[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

To: paul.szabo@xxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
From: James Condron <james@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 5 Sep 2011 01:43:33 +0100

Paul,

I only run windows on one machine, my workstation in the office, so my results 
aren't indicative of every system- indeed this may be a quirk of our AD, in 
which case I'll be talking to one of my colleagues with my friend Mr. Crowbar, 
but both extensions you list were executable.

Admittedly I haven't checked all of the others yet, mileage may vary.

Either way there is no accounting for taste; some cases will make this less an 
attack in and of its self and more will show this as a further social 
engineering payload, albeit one which requires tricking someone to download 
several layers of code and still executing it.

On 4 Sep 2011, at 23:54, paul.szabo@xxxxxxxxxxxxx wrote:

>> Application: wscript.exe
>> Extensions: js, jse, vbe, vbs, wsf, wsh
>> Library: wshesn.dll
> 
> Many people commented that the above extensions are "executable"
> already, so are (should be) treated with caution, or that they
> can be trojaned directly without any DLL load shenanigans.
> 
> However... looking at
> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> I do not see JS listed as executable, though JSE is listed.
> 
> Looking at
> http://msdn.microsoft.com/en-us/library/ms722429.aspx
> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> machine, none of the above extensions are "designated".
> 
> Maybe DLL hijacking is useful for some of these file types, after all?
> 
> Cheers, Paul
> 
> Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
  - From: paul . szabo

Prev by Date: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Next by Date: Re: [Full-disclosure] [SECURITY] [DSA 2200-1] nss security update
Previous by thread: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Next by thread: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Index(es):
- Date
- Thread