[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Defense in depth -- the Microsoft way
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Defense in depth -- the Microsoft way
- From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
- Date: Sun, 19 May 2013 17:40:57 +0200
Hi @ll,
the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see <http://msdn.microsoft.com/library/aa372105.aspx>):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{<GUID>}"
"ModifyPath"="MsiExec.Exe /I{<GUID>}"
Note the unqualified path to the executable "msiexec.exe".
On Windows installations without the "SafeProcessSearchMode" hotfix
(cf. <http://support.microsoft.com/kb/905890>) or with this safeguard
turned off (cf. <http://msdn.microsoft.com/library/dd266735.aspx>,
which refers to <http://support.microsoft.com/kb/959426> alias MS09-015),
an executable "msiexec.exe" placed in the CWD or the users "base"
directory (addressed by "%HOMEDRIVE%%HOMEPATH%" and typically equal to
"%USERPROFILE%") can be run instead of the intended executable
"%SystemRoot%\System32\MsiExec.Exe".
The VERY simple fix (which eliminates this attack vector completely):
always use fully-qualified paths to the well-known executables.
JFTR: cf. <http://seclists.org/fulldisclosure/2011/Sep/160>
Stefan Kanthak
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/