[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
- To: Stefan Kanthak <stefan.kanthak@xxxxxxxx>
- Subject: Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account
- From: Gynvael Coldwind <gynvael@xxxxxxxxxxx>
- Date: Fri, 25 Jul 2014 13:43:09 +0200
Well it was discussed a couple of times recently on FD that this is a bug,
but it's not a privilege escalation.
If you are admin (and you did mention that it's a prerequisite) you can
execute code as other users anyway - so there's no *escalation* here.
Therefore it's not a security bug (unless you are using a super old version
of Windows with incorrect ACLs on c:\, which sounds like a bug in itself),
just a "normal" bug.
Not sure if FD is the right place for non-security bugs tbh.
Cheers,
On 25 Jul 2014 00:46, "Stefan Kanthak" <stefan.kanthak@xxxxxxxx> wrote:
> Brandon Perry wrote:
>
> > So, I am very curious how you are finding these? Have you automated this
> or
> > is it manual hand work?
>
> All my Windows installations have
> <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
> <http://home.arcor.de/skanthak/download/SENTINEL.DLL> preinstalled as
> C:\Program.exe and C:\Program.dll, so I'm notified when some poorly written
> program tries to execute them.
> The sentinels call MessageBox() with "MB_SERVICE_NOTIFICATION", so the
> messages are recorded in the event log too where I can find them later.
>
> I also preinstall an APPINIT.DLL <https://support.microsoft.com/kb/197571>
> which logs all command lines of programs linked to USER32.DLL to a file:
> filtering for "C:\Program " at column 1 lists all the culprits.
>
> My third source is a SAFER.Log <
> https://technet.microsoft.com/cc786941.aspx>
> where every execution attempt is logged, including the executables caller:
> filtering this for "\program.exe" or "\program.dll" lists all the culprits.
>
> So basically I just have to sit and wait...
>
> In case one of my customers was hit, and this did not happen during an
> installation, I have to interrogate them what they did... and hope they can
> remember with sufficient detail.
>
> But almost all hits occur during installations or the customization
> following
> an installation (here it was the import of existing mails into a new
> account),
> so these are not so difficult to reproduce.
>
> regards
> Stefan
>
> PS: of course it helps if 8.3 names are disabled and "C:\Program Files\"
> can't
> be aliased as C:\Progra~1\
> To achieve this just run FORMAT C: /FS:NTFS /S:Disable in Windows PE
> before you start the installation of Windows 7 and later.
> For Windows NT5.x you'll have to use \i386\MIGRATE.INF
>
> > On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak <stefan.kanthak@xxxxxxxx
> >
> > wrote:
> >
> >> Hi @ll,
> >>
> >> the import function of Windows Mail executes a rogue program
> C:\Program.exe
> >> with the credentials of another account, resulting in a privilege
> >> escalation!
>
> [...]
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/