
List:       ros-dev
Subject:    Re: [ros-dev] [ros-diffs] [cfinck] 33571: Check if the
From:       "Alex Ionescu" <ionucu@videotron.ca>
Date:       2008-05-20 11:23:13
Message-ID: fc4563580805200423m254847e9q4c1d9628fd16b663@mail.gmail.com

Did you somehow forget to read the REST of my e-mail after my initial
"if that function failed, you're screwed anyway"?

Please come up with a valid exploitation technique for this fallback.

Please make sure it's doable from a non-admin account.

On Tue, May 20, 2008 at 5:08 PM, Filip Navara <xnavara@volny.cz> wrote:
> I will leave the issue of whether GetWindowsDirectory should be used
> or not aside (even though I believe it's good to use it), but in all
> honesty I couldn't ignore Alex's comment. The suggestion of fallback
> feels to me like if you had an internet banking account and you said
> "oh, well, if HTTPS doesn't work, let's just use HTTP, the system is
> probably already f*cked up enough that security doesn't matter
> anymore". This is exactly the type of attitude that introduces
> security holes into programs... Why would I go a long way to write a
> complicated code to avoid executable redirection if there's code
> elsewhere that doesn't follow the rules? Remember, the chain is only
> as strong as its weakest link.
>
> F.
>
> On Mon, May 19, 2008 at 10:11 AM, Alex Ionescu <ionucu@videotron.ca> wrote:
>> If GetWindowsDirectory fails, you have much worse issues to worry
>> about than executable redirection.
>>
>> Also note that regedt32.exe is usually in the system32 directory, so
>> how is this a security/redirection issue exactly?
>>
>> This implies someone would have to:
>>
>> 1) Give you a malware regedit.exe in directory foo
>> 2) Give you the legitimate regedt32.exe in directory foo
>> 3) Somehow convince you to:
>> 3.1) Use regedt32 instead of regedit (few people even know this tool)
>> 3.2) Launch regedt32 from this "foo" directory instead of using
>> start/run regedt32
>>
>> The issue you're looking for just doesn't exist.
>>
>> 2008/5/19 FENG Yu Ning <fengyuning1984@gmail.com>:
>>> On Sun, May 18, 2008 at 7:28 PM, Alex Ionescu <ionucu@videotron.ca> wrote:
>>>>
>>>> Last nitpick: if you can't get the windows directory, just
>>>> ShellExecute "regedit.exe" directly, as the code originally did --
>>>> this is the behavior on Windows, fyi.
>>>>
>>>
>>> Though it is the behavior on Windows, it is a bad thing, IMHO. There are
>>> already too many little viruses that pretend to be a system executable, say,
>>> explorer.exe, and they are placed in a (sub)directory of the windows
>>> directory to be shell executed. If we can't get the windows directory, we
>>> should let the user know, and give them the chance to fix it, instead of
>>> blindly executing anything.
>>> I used to suffer from those, and they were really annoying. Please consider
>>> being different from Windows in this and similar issues.
>>> MHO.
>>>
>>> _______________________________________________
>>> Ros-dev mailing list
>>> Ros-dev@reactos.org
>>> http://www.reactos.org/mailman/listinfo/ros-dev
>>>
>>>
>>
>>
>>
>> --
>> Best regards,
>> Alex Ionescu
>>
>



-- 
Best regards,
Alex Ionescu
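As an added illustration (not ReactOS code, and not written by anyone in the thread), the following portable C model contrasts the two behaviours being argued about: the original fallback that hands a bare "regedit.exe" to a search-path lookup when the Windows directory cannot be obtained, and a fail-closed variant that reports an error instead. The in-memory "file system", the search order, and the `windir` string standing in for the result of `GetWindowsDirectory` are constructed simplifications, not real system state or the real Win32 search rules.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the file system: the only paths that "exist".
 * The third entry models an untrusted regedit.exe sitting in a user-writable
 * directory that happens to be the current directory (the "directory foo" of
 * the thread). Illustrative values only. */
static const char *const EXISTING_FILES[] = {
    "C:\\Windows\\regedit.exe",
    "C:\\Windows\\system32\\regedt32.exe",
    "C:\\Users\\demo\\Downloads\\regedit.exe",
};

/* Constructed, simplified search order applied when only a bare file name is
 * handed to a ShellExecute-style launch: current directory first, then the
 * system directories. Assumption: a simplification of the real search rules. */
static const char *const SEARCH_DIRS[] = {
    "C:\\Users\\demo\\Downloads",   /* current directory */
    "C:\\Windows\\system32",
    "C:\\Windows",
};

static bool file_exists(const char *path)
{
    for (size_t i = 0; i < sizeof EXISTING_FILES / sizeof EXISTING_FILES[0]; i++)
        if (strcmp(EXISTING_FILES[i], path) == 0)
            return true;
    return false;
}

/* Resolve a bare name the way a search-path lookup would: first hit wins. */
static bool resolve_bare_name(const char *name, char *out, size_t n)
{
    for (size_t i = 0; i < sizeof SEARCH_DIRS / sizeof SEARCH_DIRS[0]; i++) {
        if (snprintf(out, n, "%s\\%s", SEARCH_DIRS[i], name) >= (int)n)
            continue;               /* truncated: treat as no match */
        if (file_exists(out))
            return true;
    }
    out[0] = '\0';
    return false;
}

/* Behaviour the thread argues about: if the Windows directory is unavailable
 * (modelled here by a NULL or empty windir, i.e. GetWindowsDirectory failed),
 * fall back to the bare name and let the search path decide what runs. */
bool resolve_regedit_with_fallback(const char *windir, char *out, size_t n)
{
    if (windir != NULL && windir[0] != '\0')
        return snprintf(out, n, "%s\\regedit.exe", windir) < (int)n;
    return resolve_bare_name("regedit.exe", out, n);
}

/* Fail-closed variant: no Windows directory, no launch. The caller reports
 * the error to the user instead of executing whatever the lookup finds. */
bool resolve_regedit_strict(const char *windir, char *out, size_t n)
{
    if (windir == NULL || windir[0] == '\0') {
        out[0] = '\0';
        return false;
    }
    return snprintf(out, n, "%s\\regedit.exe", windir) < (int)n;
}

int main(void)
{
    char path[260];

    /* Normal case: both variants build the fully qualified path. */
    resolve_regedit_strict("C:\\Windows", path, sizeof path);
    printf("strict, windir known:  %s\n", path);

    /* GetWindowsDirectory "failed": the fallback picks up the copy in the
     * current directory; the strict variant refuses to launch at all. */
    resolve_regedit_with_fallback("", path, sizeof path);
    printf("fallback, windir lost: %s\n", path);
    if (!resolve_regedit_strict("", path, sizeof path))
        printf("strict, windir lost:   refused (report error to user)\n");
    return 0;
}
```

The model makes the disagreement concrete: with the fallback, what gets launched in the failure case depends entirely on which directory the lookup searches first, which is the "directory foo" scenario; the strict variant turns the same failure into a reportable error, which is the "let the user know" behaviour proposed in the thread.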