Re: Internet Explorer 7 - Still Spyware Writers' Heaven

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
From: Thierry Zoller <Thierry@xxxxxxxxx>
Date: Sat, 4 Nov 2006 14:03:32 +0100
In-reply-to: <3da3d8310611031825m28b39c62p613a8545a5a4cff6@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Kachkeis Liebhaber CoKG
References: <8beca820611011407q3787ff52o4f5bc06cd8103ae0@xxxxxxxxxxxxxx> <096A04F511B7FD4995AE55F13824B83319836E@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <3da3d8310611031825m28b39c62p613a8545a5a4cff6@xxxxxxxxxxxxxx>
Reply-to: Thierry Zoller <Thierry@xxxxxxxxx>

Dear list,

>therefore Windows will search for this file in the user's
>machine using the directories provided in the PATH environment
That is a bit simplistic, it will search a lot more then the PATH
prior to that. (See list at the bottom)

>desktop), and the next time the user will run IE7 the code of the
>attacker's file will be executed instead of the original DLL file.

According to the list this should not be the case as the PATH
statemetn is checked ONLY if every other paths have been already
searched for that DLL, (I have seen this
too), so either the list offered on the MS site is wrong or ?

Hint: USE  "Safe DLL Search Order" as offered by Microsoft.

Vulnerability of not using "Safe DLL search" as defined by Micrsoft on
this page : 
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch10n.mspx

"If a user unknowingly executes hostile code that was packaged with additional 
files that
include modified versions of system DLLs, the hostile code could load its own 
versions
of those DLLs and potentially increase the type and degree of damage
the code can render."

----------------------------------------------------------------------------------------

Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended)

This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode 
(recommended) in the SCE.
The dynamic-link library (DLL) search order can be configured to search for 
requested DLLs in one of two ways:

If SafeDllSearchMode is configured to 1, the search order is as follows:
•  The directory from which the application loaded.
•  The system directory.
•  The 16-bit system directory. There is no function that obtains the path of 
this directory, but it is searched.
•  The Windows directory.
•  The current directory.
•  The directories that are listed in the PATH environment variable.


If SafeDllSearchMode is configured to 0, the search order is as follows:
•  The directory from which the application loaded.
•  The current directory.
•  The system directory.
•  The 16-bit system directory. There is no function that obtains the path of 
this directory, but it is searched.
•  The Windows directory.
•  The directories that are listed in the PATH environment variable.



This is the reason WHY I added the feature call "Enable Safe DLL
Search Order" to Secure-it (http://www.sniff-em.com/secureit.shtml)


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

References:
- Internet Explorer 7 - Still Spyware Writers' Heaven
  - From: avivra
- RE: Internet Explorer 7 - Still Spyware Writers' Heaven
  - From: Roger A. Grimes
- Re: Internet Explorer 7 - Still Spyware Writers' Heaven
  - From: Eliah Kagan

Prev by Date: IF-CMS multiples XSS vunerabilities
Next by Date: @cid stats v2.3 File Include
Previous by thread: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
Next by thread: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
Index(es):
- Date
- Thread