> For everyone interested in binary planting vulnerabilities, here's some new
> information on the EXE vector from our research.
>
> http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html
Tell news!
1) There is an equivalent to "SafeDLLSearchPath" for executables: see
<http://support.microsoft.com/kb/905890>, to be turned on with
3) Planting a rogue executable C:\Program.{exe,com,...} (yes, this needs
administrative rights in the first place) may still work, even on
Windows 7 x64: just take a look at
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-
upnp-org:device:MediaServer:1\shell\Open Media
Player\command]
@=expand:"C:\Program Files\Windows Media Player\wmplayer.exe"
Yes, even more than 15 years after introduction of "long" filenames
some developers still don't know how to properly quote command lines,
and their QA seems sound asleep!
> For everyone interested in binary planting vulnerabilities, here's some new
> information on the EXE vector from our research.
>
> http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html
Tell news!
1) There is an equivalent to "SafeDLLSearchPath" for executables: see
<http://support.microsoft.com/kb/905890>, to be turned on with
[HKLM\System\CurrentControlSet\Control\Session Manager]
"SafeProcessSearchMode"=dword:01
2) You missed %HomeDrive%%HomePath% a.k.a. BASE directory: see
<http://support.microsoft.com/kb/246061>, to be turned off with either
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ex
plorer]
"StartRunNoHomePath"=dword:01
or
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\E
xplorer]
"StartRunNoHomePath"=dword:01
3) Planting a rogue executable C:\Program.{exe,com,...} (yes, this needs
administrative rights in the first place) may still work, even on
Windows 7 x64: just take a look at
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-9697
3a50e9e0}\Shell\Open\Command]
@=expand:"%ProgramFiles%\Windows Sidebar\sidebar.exe /showGadgets"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\com
mand]
@="C:\Program Files\Windows Sidebar\sidebar.exe /showGadgets"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-
upnp-org:device:MediaServer:1\shell\Open Media
Player\command]
@=expand:"C:\Program Files\Windows Media Player\wmplayer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
@=expand:"%ProgramFiles%\Windows Sidebar\Sidebar.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@=expand:"%ProgramFiles(x86)%\Windows Media Player\wmplayer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shel
l\open\command]
@="C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Yes, even more than 15 years after introduction of "long" filenames
some developers still don't know how to properly quote command lines,
and their QA seems sound asleep!
Stefan Kanthak
[ reply ]