BugTraq
Binary Planting Goes "EXE" Sep 09 2010 12:04AM
ACROS Security Lists (lists acros si) (2 replies)
Re: Binary Planting Goes "EXE" Sep 09 2010 10:35PM
Stefan Kanthak (stefan kanthak nexgo de)
"ACROS Security Lists" wrote:

> For everyone interested in binary planting vulnerabilities, here's some new
> information on the EXE vector from our research.
>
> http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html

Tell news!

1) There is an equivalent to "SafeDLLSearchPath" for executables: see
<http://support.microsoft.com/kb/905890>, to be turned on with

[HKLM\System\CurrentControlSet\Control\Session Manager]
"SafeProcessSearchMode"=dword:01

2) You missed %HomeDrive%%HomePath% a.k.a. BASE directory: see
<http://support.microsoft.com/kb/246061>, to be turned off with either

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ex
plorer]
"StartRunNoHomePath"=dword:01

or

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\E
xplorer]
"StartRunNoHomePath"=dword:01

3) Planting a rogue executable C:\Program.{exe,com,...} (yes, this needs
administrative rights in the first place) may still work, even on
Windows 7 x64: just take a look at

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37efd44d-ef8d-41b1-940d-9697
3a50e9e0}\Shell\Open\Command]
@=expand:"%ProgramFiles%\Windows Sidebar\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Gadgets\com
mand]
@="C:\Program Files\Windows Sidebar\sidebar.exe /showGadgets"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-
upnp-org:device:MediaServer:1\shell\Open Media
Player\command]
@=expand:"C:\Program Files\Windows Media Player\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open\command]
@=expand:"%ProgramFiles%\Windows Sidebar\Sidebar.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\Windows Media Player\shell\open\command]
@=expand:"%ProgramFiles(x86)%\Windows Media Player\wmplayer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shel
l\open\command]
@="C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Yes, even more than 15 years after introduction of "long" filenames
some developers still don't know how to properly quote command lines,
and their QA seems sound asleep!

Stefan Kanthak

[ reply ]
Re: Binary Planting Goes "EXE" Sep 09 2010 08:18PM
Christian Sciberras (uuf6429 gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus