[Esa-l] New extension to add to list in sanitizer

Brett Glass brett at lariat.org
Tue Sep 19 12:15:22 PDT 2000


After reading what's below, I have added "dll" to MANGLE_EXTENSIONS.
Many e-mail clients keep all attachments in the same directory. So, 
if a user has EVER RECEIVED a rogue DLL, and then opens a perfectly
clean document in the attachment directory with a program that uses a 
common DLL by the same name, that DLL may be used. The document and 
the DLL can even arrive as two attachments to the same message, setting 
the trap without triggering a virus detector (which will see the document 
as OK).

--Brett

>Approved-By: aleph1 at SECURITYFOCUS.COM
>Delivered-To: bugtraq at lists.securityfocus.com
>Delivered-To: BUGTRAQ at SECURITYFOCUS.COM
>X-Mailer: Mozilla 4.7 [en] (Win98; I)
>X-Accept-Language: en
>Date:         Mon, 18 Sep 2000 20:17:46 +0200
>Reply-To: Markus Kern <markus-kern at GMX.NET>
>Sender: Bugtraq List <BUGTRAQ at SECURITYFOCUS.COM>
>From: Markus Kern <markus-kern at GMX.NET>
>Subject:      Re: Double clicking on MS Office documents from Windows Explorer
>              may execute arbitrary programs in some cases
>X-To:         Georgi Guninski <guninski at GUNINSKI.COM>
>To: BUGTRAQ at SECURITYFOCUS.COM
>
>The problem seems to be more general...
>
>Georgi Guninski <guninski at GUNINSKI.COM> wrote:
>>
>> Georgi Guninski security advisory #21, 2000
>>
>> Double clicking on MS Office documents from Windows Explorer may
>> execute arbitrary programs in some cases
>
><snip>
>
>> If certain DLLs are present in the current directory and the user
>> double clicks on a MS Office Document or launches the document from
>> "Start | Run" then the DLLs are executed.
>> This allows executing native code and may lead to taking full control
>> over the user's computer.
>
><snip>
>
>This sounded interesting so I played around a little and I now think
>that it's not a MS Office specific problem but rather a "bug" in the OS.
>
>The "Win32 Programmer's Reference" states the following about
>load-time dynamic linking (LoadLibrary() uses the same sequence):
>
><quote>
>When the system starts a program that uses load-time dynamic linking, it
>uses the information in the file to locate the names of the required
>DLL(s).
>The system then searches for the DLLs in the following locations, in
>sequence:
>
>1. The directory that contains the module for the current process.
>2. The current directory.
>3. The Windows system directory. The GetSystemDirectory function
>retrieves the path of this directory.
>4. The Windows directory. The GetWindowsDirectory function retrieves the
>path of this directory.
>5. The directories listed in the PATH environment variable.
></quote>
>
>Assuming this, the following conditions must be met to reproduce the
>problem discovered by Georgi Guninski:
>
>1. The DLL you want to fake must not have been loaded into memory by any
>program yet. Windows will use the copy already in memory in that case.
>2. The targeted program (e.g. MS Word) must not have the DLL in the same
>directory as its executable.
>
>If the program is executed under these conditions, by clicking on an
>associated file, the DLL in the current directory (which is the one the
>file you click on is in) is used.
>
>-- Markus Kern
>
>+---------------------------------------------------------------------+
>| "Microsoft saves the day! They're just so damn efficient at helping |
>|  us hack their own product..." -- Rain Forest Puppy                 |
>+---------------------------------------------------------------------+
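The search sequence and the two conditions Markus lists above are easy to get wrong when reasoning about a particular application, so here is a small model of them as an added example. It is not code from the original mails, from Microsoft, or from the sanitizer; the directory names, file listings, loaded-module table, the "helper.dll" name and the document extension list are all constructed for the illustration.

```python
"""Model of the load-time DLL search order quoted from the Win32 Programmer's Reference,
plus the two preconditions for the current-directory hijack described in the mail.
Everything below (paths, file names, loaded modules) is a constructed scenario."""

from pathlib import PureWindowsPath


def _norm(p):
    # Windows paths are case-insensitive; normalise before comparing.
    return str(PureWindowsPath(p)).lower()


def search_order(exe_dir, cwd, system_dir, windows_dir, path_dirs):
    """The five-step sequence from the quoted reference, in order (2000-era, no SafeDllSearchMode)."""
    return [exe_dir, cwd, system_dir, windows_dir, *path_dirs]


def resolve_dll(name, order, fs, loaded):
    """Where would `name` come from?
    fs:     dict directory -> iterable of file names present (constructed filesystem).
    loaded: dict dll name -> path of the copy already mapped into the process.
    Condition 1 from the mail: a module already in memory is reused, so no search happens.
    """
    key = name.lower()
    already = {k.lower(): v for k, v in loaded.items()}
    if key in already:
        return ("already-loaded", already[key])
    for d in order:
        if key in {f.lower() for f in fs.get(d, ())}:
            return ("disk", str(PureWindowsPath(d) / name))
    return ("not-found", None)


def hijacked_from_cwd(name, order, fs, loaded, cwd):
    """Condition 2 from the mail: the winning copy is the one in the current directory."""
    where, path = resolve_dll(name, order, fs, loaded)
    return where == "disk" and _norm(PureWindowsPath(path).parent) == _norm(cwd)


# Constructed list of document types the user might double-click on.
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".rtf"}


def attachment_traps(filenames):
    """Brett's scenario: a document and a .dll arriving in one message land in the same
    attachment directory, which becomes the current directory when the document is opened.
    Returns the (document, dll) pairs that set the trap."""
    dlls = [f for f in filenames if f.lower().endswith(".dll")]
    docs = [f for f in filenames if PureWindowsPath(f).suffix.lower() in DOCUMENT_EXTS]
    return [(d, x) for d in docs for x in dlls]


# Constructed scenario: an Office-like application whose own directory lacks helper.dll,
# a rogue helper.dll in the attachment directory, and a legitimate copy in the system dir.
EXE_DIR, ATTACH_DIR = r"C:\Program Files\Office", r"C:\Mail\Attach"
SYSTEM_DIR, WINDOWS_DIR, PATH_DIRS = r"C:\WINDOWS\SYSTEM", r"C:\WINDOWS", [r"C:\Tools"]
FS = {
    EXE_DIR: {"WINWORD.EXE"},
    ATTACH_DIR: {"report.doc", "helper.dll"},
    SYSTEM_DIR: {"helper.dll", "kernel32.dll"},
}
ORDER = search_order(EXE_DIR, ATTACH_DIR, SYSTEM_DIR, WINDOWS_DIR, PATH_DIRS)


def scenario():
    """Run the three cases the mail distinguishes and report which ones are exploitable."""
    # Both conditions hold: the rogue copy in the attachment directory wins.
    trap = hijacked_from_cwd("helper.dll", ORDER, FS, {}, ATTACH_DIR)
    # Condition 1 fails: the system copy is already mapped, so it is reused without a search.
    preloaded = {"helper.dll": SYSTEM_DIR + r"\helper.dll"}
    already = hijacked_from_cwd("helper.dll", ORDER, FS, preloaded, ATTACH_DIR)
    # Condition 2 fails: the application ships its own copy beside the executable.
    fs_beside = {**FS, EXE_DIR: FS[EXE_DIR] | {"helper.dll"}}
    beside = hijacked_from_cwd("helper.dll", ORDER, fs_beside, {}, ATTACH_DIR)
    return {"trap": trap, "already_loaded": already, "dll_beside_exe": beside}


if __name__ == "__main__":
    print(scenario())
    print(attachment_traps(["report.doc", "helper.dll", "notes.txt"]))
```

The model reflects the order quoted in the mail; Windows XP SP2 and later enable SafeDllSearchMode by default, which moves the current directory below the system directories, so for modern systems the `search_order` list has to be adjusted before the result means anything.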
