Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Internet Explorer 7 - Still Spyware Writers' Heaven
From: Thierry Zoller <Thierry () Zoller lu>
Date: Sat, 4 Nov 2006 14:03:32 +0100

Dear list,

therefore Windows will search for this file in the user's
machine using the directories provided in the PATH environment
That is a bit simplistic, it will search a lot more then the PATH
prior to that. (See list at the bottom)

desktop), and the next time the user will run IE7 the code of the
attacker's file will be executed instead of the original DLL file.

According to the list this should not be the case as the PATH
statemetn is checked ONLY if every other paths have been already
searched for that DLL, (I have seen this
too), so either the list offered on the MS site is wrong or ?

Hint: USE  "Safe DLL Search Order" as offered by Microsoft.

Vulnerability of not using "Safe DLL search" as defined by Micrsoft on
this page : http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch10n.mspx

"If a user unknowingly executes hostile code that was packaged with additional files that
include modified versions of system DLLs, the hostile code could load its own versions
of those DLLs and potentially increase the type and degree of damage
the code can render."

----------------------------------------------------------------------------------------

Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended)

This entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE.
The dynamic-link library (DLL) search order can be configured to search for requested DLLs in one of two ways:

If SafeDllSearchMode is configured to 1, the search order is as follows:
•  The directory from which the application loaded.
•  The system directory.
•  The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
•  The Windows directory.
•  The current directory.
•  The directories that are listed in the PATH environment variable.


If SafeDllSearchMode is configured to 0, the search order is as follows:
•  The directory from which the application loaded.
•  The current directory.
•  The system directory.
•  The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
•  The Windows directory.
•  The directories that are listed in the PATH environment variable.



This is the reason WHY I added the feature call "Enable Safe DLL
Search Order" to Secure-it (http://www.sniff-em.com/secureit.shtml)


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]