Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)
From: Christian Sciberras <uuf6429 () gmail com>
Date: Thu, 9 Sep 2010 08:18:42 +0200

I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
with latest windows updates applied (as of Today -sept 09 2010).
Could be a virus/trojan from my XP machine might have caused some form
of immunity against this issue?
And perhaps my extensive meddling and customization somehow modify the
Windows 7 install beyond normal limits?
I very much doubt this. I used both bitness demos for what it's worth.

Should I make movie to prove that like
Up till step 2 everything went fine. Step 3 went a little differently
- wab.exe opened, but no popup box opened with it.

Considering Acros highlighted how their POC was highly unstable
(they've frequently advised to try the program several times to get it
to work) I don't see such abnormal behaviour out of this world.

One last thing, rather than just running a random POC I've actually
looked into what's going on, via Process Monitor, and as far as it's
concerned, it always loaded the correct (ie, the original) dlls.

Cheers,
Chris.





On Thu, Sep 9, 2010 at 7:40 AM, YGN Ethical Hacker Group <lists () yehg net> wrote:
I must say I can't take your word according to my testing.
I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
with latest windows updates applied (as of Today -sept 09 2010). I
used Acros Security's 64 bit demo.

Should I make movie to prove that like
1- Updating Windows (check for updates) ,
2 - Go to \\www.binaryplanting.com\demo\windows_address_book_64
3 - See the popup box

?







On Thu, Sep 9, 2010 at 7:44 AM, Christian Sciberras <uuf6429 () gmail com> wrote:
That is what others said, yet it installed automatically on mine.
The only interaction was that I allowed it to be downloaded and
installed....not really geeky at all...

I must say you'll have to take my word on it.




On Thu, Sep 9, 2010 at 1:36 AM,  <paul.szabo () sydney edu au> wrote:
Christian Sciberras <uuf6429 () gmail com> wrote:

MS issued a patch quite some time ago.
http://support.microsoft.com/kb/2264107

That is not a "patch", not installed by default: is only for
uber-geeks who manually install it. Was issued a week ago, in
response to this kerfuffle, not "quite some time ago".

Which setting of CWDIllegalInDllSearch did you choose: was it
0xFFFFFFFF which may be "safe", but is known to break Outlook
(and others), as noted in

 DLL hijacking vulnerabilities
 http://isc.sans.edu/diary.html?storyid=9445

(geeks can add further tweaks to the registry to fix).

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]