Full Disclosure mailing list archives
"windows update activex"
From: Liu Die Yu <liudieyuinchina () yahoo com cn>
Date: Mon, 21 Jul 2003 12:08:35 +0800 (CST)
If there is some XSS hole in the Windows Update site, or if there is a bug in IE that allows tricking the URL, then the attacker can use the Windows Update ActiveX to:
reboot your machine;
get detailed information on the computer: computer name, hardware, isAdmin, etc.
BUT it's hard for the attacker to execute his EXE.
I've traced into the module ("IUENGINE.TEXT"). They first create the directory (API: "CreateDirectoryW"), then they download the EXE file to the newly created directory. Soon after that, they verify its digest (API: "LSTRCMPIW"). At last they verify it with "WinTrust.TEXT", which I am unable to bypass. If any of the checks fails, they delete the file (API: "DeleteFileW").
Assuming we already got WINDOWSUPDATE.MICROSOFT.COM (then we easily got MYCOMPUTER): the only chance is that "DeleteFileW" fails, but chances are very, very slim.
So generally speaking (generally speaking, we can't break WinTrust), the maximum risk is "RebootMachine", nothing more.
just as a reminder
best wishes
die
-----------------------
umbrella.mx.tc - http://umbrella.mx.tc
safecenter - http://www.safecenter.net
make notes easily - http://domex.int.tc
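The post describes a four-step staging flow (create directory, download the EXE into it, compare the digest, verify the signature, delete on any failure) and notes that the only residual window is a failed delete. The following is an added, platform-independent model of that flow written for this archive page; it is not Microsoft's code and not from the post. Assumptions: SHA-256 is used as the digest (the post does not say which one), an HMAC under a constructed key stands in for the WinTrust/Authenticode signature check, and `remover` is injectable purely so the "DeleteFileW fails" case can be exercised. The second function goes beyond the post: it verifies the bytes in memory before anything is written, which removes the reject-then-delete window entirely.

```python
import hashlib
import hmac
import os

# Assumption (constructed): an HMAC under this key stands in for the
# Authenticode (WinTrust) signature; a real client would call WinVerifyTrust.
PUBLISHER_KEY = b"constructed-demo-publisher-key"
FILE_NAME = "update.exe"


def publisher_sign(data: bytes) -> str:
    """Stand-in for the publisher's signature over the payload (assumption)."""
    return hmac.new(PUBLISHER_KEY, data, hashlib.sha256).hexdigest()


def checks_pass(data: bytes, expected_digest: str, expected_sig: str) -> bool:
    # Digest comparison. The post observes a case-insensitive string compare
    # (lstrcmpiW) on the digest, so the hex string is case-normalised here.
    if hashlib.sha256(data).hexdigest().lower() != expected_digest.lower():
        return False
    # Signature check (WinTrust stand-in), constant-time comparison.
    return hmac.compare_digest(publisher_sign(data), expected_sig)


def stage_download_then_verify(data, expected_digest, expected_sig,
                               staging_dir, remover=os.remove):
    """The order the post describes: create directory, write the EXE, then
    verify, deleting the file if any check fails."""
    os.makedirs(staging_dir, exist_ok=True)           # CreateDirectoryW
    path = os.path.join(staging_dir, FILE_NAME)
    with open(path, "wb") as f:                        # download into new dir
        f.write(data)
    if checks_pass(data, expected_digest, expected_sig):
        return "accepted", path
    try:
        remover(path)                                  # DeleteFileW
    except OSError:
        # The residual risk the post points at: a rejected file stays on disk.
        return "rejected_left_on_disk", path
    return "rejected", None


def stage_verify_then_write(data, expected_digest, expected_sig, staging_dir):
    """Fail-closed variant (beyond the post): verify in memory first and only
    write a payload that already passed, so no delete step is ever relied on."""
    if not checks_pass(data, expected_digest, expected_sig):
        return "rejected", None
    os.makedirs(staging_dir, exist_ok=True)
    path = os.path.join(staging_dir, FILE_NAME)
    with open(path, "wb") as f:
        f.write(data)
    return "accepted", path


if __name__ == "__main__":
    import tempfile
    payload = b"MZ constructed fake update body"     # constructed sample
    digest = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        print(stage_download_then_verify(payload, digest, publisher_sign(payload), d))
        print(stage_download_then_verify(payload, digest, "00" * 64, d))
        print(stage_verify_then_write(payload, digest, "00" * 64, d))
```

Run as a script it prints an accepted result for a correctly signed payload and rejections for a bad signature; the design point is that `stage_verify_then_write` never produces a file that failed a check, so a failing delete is no longer a condition anyone has to worry about.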
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html