From: "FromTheRafters" erratic on 25 Jul 2010 08:58

"Ant" <not(a)home.today> wrote in message news:49adnS4hc88yxNXRnZ2dnUVZ8gWdnZ2d(a)brightview.co.uk...
> "FromTheRafters" wrote:
>
>> "Ant" wrote:
>>> The bug has been around for so long that I'm surprised it hasn't been
>>> exploited earlier. Reminds me of the WMF vulnerability but worse.
>>
>> ...or this:
>>
>> http://en.wikipedia.org/wiki/Format_string_attack
>>
>> Sometimes, the blackhats can keep a secret for an extended period.
>
> An old problem, indeed, but not at all similar. It's not an auto-execute
> thing. Any program written in C or other languages using
> printf-like functions with a variable number of arguments and
> accepting unchecked input is a risk. That's just very bad programming;
> really, a newbie mistake.

Not at all similar, except in respect to the surprise aspect you mentioned. Sometimes things are around for a long time before knowledge of them becomes public.
From: "FromTheRafters" erratic on 25 Jul 2010 09:04

"Virus Guy" <Virus(a)Guy.com> wrote in message news:4C48D1A6.BDA146FE(a)Guy.com...
> FromTheRafters wrote:
>
>> >> Ok. If I can find a spare hard disk I might check Win ME.
>> >
>> > Won't matter. The malformed .lnk file (as published) doesn't work
>> > on 9x/ME.
>>
>> I'm reasonably sure that Ant is capable of otherwise "porting" it
>> for Win ME to test for himself
>
> I didn't say he wasn't capable.
>
> I'm saying that there isn't enough of a difference in ME's shell
> compared to win-98se that would make it vulnerable to this exploit.

I see. I was just reacting to the "as published" .lnk file. The 'as published' exploit may have been NT *vector* specific but not actually exclusive (once ported) as a demonstrable vulnerability for 9x.
From: Dustin on 25 Jul 2010 18:31

"FromTheRafters" <erratic @nomail.afraid.org> wrote in news:i2hcd4$kun$1(a)news.eternal-september.org:
> "Ant" <not(a)home.today> wrote in message
> news:49adnS4hc88yxNXRnZ2dnUVZ8gWdnZ2d(a)brightview.co.uk...
>> "FromTheRafters" wrote:
>>
>>> "Ant" wrote:
>>>> The bug has been around for so long that I'm surprised it hasn't
>>>> been exploited earlier. Reminds me of the WMF vulnerability but
>>>> worse.
>>>
>>> ...or this:
>>>
>>> http://en.wikipedia.org/wiki/Format_string_attack
>>>
>>> Sometimes, the blackhats can keep a secret for an extended period.
>>
>> An old problem, indeed, but not at all similar. It's not an auto-execute
>> thing. Any program written in C or other languages using
>> printf-like functions with a variable number of arguments and
>> accepting unchecked input is a risk. That's just very bad
>> programming; really, a newbie mistake.
>
> Not at all similar, except in respect to the surprise aspect you
> mentioned. Sometimes things are around for a long time before
> knowledge of them becomes public.
>

I could have sworn this exploit had been discussed several years ago...

-- 
"I like your Christ. I don't like your Christians. They are so unlike your Christ." - author unknown.
From: FromTheRafters on 25 Jul 2010 19:19

"Dustin" <bughunter.dustin(a)gmail.com> wrote in message news:Xns9DC0BCCCEFE3EHHI2948AJD832(a)69.16.185.250...
> "FromTheRafters" <erratic @nomail.afraid.org> wrote in
> news:i2hcd4$kun$1(a)news.eternal-september.org:
>
>> "Ant" <not(a)home.today> wrote in message
>> news:49adnS4hc88yxNXRnZ2dnUVZ8gWdnZ2d(a)brightview.co.uk...
>>> "FromTheRafters" wrote:
>>>
>>>> "Ant" wrote:
>>>>> The bug has been around for so long that I'm surprised it hasn't
>>>>> been exploited earlier. Reminds me of the WMF vulnerability but
>>>>> worse.
>>>>
>>>> ...or this:
>>>>
>>>> http://en.wikipedia.org/wiki/Format_string_attack
>>>>
>>>> Sometimes, the blackhats can keep a secret for an extended period.
>>>
>>> An old problem, indeed, but not at all similar. It's not an auto-execute
>>> thing. Any program written in C or other languages using
>>> printf-like functions with a variable number of arguments and
>>> accepting unchecked input is a risk. That's just very bad
>>> programming; really, a newbie mistake.
>>
>> Not at all similar, except in respect to the surprise aspect you
>> mentioned. Sometimes things are around for a long time before
>> knowledge of them becomes public.
>>
>
> I could have sworn this exploit had been discussed several years
> ago...

A decade in the case of format string attacks.
From: Dustin on 25 Jul 2010 22:01

"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in news:i2igpt$ov3$1 @news.eternal-september.org:
>> I could have sworn this exploit had been discussed several years
>> ago...
>
> A decade in the case of format string attacks.

I still blame lazy programmers for that. Seriously, how much more time does it take a person to write the code to verify the buffer has enough room for the string; and to invalidate bad configuration data? :(

-- 
"I like your Christ. I don't like your Christians. They are so unlike your Christ." - author unknown.
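The "printf-like function fed unchecked input" pattern Ant describes, and the buffer-room check Dustin asks about, as an added C example that is not part of the thread (the function names and the log-line layout are my own):

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread.
 *
 * Vulnerable shape:   printf(untrusted);
 * The untrusted string IS the format, so any '%' directive in it is
 * interpreted by printf instead of being printed as text.
 *
 * Hardened shape:     printf("%s", untrusted);
 * The format is a compile-time constant and the untrusted data is only
 * ever an argument, so its '%' characters are plain characters.
 */

/* Returns 1 if s contains a conversion directive (a '%' not immediately
 * followed by another '%'), i.e. the string would change printf's
 * behaviour if it were ever used as a format. Handy for a log scanner
 * or an input validator flagging suspicious configuration values. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Hardened logging: constant format, untrusted text passed as arguments,
 * and the destination size checked instead of assumed. Returns the
 * length written, or -1 (with dst emptied) when dst is too small. */
int format_log_line(char *dst, size_t dstlen, const char *user, const char *msg)
{
    int n = snprintf(dst, dstlen, "user=%s msg=%s", user, msg);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen)
            dst[0] = '\0';   /* do not leave a silently truncated line */
        return -1;
    }
    return n;
}
```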