full-disclosure-uk September 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] KeePass version 2.12 &

Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)

From: Christian Sciberras <uuf6429_at_nospam>
Date: Thu Sep 09 2010 - 06:18:42 GMT
To: YGN Ethical Hacker Group <lists@yehg.net>

> I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> with latest windows updates applied (as of Today -sept 09 2010).
Could be a virus/trojan from my XP machine might have caused some form
of immunity against this issue?
And perhaps my extensive meddling and customization somehow modify the
Windows 7 install beyond normal limits?
I very much doubt this. I used both bitness demos for what it's worth.

> Should I make movie to prove that like
Up till step 2 everything went fine. Step 3 went a little differently
- wab.exe opened, but no popup box opened with it.

Considering Acros highlighted how their POC was highly unstable
(they've frequently advised to try the program several times to get it
to work) I don't see such abnormal behaviour out of this world.

One last thing, rather than just running a random POC I've actually
looked into what's going on, via Process Monitor, and as far as it's
concerned, it always loaded the correct (ie, the original) dlls.

Cheers,
Chris.

On Thu, Sep 9, 2010 at 7:40 AM, YGN Ethical Hacker Group <lists@yehg.net> wrote:
> I must say I can't take your word according to my testing.
> I've tested on Clean Licensed Windows 7 Professional Edition 64-bit
> with latest windows updates applied (as of Today -sept 09 2010). I
> used Acros Security's 64 bit demo.
>
> Should I make movie to prove that like
> 1- Updating Windows (check for updates) ,
> 2 - Go to \\www.binaryplanting.com\demo\windows_address_book_64
> 3 - See the popup box
>
> ?
>
>
>
>
>
>
>
> On Thu, Sep 9, 2010 at 7:44 AM, Christian Sciberras <uuf6429@gmail.com> wrote:
>> That is what others said, yet it installed automatically on mine.
>> The only interaction was that I allowed it to be downloaded and
>> installed....not really geeky at all...
>>
>> I must say you'll have to take my word on it.
>>
>>
>>
>>
>> On Thu, Sep 9, 2010 at 1:36 AM, <paul.szabo@sydney.edu.au> wrote:
>>> Christian Sciberras <uuf6429@gmail.com> wrote:
>>>
>>>>>> MS issued a patch quite some time ago.
>>>> http://support.microsoft.com/kb/2264107
>>>
>>> That is not a "patch", not installed by default: is only for
>>> uber-geeks who manually install it. Was issued a week ago, in
>>> response to this kerfuffle, not "quite some time ago".
>>>
>>> Which setting of CWDIllegalInDllSearch did you choose: was it
>>> 0xFFFFFFFF which may be "safe", but is known to break Outlook
>>> (and others), as noted in
>>>
>>> DLL hijacking vulnerabilities
>>> http://isc.sans.edu/diary.html?storyid=9445
>>>
>>> (geeks can add further tweaks to the registry to fix).
>>>
>>> Cheers, Paul
>>>
>>> Paul Szabo psz_at_maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
>>> School of Mathematics and Statistics University of Sydney Australia
>>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/