Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust

[H D Moore <sflist () digitaloffense net>]

Any chance you contacted Wehnus about it? The "hot fix" is just to open 
regedit, browse to this key, and place the path inside double quotes. 
Minor problem, but I am sure Matt would have appreciated an email first.

-HD

On Monday 16 January 2006 14:47, Thierry Zoller wrote:
> Dear  List,
>
> Small blurp I came around; when Wehntrust creates the autostart key
> it forgets to correctly quote the string in the key and thus may
> trigger an autostart of c:\program.bat|exe|com up-on reboot... [2]
>
> Quoting [1] :
> ^^^^^^^^^^^^
> -----------------------------------------------------------------------
> --- c:\program files\sub dir\program.exe,
>
> In this case, the system will successively expand the string when
> interpreting the file path, until a module is encountered to execute.
> The string used in the above example would be interpreted as follows:
>
>    c:\program.exe
>    c:\program files\sub.exe
>    c:\program files\sub dir\program.exe
> -----------------------------------------------------------------------
> ------
>
> [1]
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789
> .html [2] Only a real issue in Windows 2000, WinXP restricted
>     users don't have the right to write to c:\
> [3] http://secdev.zoller.lu
> [4] http://www.wehnus.com/