Full Disclosure mailing list archives
RE: Flaws security feature of SP2
From: Juergen Schmidt <ju () heisec de>
Date: Mon, 16 Aug 2004 22:30:08 +0200 (CEST)
On Mon, 16 Aug 2004, Jonathan Rickman wrote:
Exploiting this issue requires the ability to overwrite existing files which have a trusted or non-existent ZoneID.
Ok. So if I have the ability to do that, isn't it safe to say that I already control the box?
Not necessarily. If your file is not executed, because it has ZoneID=3 -- you might lose. But there is another point: Let's assume that other programs like WinZIP, Mozilla, Eudora start setting/using ZoneIDs. There will be a lot of potential for additional, unnecessary problems, because Explorer in some cases uses the ZoneID of old files that no longer exist. Let's assume I download a file with XYZ named hello.exe and I accept to overwrite the existing hello.exe. hello.exe is overwritten by XYZ and set to the proper (new) ZoneID=3. Should Explorer give a warning when I start it? Of course it should. Is it a bug if Explorer does not warn? Of course it is. Does it need to be fixed? Of course it does.
"... we don't see these issues as being in conflict with the design goals of the new protections. ... we do not see these as issues that we would develop patches or workarounds to address."
I'm inclined to agree with them. I see the potential for problems as you have pointed out, but I guess I need a little help in understanding how this could ever be more than a theoretical vulnerability. Could you perhaps elaborate and maybe toss in a hypothetical situation or two to help me see what you're driving at?
I guess I need a little help in understanding how using wrong security information could ever be something else than a bug. Could you perhaps elaborate and maybe toss in an example or two where such a bug in a security function does not need to be fixed, to help me see what you're driving at?

I admit that you can argue that SP2 does not intend to cover all possible execution paths -- so Microsoft might have a point there. But what are ZoneIDs on downloaded files good for, if they cover only a small subset of execution paths?

So let's create a *hypothetical* situation. Assume:

- we want to install a trojan from a web site.
- there is an IE bug that allows execution of cmd with arguments (there were a couple of those already)
- there is an IE bug that allows guessing the location of temp files (afaik we had those too)

Now you need a way to download your trojan file and have it executed. You've got it with the cmd issue. With it you can simply include evil.gif in an image tag and execute cmd /c <temp_path>\evil.gif

Here we go: Download.Ject2 despite ZoneID=3 on evil.gif

On the other hand, you can argue again, let's close the first two holes and we are safe. As I said: with cmd, you can argue...

bye, ju

--
Juergen Schmidt, Chefredakteur heise Security, www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300, FAX +49 511 5352 417, EMail ju () heisec de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
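The thread turns on what the Zone.Identifier stream on a downloaded file says and whether Explorer's "this file came from the Internet" prompt will fire for it. The following Python script is an added example, not code from the thread, from heise or from Microsoft: it parses the INI-style Zone.Identifier stream, maps the ZoneId to the standard URLZONE names, and audits a folder for executables that carry no stream or a trusted zone (the "silent" case Juergen describes). Assumptions: reading the stream as `<path>:Zone.Identifier` requires Windows and NTFS; the parser and the classification are platform-independent and are exercised here with constructed sample streams; the list of "executable" extensions is my own choice, not something the thread specifies.

```python
"""Audit Zone.Identifier streams on downloaded files.

Added example, not part of the mailing-list thread. Assumptions:
- Python 3.8+.
- audit_directory() only finds streams on Windows/NTFS, where the alternate
  data stream can be opened as "<path>:Zone.Identifier".
- The sample streams at the bottom are constructed for illustration.
"""
import os
import sys
from typing import Dict, List, Optional, Tuple

# Standard URLZONE values that Explorer/IE write into the ZoneId= line.
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}

# Extensions treated as directly executable for this audit (an assumption of
# this example, not a list from the thread or from Microsoft).
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi", ".vbs", ".js"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def zone_id(text: Optional[str]) -> Optional[int]:
    """Return ZoneId as an int, or None when the stream is absent or malformed."""
    if text is None:
        return None
    val = parse_zone_identifier(text).get("ZoneId")
    if val is None:
        return None
    try:
        return int(val)
    except ValueError:
        return None


def classify(filename: str, stream_text: Optional[str]) -> str:
    """Classify a file by whether the download warning would apply to it.

    'warn'   : ZoneId 3 (Internet) or 4 (Restricted), Explorer prompts on launch.
    'silent' : executable with no stream or a trusted zone, no prompt (the case
               the thread is concerned about).
    'ok'     : non-executable file that needs no prompt.
    """
    zid = zone_id(stream_text)
    ext = os.path.splitext(filename)[1].lower()
    if zid is not None and zid >= 3:
        return "warn"
    if ext in EXEC_EXTS:
        return "silent"
    return "ok"


def read_stream(path: str) -> Optional[str]:
    """Read the Zone.Identifier alternate data stream (Windows/NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        # No such stream (or not NTFS): the file looks local to Explorer.
        return None


def audit_directory(directory: str) -> List[Tuple[str, Optional[int], str]]:
    """Return (filename, zone id or None, classification) for every file."""
    results: List[Tuple[str, Optional[int], str]] = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                text = read_stream(entry.path)
                results.append((entry.name, zone_id(text), classify(entry.name, text)))
    return results


# Constructed sample streams, in the format Explorer writes.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_TRUSTED = "[ZoneTransfer]\r\nZoneId=2\r\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.path.expanduser("~"), "Downloads")
    for name, zid, verdict in audit_directory(target):
        zone = ZONE_NAMES.get(zid, "none") if zid is not None else "none"
        print(f"{verdict:6} zone={zone:15} {name}")
```

Run it against a download folder on a Windows box and the "silent" rows are the executables that would start without the SP2 prompt, which is exactly the set Juergen argues other applications and overwrites can leave behind. The classification deliberately treats a missing stream the same as a trusted zone, since both bypass the warning.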
Current thread:
- Flaws security feature of SP2 Juergen Schmidt (Aug 16)
- Re: Flaws security feature of SP2 Barrie Dempster (Aug 16)
- RE: Flaws security feature of SP2 Jonathan Rickman (Aug 16)
- RE: Flaws security feature of SP2 Juergen Schmidt (Aug 16)
- <Possible follow-ups>
- RE: Flaws security feature of SP2 Verma, Sachin (Aug 16)