
Full Disclosure mailing list archives
Re: Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability
From: jf <jf () ownco net>
Date: Wed, 8 Sep 2010 17:05:16 -0500
... my understanding of the issue was not the default library search path, but rather that people are using SearchPath() or similar to locate DLLs which they then pass to LoadLibrary() ... And, people loading DLLs they do not need, for OS version detection. (Maybe others?)
I still don't see how this is really MSFT's fault. I mean, there's defined APIs for getting the version, there's a fairly clear warning on MSDN for LoadLibrary & SearchPath; isn't this akin to blaming the OS vendor for the app vendor improperly using strcpy?
An "exploit scenario" for nmap: send a ZIP (or somesuch) archive to the victim, containing a data file and a "hidden" DLL, with message: Hey, these seem infected with conficker, check with nmap and the victim using "nmap -iL datafile" from current dir.
Yeah, good luck with that.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
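The SearchPath()-then-LoadLibrary() pattern discussed in the message above, as an added example that is not part of the original post: a simplified Python model of the documented Windows search orders, showing which copy of a DLL each call pattern ends up loading. The directory names, `example.dll`, `optional.dll` and all function names are assumptions constructed for the illustration; PATH entries are omitted.

```python
# Added illustration: a simplified model of the documented Windows search orders.
# All directory and file names below are constructed for the example.
APP = r"C:\Program Files\App"            # directory the executable was loaded from
CWD = r"C:\Users\u\Downloads\unzipped"   # current directory (untrusted archive contents)
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(cwd_early, include_cwd=True):
    """Directories probed for a bare file name (PATH entries omitted for brevity)."""
    cwd = [CWD] if include_cwd else []
    if cwd_early:
        return [APP] + cwd + SYSTEM_DIRS
    return [APP] + SYSTEM_DIRS + cwd

def resolve(name, files, order):
    for directory in order:
        candidate = directory + "\\" + name
        if candidate.lower() in files:
            return candidate
    return None

def search_path(name, files, safe_process_search_mode=False):
    """SearchPath(NULL, name, ...): the current directory is probed second unless
    the process opted in to safe process search mode."""
    return resolve(name, files, search_order(cwd_early=not safe_process_search_mode))

def load_library(arg, files, safe_dll_search_mode=True, cwd_removed=False):
    """LoadLibrary: a full path is loaded as given; a bare name uses the DLL search
    order. cwd_removed models a prior SetDllDirectory("") call."""
    if "\\" in arg:
        return arg if arg.lower() in files else None
    order = search_order(cwd_early=not safe_dll_search_mode, include_cwd=not cwd_removed)
    return resolve(arg, files, order)

def demo():
    files = {p.lower() for p in (
        SYSTEM_DIRS[0] + r"\example.dll",   # genuine system copy
        CWD + r"\example.dll",              # planted copy with the same name
        CWD + r"\optional.dll",             # name that does not exist on this OS version
    )}
    return {
        "bare_name": load_library("example.dll", files),
        "searchpath_then_load": load_library(search_path("example.dll", files), files),
        "safe_searchpath": search_path("example.dll", files, safe_process_search_mode=True),
        "missing_dll": load_library("optional.dll", files),
        "missing_dll_cwd_removed": load_library("optional.dll", files, cwd_removed=True),
    }

if __name__ == "__main__":
    for case, loaded in demo().items():
        print(f"{case:26} -> {loaded}")
```

The `missing_dll` case corresponds to the "DLLs they do not need, for OS version detection" remark: a name absent from the system directories falls through to the current directory even with SafeDllSearchMode enabled.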