<span style="font-style: italic;">"My point is however that </span><br style="font-style: italic;"><span style="font-style: italic;">
the explorer program itself does not do this properly, and that anyone using explorer or "Internet explorer",</span><br style="font-style: italic;"><span style="font-style: italic;">
is vulnerable to attack from the web through at least telnet:// links."</span><br>
<br>Well, you are assuming that the user already has a backdoor application named c:\telnet.exe; that also means write access to c:\. You must be Administrator to have write permissions to C:\, so I don't see the risk. <br><br>
I can see only one real attack scenario: unprivileged access to a Windows system with a FAT file system or incorrect ACLs that allow you to store a c:\telnet.exe file. Anyway, under that scenario you should be able to trigger better attacks ;-)
<br><br>I agree with you that the problem is due to badly coded applications, but that's not a Windows API flaw.<br><br>Andres Tarasco<br><br><br><div><span class="gmail_quote">2006/5/21, Charles Morris <<a href="mailto:cmorris@cs.odu.edu">
cmorris@cs.odu.edu</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><br>
I understand that this issue is known, however different applications run CreateProcess in different ways,<br>
some use the lpApplicationName variable and some use lpCommandLine properly. My point is however that <br>
the explorer program itself does not do this properly, and that anyone using explorer or "Internet explorer",<br>
is vulnerable to attack from the web through at least telnet:// links.<br>
<br>
(at least proven with Hyperterminal, as coincidentally C:\WINNT\SYSTEM32\telnet.exe has no spaces)<br>
<br>
Other telnet clients installed to different directories (with spaces) will also trigger the problem.<br>
<br>
It seems to me that I (speaking from a web programmer's point of view) should not be able to ask your computer<br>
to run executables at (what seems to me, at least) arbitrary paths.<br>
<br>
This is also a major problem in multiuser environments, as you can trick some Windows services into running your applications.<br>
<br>
I have been notifying vendors one by one of their problem, if it is in their code,<br>
as it seems that nobody wants to really talk about the huge implications of this;<br>
Maybe I am exaggerating the problem. What do you think?</div><div><span class="e" id="q_10b57c929582e1d9_1"><br>
<br><div><span class="gmail_quote">On 5/21/06, <b class="gmail_sendername">Andres Tarasco</b> <<a href="mailto:atarasco@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">atarasco@gmail.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>That's a well known issue and is documented at <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
</a><br><br>Andres tarasco<br><br><div><span class="gmail_quote">2006/5/21, Charles Morris <<a href="mailto:cmorris@cs.odu.edu" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">cmorris@cs.odu.edu
</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"></blockquote></div><div><span>
Microsoft Explorer (iexplore.exe) calls CreateProcess() with<br>lpApplicationName = NULL. Instead, the lpCommandLine variable is used.<br>Unfortunately, if the lpCommandLine variable is not quoted properly, the<br>function will attempt to load & execute multiple other applications in
<br>the following fashion:<br><br>lpCommandLine = C:\Program Files\Google\Google Talk\googletalk.exe<br>Will attempt to execute:<br>C:\Program.exe<br>C:\Program Files\Google\Google.exe<br>C:\Program Files\Google\Google Talk\googletalk.exe
<br><br>If Microsoft Hyperterminal is set up to be your default telnet client,<br>this behavior is known to be triggered from the web with a telnet:// style link.<br><br><br>Microsoft was notified; they told me it was a "non issue", that they
<br>couldn't reproduce it, and basically "don't worry about it", or<br>something. Unfortunately, although explorer.exe warns a user when the<br>file "C:\Program.exe" exists, it does not check any other paths,
<br>therefore it is not nearly a sufficient workaround.<br><br>--<br>Charles Morris<br> <a href="mailto:cmorris@cs.odu.edu" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">cmorris@cs.odu.edu
</a><br><br>Network Administrator<br>CS Systems Group, Old Dominion University
<br><a href="http://15037760514/%7Ecmorris" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://15037760514/~cmorris</a><br><br></span></div><div>_______________________________________________<br>
Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://secunia.com/</a><br>
</div></div><div><span><br><br clear="all"><br>-- <br>Loco de aTar
</span></div></blockquote></div><br><br clear="all"><br></span></div><div>-- </div><div><span class="e" id="q_10b57c929582e1d9_3"><br>Charles Morris<br> <a href="mailto:cmorris@cs.odu.edu" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
cmorris@cs.odu.edu</a><br><br>Network Administrator<br>CS Systems Group, Old Dominion University<br><a href="http://15037760514/%7Ecmorris" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://15037760514/~cmorris</a>
</span></div></blockquote></div><br><br clear="all"><br>-- <br>Loco de aTar
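<br><br>The following is an added example, not code from this thread, from Microsoft, or from any of the participants. It models the CreateProcess() search that Charles describes for an unquoted lpCommandLine (the text up to each space is tried as the module name, with ".exe" appended when that name has no extension, until one exists) and turns it into an audit helper: for each command line a handler or service is configured with, it lists the locations CreateProcess would probe before reaching the intended binary, and prints the quoted form a caller passing lpApplicationName = NULL should have used. The sample command lines in SAMPLE_COMMAND_LINES are constructed for the example and are not taken from any real system; the function names are the example's own.

```python
# Added example (not part of the original thread): model the CreateProcess()
# module search for an unquoted lpCommandLine and flag ambiguous command lines.
from typing import Dict, List, Tuple


def createprocess_candidates(command_line: str) -> List[str]:
    """Ordered list of module paths CreateProcess() considers when
    lpApplicationName is NULL and lpCommandLine is the given string.

    Behaviour modelled (as documented for CreateProcess): with no leading
    quote, the text up to each successive space is tried as the module name,
    ".exe" is appended when that name has no extension, and the first file
    that exists is run.  A leading double quote makes the name unambiguous.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end]] if end > 1 else []
    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        name = " ".join(tokens[:i])
        last_component = name.rsplit("\\", 1)[-1]
        if "." not in last_component:       # no extension -> ".exe" is appended
            name += ".exe"
        candidates.append(name)
    return candidates


def unintended_probes(command_line: str) -> List[str]:
    """Paths CreateProcess() would try *before* the intended executable.
    Empty when the command line is safe (quoted, or contains no spaces)."""
    return createprocess_candidates(command_line)[:-1]


def quote_command_line(exe_path: str, args=()) -> str:
    """Safe form for a caller that passes lpApplicationName = NULL: the module
    path in double quotes, arguments after it.  (Paths that themselves contain
    a double quote need the full argv quoting rules; not handled here.)"""
    return '"%s"' % exe_path + "".join(" " + a for a in args)


# Constructed sample of command lines as a service / URL-handler audit might
# collect them.  Hypothetical values, not taken from any real machine.
SAMPLE_COMMAND_LINES: Dict[str, str] = {
    "hyperterminal-handler": r"C:\Program Files\Windows NT\hypertrm.exe",
    "telnet-builtin":        r"C:\WINNT\SYSTEM32\telnet.exe",
    "googletalk-protocol":   r"C:\Program Files\Google\Google Talk\googletalk.exe",
    "quoted-ok":             r'"C:\Program Files\Some Tool\tool.exe" /x',
}


def audit(entries: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (name, paths-probed-before-target) for every ambiguous entry."""
    findings = []
    for name, cmd in entries.items():
        probes = unintended_probes(cmd)
        if probes:
            findings.append((name, probes))
    return findings


if __name__ == "__main__":
    for name, probes in audit(SAMPLE_COMMAND_LINES):
        print(f"{name}: CreateProcess would first try {probes}")
        print("  fix: lpCommandLine =", quote_command_line(SAMPLE_COMMAND_LINES[name]))
```

Run against the constructed sample, the helper reports the two unquoted paths containing spaces and leaves the built-in telnet path (no spaces) and the already-quoted entry alone, which is the distinction the thread draws between HyperTerminal and C:\WINNT\SYSTEM32\telnet.exe. The defensive fix on the calling side is simply to pass the module path quoted, or to supply lpApplicationName explicitly, so that no prefix of the path is ever treated as a module name.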