Hello,<br><br><div><span class="q"><span class="gmail_quote">On 08/11/06, <b class="gmail_sendername">Gadi Evron</b> &lt;<a href="mailto:ge@linuxbox.org" target="_blank">
ge@linuxbox.org</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Wed, 8 Nov 2006, onisan wrote:<br>> One thing is in this makes it even more interesting, most of the firewalls<br>> do not block this download, so it's the smallest and most dangerous downloader<br>> at the same time :o
<br><br>What Alex did is very impressive! Matthew Murphy came up with the idea<br>originally, I think, but it doesn't take from this amazing work in any<br>way.<br>*awe struck*<br><br>I'd say more though, it's a vulnerability.
<br><br>If you can load a library remotely, and do so with no problems, it's a<br>vulnerability in Windows. I am not sure of what kind quite yet.</blockquote></span><div><br>Windows
handles UNC paths the same way as local paths. Another mechanism used
to load a remote DLL using a UNC path is described in <a href="http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf" target="_blank">
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
</a><br>Here the "system" directory is overwritten with a (UNC)
directory owned by the attacker. When GetSystemDirectoryW() is
called to load faultrep.dll on an exception, an attacker can supply
his backdoored faultrep.dll. I don't think you should classify this as
a vulnerability, it's known Windows behaviour (yet, Windows, a
vulnerability all by itself?).<br></div><br>Regards,<br><span class="sg">Thomas</span><span class="q"><br><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The mother of all downloaders.<br><br>"The Zone has a new King!" &lt;we're not worthy x3&gt;<br> -- Jeff, Coupling (BBC, UK).<br><br> Gadi.<br><br>> -- G<br>><br>> 2006/11/8, Solar Eclipse &lt;
<a href="mailto:solareclipse@phreedom.org" target="_blank">solareclipse@phreedom.org</a>&gt;:<br>> ><br>> > On Tue, Nov 07, 2006 at 10:56:42AM -0800, Peter Ferrie wrote:
<br>> > > Why is the idata size present? AFAIK, no Windows version checks it.
<br>> > > Four bytes shorter, then (stop at the idata rva non-zero byte)?<br>> ><br>> > You're right, you can remove the last field and bring the file size down<br>> > to 133 bytes. That's what I get for claiming that the size can't be
<br>> > improved :-)<br>> ><br>> > Solar<br>> > _______________________________________________<br>> > Code-Crunchers mailing list<br>> > <a href="mailto:Code-Crunchers@whitestar.linuxbox.org" target="_blank">
Code-Crunchers@whitestar.linuxbox.org</a><br>> > <a href="http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers" target="_blank">http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
</a><br><br></blockquote></span></div>
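Added example, not part of this thread: a defender-side check for the behaviour Thomas describes, flagging image-load records where a DLL is loaded from a UNC path or where a DLL expected only in the system directory (faultrep.dll, as in the Litchfield paper) is loaded from elsewhere. The record format (pipe-separated `Image:` / `ImageLoaded:` fields, in the spirit of an image-load audit event), the host name and the file paths are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample image-load records (not real hosts or captured events).
SAMPLE_EVENTS = r"""
Image: C:\Windows\System32\svchost.exe|ImageLoaded: C:\Windows\System32\faultrep.dll
Image: C:\Program Files\App\app.exe|ImageLoaded: \\fileserver.example.test\share\faultrep.dll
Image: C:\Users\bob\tiny.exe|ImageLoaded: \\?\UNC\fileserver.example.test\pub\helper.dll
Image: C:\Windows\explorer.exe|ImageLoaded: C:\Windows\System32\kernel32.dll
"""

# Matches \\server\share\... and the extended form \\?\UNC\server\share\...,
# but not \\?\C:\... (extended-length local paths).
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?[^\\?]", re.IGNORECASE)

# DLLs that should only ever be mapped from the real system directory.
SYSTEM_ONLY_DLLS = {"faultrep.dll"}


def is_unc_path(path: str) -> bool:
    return bool(UNC_RE.match(path))


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: value|Key: value' into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str], system_dir: str = r"C:\Windows\System32") -> List[str]:
    """Return the reasons an image load is suspicious (empty list if none)."""
    loaded = event.get("ImageLoaded", "")
    name = loaded.rsplit("\\", 1)[-1].lower()
    reasons = []
    if is_unc_path(loaded):
        reasons.append("dll loaded from UNC path")
    if name in SYSTEM_ONLY_DLLS and not loaded.lower().startswith(system_dir.lower() + "\\"):
        reasons.append(f"{name} loaded from outside {system_dir}")
    return reasons


def find_suspicious_loads(text: str) -> List[Dict[str, object]]:
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append({"process": ev.get("Image", ""), "module": ev.get("ImageLoaded", ""), "reasons": reasons})
    return hits
```

The UNC check also catches the `\\?\UNC\` extended-length spelling, which a naive `startswith("\\\\")` test would treat the same as a local `\\?\C:` path.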