Re: [Full-disclosure] Security Bug in MSVC

Subject: Re: [Full-disclosure] Security Bug in MSVC
Date: Tue, 17 Jan 2006 23:34:16 +0100
I think MS won't fix any bug in VStudio. I asked them if they will
fix the VS2005 issue published recently and they told me exactly what
is on your support page:

"Only open project files that come from trusted sources."


or "Only open WMF files that come from trusted sources." would have
been less effort than releasing a patch then lol :D


Morning Wood wrote:
------------------------------------------------------------
EXPL-A-2006-002 exploitlabs.com Advisory 048
------------------------------------------------------------

- MSVC 6.0 run file bug -




AFFECTED PRODUCTS
=================
Microsoft Visual Studio 6.0
http://microsoft.com

Possibly other products referenced in:
http://support.microsoft.com/kb/841189



OVERVIEW
========
Source code project distributions are very popular these days.
Generally authors offer code as a project with source, headers, and
MSVC project files if it is a fairly big project. Most users will
simply open up the project.dsw file (especially if it says to do so
in a readme.txt or other compiler instructions), which in turn loads
the project.dsp files, which provide the compiler directives. A
malicious attacker could embed commands to be executed in the project
files, and execute any local code of his choosing.

note: this is an implemented feature in MSVC, and should be
considered a bug, not a vulnerability.



IMPACT
======
The impact of this is quite severe, as it is possible to script
commands such as launching ftp to retrieve and execute a file from a
remote location.




DETAILS
=======
By modifying the .dsp files:

Project Settings / Custom Build / Commands: command to execute
Post-build Step: command to execute


1.a
====
InputPath=.\Release\hello.exe
SOURCE="$(InputPath)"

"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
	calc

1.b
====
PostBuild_Cmds=notepad.exe



POC
===
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip

Extract and open hello.dsw, click "batch build, build" or "rebuild
all", and the code will execute (calc.exe and notepad.exe are used as
an example):
calc.exe = Custom-Build
notepad.exe = PostBuild Commands



SOLUTION
========
vendor contact: secure@microsoft.com, Sept 20, 2005
http://support.microsoft.com/kb/841189 updated Jan 6, 2006

Microsoft provided these URLs as well:
http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp
http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx




SUGGESTED PATCH
===============
Include a dialog box that warns the user, before pre- and post-build
directives can be launched, if execute directives are present in the
build project files.




CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org

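A defender's take on the advisory's SUGGESTED PATCH, as an added example that is not part of the original post and not Microsoft's or exploitlabs' code: it scans .dsp text for the two directive kinds named under DETAILS (Custom Build recipe lines and PostBuild_Cmds) so a downloaded project can be reviewed before anyone opens it in the IDE. The .dsp fragment is constructed to mirror cases 1.a and 1.b; matching every `*_Cmds=` key rather than only PostBuild_Cmds is an assumption that generalises the check to the other build steps.

```python
import re
from typing import List, Tuple

# Constructed sample mirroring the advisory's cases 1.a (Custom Build recipe)
# and 1.b (PostBuild_Cmds). This is not the content of the PoC archive.
SAMPLE_DSP = """\
# Begin Custom Build
InputPath=.\\Release\\hello.exe
SOURCE="$(InputPath)"

"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
\tcalc

# End Custom Build
# Begin Special Build Tool
SOURCE="$(InputPath)"
PostBuild_Cmds=notepad.exe
# End Special Build Tool
"""

# Any "<Step>_Cmds=" assignment (PostBuild_Cmds in the advisory; matching the
# whole *_Cmds family is an assumption that covers the other build steps).
_CMDS_KEY = re.compile(r"^\s*(\w+_Cmds)\s*=\s*(.*?)\s*$")


def find_execute_directives(dsp_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, command) for each line that would run a command.

    Detects recipe lines inside a '# Begin Custom Build' block (the non-blank
    lines after the 'target : deps' rule line) and *_Cmds= assignments.
    """
    findings: List[Tuple[int, str, str]] = []
    in_custom = after_rule = False
    for no, raw in enumerate(dsp_text.splitlines(), 1):
        stripped = raw.strip()
        if stripped == "# Begin Custom Build":
            in_custom, after_rule = True, False
            continue
        if stripped == "# End Custom Build":
            in_custom, after_rule = False, False
            continue
        m = _CMDS_KEY.match(raw)
        if m and m.group(2):
            findings.append((no, m.group(1), m.group(2)))
        elif in_custom and after_rule and stripped:
            findings.append((no, "Custom-Build", stripped))
        elif in_custom and " : " in stripped:
            after_rule = True  # rule line seen; what follows is the recipe
    return findings


if __name__ == "__main__":
    for no, kind, cmd in find_execute_directives(SAMPLE_DSP):
        print(f"line {no}: {kind} executes {cmd!r}")
```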


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
