Fwd: Insecure DLL Call in Windows
NaxoneZ .
naxonez at gmail.com
Wed May 14 15:50:31 EDT 2014
---------- Forwarded message ----------
From: NaxoneZ . <naxonez at gmail.com>
Date: 2014-05-14 21:40 GMT+02:00
Subject: Re: Insecure DLL Call in Windows
To: Richard Laager <rlaager at pidgin.im>
Sorry, I forgot to say you that this path dont exists in my system (really
is necesary?).
Regards and sorry for spam.
2014-05-14 21:39 GMT+02:00 NaxoneZ . <naxonez at gmail.com>:
The problem is that an malware can aproach this insecure call and plant a
> dll using the limited rights of the user.
>
> Normally the calls of this dll is in a "secure" folder like Windows or
> Program files because a limited user cant write in these directories.
>
> You can obtain other examples here:
> http://secunia.com/advisories/windows_insecure_library_loading/
>
> Regards and thanks :)
>
>
>
> 2014-05-14 21:13 GMT+02:00 Richard Laager <rlaager at pidgin.im>:
>
> On Wed, 2014-05-14 at 14:12 +0200, NaxoneZ . wrote:
>>
>> > How you can see if an attacker plant a dll in this paths (I tested
>> > with %USERPROFILE%\.gtk-2.0\engine\libwimp.dll with this
>> > DLL:
>> http://www.binaryplanting.com/demo/windows_address_book/wab32res.dll
>>
>> I'm not sure how this is any different than the fact that Pidgin, like
>> many programs, loads plugin DLLs from the user's home directory
>> ("profile" in Windows speak). Any program which supports plugins allows
>> the user to execute code.
>>
>> --
>> Richard
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20140514/42438922/attachment.html>
More information about the security
mailing list