Defense in depth -- the Microsoft way (part 88): a SINGLE command line shows about 20, 000 instances of CWE-73

2024-9-29 11:7:57 Author: seclists.org(查看原文) 阅读量:7 收藏

Hi @ll,

<https://cwe.mitre.org/data/definitions/73.html>
CWE-73: External Control of File Name or Path
is a well-known and well-documented weakness.

<https://seclists.org/fulldisclosure/2020/Mar/48> as well as
<https://skanthak.homepage.t-online.de/offender.html> demonstrate how to
(ab)use just one instance of this weakness (introduced about 7 years ago
with Microsoft Defender, so-called "security software") due to an
environment variable in the (registered) path name of an executable file
to gain execution of arbitrary code.

But that's of course not the only instance of this VERY EASY to exploit
weakness present in ALL versions of Windows since more than 30 (in words:
THIRTY) years -- start a command processor and run the following command
line to show about 20,000 instances of path names registered with (user-
controlled) environment variables:

    REG.exe QUERY HKEY_LOCAL_MACHINE /C /D /F "%*%\\" /S

stay tuned, and far away from the vulnerable crap made in Redmond
Stefan Kanthak

PS: just yesterday, Microsoft dared to publish

<https://www.microsoft.com/en-us/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secur
e-future-initiative-sfi/>,
    bragging "we've dedicated the equivalent of 34,000 full-time engineers
    to SFI-making it the largest cybersecurity engineering effort in history"
    What about dedicating the equivalent of just ONE full-time employee to
    every instance of just ONE ow Windows weaknesses?

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Full Disclosure mailing list archives

Current thread: