Re: [Full-disclosure] Security Bug in MSVC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think ms wont fixe any bug in vstudio, I have told them if they will
fix the vs2005 issue published recently and they said me exactly what
is on your support page:

"Only open project files that come from trusted sources."


or "Only open WMF files that come from trusted sources." would have
been less effort than releasing a patch then lol :D


Morning Wood wrote:
> ------------------------------------------------------------ -
> EXPL-A-2006-002 exploitlabs.com Advisory 048 -
> ------------------------------------------------------------
>
> - MSVC 6.0 run file bug -
>
>
>
>
> AFFECTED PRODUCTS ================= Microsoft Visual Studio 6.0
> http://microsoft.com
>
> Possibly other products referenced in:
> http://support.microsoft.com/kb/841189
>
>
>
> OVERVIEW ======== Source code project distributions are very
> popular these days. Generally authors offer code as a project with
> source, headers, and msvc project files if it is a fairly big
> project. Most users will simply open up the project.dsw file, (
> especialy if it says to do so in a readme.txt or other compiler
> instructions ) which in turn loads the project.dsp files, which
> provides the compiler directives. A malicious attacker could embed
> commands to be executed in the project files, and execute any local
> code of his choosing.
>
> note: this is an implemented feature in MSVC, and should be
> considered a bug, not a vulnerability.
>
>
>
> IMPACT ====== The impact of this is quite severe, as it is possible
> to script commands such as to launch ftp, retrieve and execute a
> file from a remote location.
>
>
>
>
> DETAILS ======= By modifying the .dsp files:
>
> project settings custom build Commands: command to execute
> Post-build Step: command to execute
>
>
> 1.a ==== InputPath=.\Release\hello.exe SOURCE="$(InputPath)"
>
> "hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" calc
>
> 1.b ==== PostBuild_Cmds=notepad.exe
>
>
>
> POC ====
> http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip
>
> extract, and open hello.dsw click "batch build, build" or "rebuild
> all" code will execute ( calc.exe and notepad.exe used as an
> example ) calc.exe = Custom-Build notepad.exe = PostBuild Commands
>
>
>
> SOLUTION ======== vendor contact: secure@xxxxxxxxxxxxx Sept 20,
> 2005 http://support.microsoft.com/kb/841189 updated Jan 6, 2006
>
> Microsoft provided these URL's as well:
> http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp
> http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx
>
>
>
>
> SUGGESTED PATCH =============== Include a dialog box that warns the
> user, before pre and post build directives can be launched, if the
> presence of execute directives exist in the build project files.
>
>
>
>
> CREDITS ======= This vulnerability was discovered and researched by
> Donnie Werner of exploitlabs
>
>
> mail: wood at exploitlabs.com mail: morning_wood at zone-h.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBQ81w6K+LRXunxpxfAQKhqw/+PP3xy1cT5WmiEcFQ2QuU4eoFRbgw9ZnA
iFDvGqpZXblQuosDIx3jripRKDeshhJc00GbeMT3I9Fw1XrRbVPFETLV7IpitmPQ
jhOKo3pRxDp+mxpFOZpc9mDEhLb873j9un309Ahor29hLgnZ5b5O9J6YuWaFXkZN
FS9tBvVbypb5rqIPe5GpZzNO88tfqwC/xk9JG3qgpuAtgLM/hh7Dp8fpptKdylTA
LfK5OrH5HZ44uJmXxNbDfr8/XJk2Mv9SLC2UitT6DMk/02XfDAR7r2Dj1MnC6Toc
SV3Vv9w9tRHkc1/iKV7/cZyrd8fEi8ZJhgn8DgAeLM3OYTW1I+BpOnAiR58F9+KO
Zqj2QrY92sJTpXSIq2jswslMguAjkZF5jtmXYjzYSPx8w5xfNkjbLRHZ5vX6iZJC
yJXH7nod6OHyCdyLlQIdOsECEorj/bZ5OAlKlgOZrD79cOLCxkOKgrMaxmHIm/Jf
3t/elL4gVS/fvasSsn2Xdm44lzXCbxo/yDfK2wdIb/1tav5Ls9IHs/nO5t1uC5Pc
zx9YfGRjQeU7fTdnR9In7hVMzj36tgmmaiH7d1zPZU/7iFEczVxbtyVznN3uYrgB
1dLgRRA7LXtzzLpLKLIqsaf7cx9OiUpR4ajgWufPW6c8rOYq+uM3OJ1iHRzo1fD+
m929rPMgoP4=
=wrHF
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [arch/x86/vdso/vdso32-syms.lds] Error 1
    ... if you could execute the following commands and include the output: ... My guess at this point is a bug in nm. ... Please read the FAQ at http://www.tux.org/lkml/ ...
    (Linux-Kernel)
  • [UNIX] Vulnerabilities Found in Scponly
    ... SSHd environment files. ... the user can upload a file with a custom ... This provides the user with a means of running arbitrary commands ... the user could execute arbitrary commands by uploading ...
    (Securiteam)
  • Re: [Full-disclosure] FWD Cisco IOS Remote Command Execution Vulnerability
    ... > Vulnerability Alert Cisco IOS Remote Command Execution ... > 9.4 Last Change Cisco has responded to this issue; ... > prone to an issue that may permit gay people to execute arbitrary ... > commands from a password prompt. ...
    (Full-Disclosure)
  • Dont mind if I grouse on some basic topics?? (very long)
    ... I know as experienced programmers you really don't want to hear people gripe ... and moan about basic, indeed critical topics, but I just have to vent on ... commands within a set sequence. ... doesn't appear to uniformly execute them. ...
    (comp.windows.x)
  • Re: HELP !!! No more task-bare and menu bare
    ... He should though be able to start a new terminal login from his root session and there login as himself and execute the commands to get the bars back. ... So I delete ALL my directories .xxx and ALL my files .xxx from my /home/dir then login on my Ubuntu account and it's the same!!!! ... Initializing nautilus-share extension ...
    (Ubuntu)