Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

... Don't run applications from untrusted locations ...

You got it wrong. Only trusted applications are run. - The attacker
prepares a WORD.DOC (and a RICHED20.DLL) file in some place. The
victim clicks on the WORD.DOC file, using his own installed MSWord.

Aaah, well if that is the issue, it seems to me that the vulnerability here is
that the application in question (MSWord) has it's CWD set to the directory of
the file that it is opening through the explorer shell.

It should chdir() to it's own parent directory before doing anything interesting
that depends on CWD. (i.e. loading DLLs or executing "./")

It's general good programming practice to be mindful of your CWD, I know
that personally; a call to chdir() is almost always at the top of my script.

So, I take back what I said about it being a non-issue, it IS in fact
a vulnerability in the application.


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Relevant Pages

  • Re: FileUtils.chdir thread safety
    ... > parent's cwd afterward). ... What does inheriting change about my argument? ... thread-local chdir sort of breaks some traditional semantics. ...
  • Re: @INC paths on an IIS server
    ... I'm becoming a BIG FAN of the FindBin solution ... especially in the case of CGI code, ... the chdir into the directory where the code is. ...
  • Re: What is wrong with this file copy script
    ... # This fails for the second directory since it chdir to './dir2' when it's in './dir1' Try it from the command line: ... my $cwd = cwd; ... chdir $cwd; # Change back at end of the loop. ... -- hpdb thisdir=./dir2 has files ...
  • Re: FileUtils.chdir thread safety
    ... I had a vague idea that there could be an option that controls if cwd ... the best fakery we can do to make File APIs have a per-thread CWD would ... Actually I suppose there is a way; have all process launches acquire a ... process quickly and then chdir back, ...