Re: [Full-disclosure] Nmap NOT VULNERABLE to Windows DLL Hijacking Vulnerability



... my understanding of the issue was not the default library search
path, but rather that people are using SearchPath() or similar to locate
DLLs which they then pass to LoadLibrary() ...

And, people loading DLLs they do not need, for OS version detection.
(Maybe others?)

I still don't see how this is really MSFTs fault. I mean, there's defined APIs for getting the version, theres a fairly clear warning on MSDN for LoadLibrary & SearchPath; isn't this akin to blaming the OS vendor for the app vendor improperly using strcpy?



An "exploit scenario" for nmap: send a ZIP (or somesuch) archive to
the victim, containing a data file and a "hidden" DLL, with message:
Hey, these seem infected with conficker, check with nmap
and the victim using "nmap -iL datafile" from current dir.

Yeah, good luck with that.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/