Vulnerability in Windows Shell Could Allow Remote Code Execution

Page 3 of 5


Re: Vulnerability in Windows Shell Could Allow Remote Code Execution

Post by ssj100 on 25/7/2010, 12:16

aigle wrote:
hi ssj100! Nice testing indeed. Can you test Threatfire too? Thanks

Welcome aigle - nice to see you here. Hope you're enjoying Linux. Windows, with all its flaws and vulnerabilities, is more interesting though, right? Haha.

I actually thought about testing Threatfire but decided not to - I felt no one used it anymore. But since you asked, I'll give it a go at some point.

Zero_One wrote:
Would be nice to see some of the more mainstream av products tested too

I don't think any of them would block this POC, as it's just a POC and there's nothing to black-list. Kaspersky may be the only exception though, as it has some sort of HIPS component. From memory, Private Firewall does as well, although I remember I wasn't too impressed with it when I tried it last year.

The problem with testing e.g. Kaspersky Internet Security Suite is that it's often not easy to find a valid trial for it. If someone can link me to a valid trial of the relevant program, I'd be happy to test it against this POC.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by aigle on 26/7/2010, 06:36

Zero_One wrote:
I have a reconfigured dll that pops up a message box instead of sending debug messages, makes it easier to test if anyone is interested (it's harmless of course).

Please send it to me as well. Thanks. I sent you a PM too.

Post by aigle on 26/7/2010, 06:37

ssj100 wrote:
aigle wrote:
hi ssj100! Nice testing indeed. Can you test Threatfire too? Thanks

Welcome aigle - nice to see you here. Hope you're enjoying Linux. Windows with all its flaws and vulnerabilities is more interesting though right haha.

Thanks. Yes, I am using Ubuntu mainly, but Windows is a lot of fun.

Post by ssj100 on 26/7/2010, 07:00

Hey aigle, it seems Threatfire has integrated with Spyware Doctor with Antivirus? I think I'll just test that entire suite:
http://www.threatfire.com/download/

EDIT: the Trial version of the entire suite doesn't appear to have all features available. Anyway, for those wanting to know, the Trial version of Spyware Doctor with Antivirus doesn't do anything against this POC.


Post by aigle on 26/7/2010, 09:19

The Threatfire free version is without antivirus.

Post by ssj100 on 26/7/2010, 09:22

Tested the free version and maxed out the settings - completely bypassed. Not surprising really, given I doubt it analyses and blocks every executable (or DLL) file.


Post by aigle on 27/7/2010, 06:59

Thanks. Sad to see that products claiming zero-day protection fail miserably whenever a REAL zero-day exploit comes in the wild.

Post by arran on 27/7/2010, 10:44

I'm not surprised either that Threatfire failed. Behavior blockers such as Threatfire only block certain behaviors that their vendor thinks should be blocked; this is why I don't believe in behavior blockers, whereas with a HIPS you can configure it to block almost anything.

Post by burebista on 27/7/2010, 13:54

ssj, can you test this tool to see if it's effective against the lnk exploit?
Thanks.

Post by ssj100 on 27/7/2010, 16:04

burebista wrote:
ssj can you test this tool if it's effective against lnk exploit?
Thanks.

Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.


Post by burebista on 27/7/2010, 16:07

Strange, I have a guy in our forums who told me that it blocks Stuxnet.

Post by ssj100 on 27/7/2010, 16:29

G Data has also released its own specific protection mechanism:

http://www.gdatasoftware.co.uk/about-g-data/press-centre/news/news-details/article/1723-g-data-fights-back-windows-sec.html

Here are the results:

G Data LNK Checker:
A: BLOCKED
B: BYPASSED

To be fair, G Data writes:
A double-click on a file that is marked as dangerous still lies in the user’s responsibility

And here's some information as you install the program:

This indeed is true with the POC exploit as shown:

Here are the results for the Sophos tool:
Sophos Windows Shortcut Exploit Protection Tool 1.0:
A: BYPASSED
B: BYPASSED

As I wrote before, the POC exploit appears to go right through it.


Last edited by ssj100 on 27/7/2010, 17:25; edited 1 time in total


Post by Sadeghi85 on 27/7/2010, 16:35

ssj100 wrote:
burebista wrote:
ssj can you test this tool if it's effective against lnk exploit?
Thanks.

Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.




Post by ssj100 on 27/7/2010, 16:38

Sadeghi85 wrote:
ssj100 wrote:
burebista wrote:
ssj can you test this tool if it's effective against lnk exploit?
Thanks.

Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.

Is that your own test, and did you test it on Windows XP?


Post by Sadeghi85 on 27/7/2010, 16:40

7 32bit

Prevents both methods.


Post by ssj100 on 27/7/2010, 16:42

Sadeghi85 wrote:
7 32bit

Prevents both methods.

Thanks for the information. However, this thread (mainly) discusses the exploit on Windows XP. I tested the Sophos program on a freshly installed Windows XP, SP3, 32-bit. It appeared to fail miserably.


Post by Sadeghi85 on 27/7/2010, 16:55

More tests show it doesn't protect hard disk drives.


ssj100 wrote:

Thanks for the information. However, this thread (mainly) discusses the exploit on Windows XP.

Why? Almost all Windows versions are affected by this.


Last edited by Sadeghi85 on 27/7/2010, 16:57; edited 1 time in total


Post by burebista on 27/7/2010, 16:56

ssj100 wrote:
It appeared to fail miserably.

Yep, here too.
But a nice surprise from CIS.


Post by ssj100 on 27/7/2010, 17:08

Sadeghi85 wrote:
Why? Almost all Windows versions are affected by this.

Sorry I must have given the wrong message. I guess I was just saying that I forgot to re-specify the Windows version I tested it with (hence why we appeared to get conflicting results). From now on, it might be a good idea to do that, to avoid confusion. Cheers mate.


Post by ssj100 on 27/7/2010, 17:09

burebista wrote:
ssj100 wrote:It appeared to fail miserably.
Yep, here too. Sad

That's with Windows XP right?


Post by Sadeghi85 on 27/7/2010, 17:16

Can you test it with a flash stick SSJ?

Open suckme.lnk_ with Notepad++, change c: to the drive letter assigned to the stick, and copy both files to it.


Post by ssj100 on 27/7/2010, 17:19

Sadeghi85 wrote:
Can you test it with a flash stick SSJ?

Open suckme.lnk_ with notepad++, change c: to the drive letter assigned to the stick, copy both files to it.

That might have to wait - my default VMs all have USB disabled (since I never use them in VMs).


Post by burebista on 27/7/2010, 17:21

ssj100 wrote:
That's with Windows XP right?

Yep, XP x32 SP3 all updates. It's my machine at work, I'm bored now so I'm doing some tests.

Post by ssj100 on 27/7/2010, 17:22

burebista wrote:
ssj100 wrote:
That's with Windows XP right?

Yep, XP x32 SP3 all updates. It's my machine at work, I'm bored now so I'm doing some tests.

Join the club haha.


Post by Ruhe on 27/7/2010, 21:31

Anti-virus vendors offer free LNK protection

(G Data, Sophos)