
(Gotta be 21 to drink. ;-) - (Another Scott)
http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VJeJDF4AKD

Cutting to the chase, VBScript permits in-place resizing of arrays through the command “redim preserve.” This is where the vulnerability is.

redim preserve arrayname( newsizeinelements )


VBScript.dll contains a runtime evaluation method, CScriptRuntime::Run(VAR *), which farms out the SafeArray redimension task to OleAut32.dll with the SafeArrayRedim(…) function. Essentially, what happens is that fairly early on, SafeArrayRedim() will swap out the old array size (element count) with the resize request. However, there is a code path where, if an error occurs, the size is not reset before returning to the calling function, VBScript!CScriptRuntime::Run().


Convenient functions that change array sizes can obviously be very dangerous unless they're fully locked down.

The article makes it seem that one would have to be pretty sharp to exploit this vulnerability, but it does say:

Hopefully, if you’ve made it this far, you have a pretty good idea how powerful the data attacks facilitated by this bug can be. Again, our disclosure was originally submitted a number of months ago, and while we are not exclusive with the exploitation techniques described, it contributes well toward our goal of describing a significant vulnerability and how it was turned into a viable proof-of-concept attack toward disclosure. We incorporated product coverage for the OLE vulnerability with our network IPS, and so far, the signature we developed has not fired. However, for the attack techniques discussed, I think it is only a matter of time before we see them in the wild.


Oh, and while DLL Hell supposedly was fixed long ago, it came back in 2010 or so. Dr Dobbs. Ah, the joys of being a Winders developer, amirite?

Cheers,
Scott.
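The quoted write-up says the size is swapped out early and that one failing path returns without restoring it. As an added illustration of that ordering bug (not code from the article, IBM or Microsoft), here is a constructed C model of an array descriptor with the buggy sequence beside the hardened one; ToyArray, g_fail_alloc, toy_realloc, redim_buggy, redim_fixed and toy_is_consistent are names made up for this example.

```c
#include <stdlib.h>

/* Constructed model of an array descriptor: a logical element count that
 * callers trust, plus the buffer that actually backs it. Not OleAut32's
 * SAFEARRAY layout; just enough to show the ordering bug. */
typedef struct {
    size_t cElements;   /* element count the calling engine believes */
    size_t cbElement;   /* bytes per element */
    void  *pvData;      /* backing buffer */
    size_t cbAlloc;     /* bytes really allocated (hidden from callers) */
} ToyArray;

/* Hypothetical switch so the allocation-failure path can be exercised. */
int g_fail_alloc = 0;
static void *toy_realloc(void *p, size_t n)
{
    return g_fail_alloc ? NULL : realloc(p, n);
}

/* Buggy ordering: the count is swapped in before the buffer is resized and
 * the error path returns without rolling it back, so the descriptor now
 * claims more elements than the buffer holds. */
int redim_buggy(ToyArray *a, size_t newCount)
{
    a->cElements = newCount;                        /* committed too early */
    void *p = toy_realloc(a->pvData, newCount * a->cbElement);
    if (p == NULL)
        return -1;                                  /* count not restored */
    a->pvData = p;
    a->cbAlloc = newCount * a->cbElement;
    return 0;
}

/* Hardened ordering: nothing the caller can see changes until the new
 * buffer exists; a failed resize leaves the descriptor exactly as it was. */
int redim_fixed(ToyArray *a, size_t newCount)
{
    void *p = toy_realloc(a->pvData, newCount * a->cbElement);
    if (p == NULL)
        return -1;                                  /* count unchanged */
    a->pvData = p;
    a->cbAlloc = newCount * a->cbElement;
    a->cElements = newCount;                        /* commit last */
    return 0;
}

/* The invariant every consumer relies on: advertised size never exceeds
 * what the buffer can hold. */
int toy_is_consistent(const ToyArray *a)
{
    return a->cElements * a->cbElement <= a->cbAlloc;
}
```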
I'm not seeing the problem (DLL hell, not the sploit) - (pwhysall)
If the version of the library you request isn't installed, you get an error.

Well, duh?

I've had programs on Linux and UNIX whine like tiny babies about not being able to find this or that .so file - same thing, although the general lack of proprietary software on Linux coupled with the repo-based central management does tend to combine to make this pretty much a non-problem.

Either way, even if you wax lyrical to the end user, it's not helpful - "I'm broke and you're not going to like the reason why even if you understand it, which you probably won't" isn't a good place to be.

In practical terms, WinSxS does fix the problem and end-users don't see these sorts of messages. Developers dicking around with test harnesses designed to make a mess of accessing multiple versions of the same thing? Yeah, they'll see it :)

Some users will see it. I'll bet you a pint of your choice that it's the same kinds of users whose operating systems (of whatever flavour) have been going wrong for decades because they either (a) never saw a toolbar they didn't like or (b) have been "tweaking" their systems for "maximum performance" whilst describing themselves as "power users*".

*Anyone who, with a straight face, describes themselves as a "power user" isn't, in my experience
Edited by pwhysall Dec. 22, 2014, 02:24:57 AM EST
Edited by pwhysall Dec. 22, 2014, 02:26:06 AM EST
Party pooper. ;-) - (Another Scott)
     Microsoft fixes 19-year-old Windows bug - (lincoln) - (6)
         Sometimes "innovation" is slow! :) -NT - (a6l6e6x)
         Is that why my daily update was 140Mb today? -NT - (static)
         (At 19: that buggy code is old enough to vote, buy booze and be drafted.) Query: - (Ashton) - (3)
             (Gotta be 21 to drink. ;-) - (Another Scott) - (2)
                 I'm not seeing the problem (DLL hell, not the sploit) - (pwhysall) - (1)
                     Party pooper. ;-) -NT - (Another Scott)
