[16822] in bugtraq
Re: Double clicking on MS Office documents from Windows Explorer
daemon@ATHENA.MIT.EDU (Fernando Trias)
Tue Sep 19 14:22:01 2000
Errors-To: <fernando@pedestalsoftware.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <4.2.0.58.20000918174230.03420e60@127.0.0.1>
Date: Mon, 18 Sep 2000 18:05:25 -0400
Reply-To: Fernando Trias <fernando@PEDESTALSOFTWARE.COM>
From: Fernando Trias <fernando@PEDESTALSOFTWARE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <39C65C4A.9AD70914@gmx.net>
>1. The directory that contains the module for the current process.
>2. The current directory.
>3. The Windows system directory. The GetSystemDirectory function
>retrieves the path of this directory.
>4. The Windows directory. The GetWindowsDirectory function retrieves the
>path of this directory.
>5. The directories listed in the PATH environment variable.
In addition, if you use LoadLibraryEx you can specify a path for the module
you want to load.
>Assuming this, the following conditions must be met to reproduce the
>problem discovered by Georgi Guninski:
>
>1. The DLL you want to fake must not have been loaded into memory by any
>program yet. Windows will use the copy already in memory in that case.
>2. The targeted program (e.g. MS Word) must not have the DLL in the same
>directory as its executable.
There seems to be an added complication. Sometimes, NT/2000 always loads
the trojan DLL (95/98 not tested). I've been playing with wordpad by
executing wri files. Even if wordpad is loaded, it will always execute the
trojan DLL if it is riched32.dll, imm32.dll or gapi32.dll. Other DLLs seem
to behave as you indicated. I don't know why this is.
----------------------------
Fernando Trias
Pedestal Software, LLC
fernando@pedestalsoftware.com
Phone: +1 (508) 520-8960
Fax: +1 (508) 520-8638
http://www.pedestalsoftware.com
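The search order and the two reproduction conditions quoted above can be turned into a small audit model: given what one process sees (its module directory, current directory, system directories, PATH, and which DLLs are already mapped), it reports where a bare DLL name would resolve and flags names that would be satisfied from the current directory, which is the document's folder when a file is opened from Explorer. This is an added example, not code from the thread or from Pedestal Software; the directory layout is constructed, and the model follows the rules as quoted (it does not reproduce the riched32/imm32/gapi32 exception reported above).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


def _norm(p: str) -> str:
    """Windows paths compare case-insensitively; normalise for set lookups."""
    return str(PureWindowsPath(p)).lower()


@dataclass
class ProcessView:
    """Everything the quoted search order consults, for one process.
    `files` is a constructed stand-in for the filesystem: full paths that exist."""
    module_dir: str          # 1. directory of the executable's module
    current_dir: str         # 2. current directory (document's folder from Explorer)
    system_dir: str          # 3. GetSystemDirectory()
    windows_dir: str         # 4. GetWindowsDirectory()
    path: list[str]          # 5. PATH entries, in order
    files: set[str]
    loaded: set[str] = field(default_factory=set)  # DLLs already mapped in memory

    def search_order(self) -> list[tuple[str, str]]:
        order = [("module_dir", self.module_dir), ("current_dir", self.current_dir),
                 ("system_dir", self.system_dir), ("windows_dir", self.windows_dir)]
        return order + [("PATH", p) for p in self.path]

    def resolve(self, dll: str) -> tuple[str, str | None]:
        """Return (origin, full_path) for a bare DLL name.
        Condition 1 from the thread: a DLL already in memory is reused, so the
        filesystem is never consulted for it."""
        if dll.lower() in {m.lower() for m in self.loaded}:
            return "already_loaded", None
        existing = {_norm(f) for f in self.files}
        for origin, directory in self.search_order():
            candidate = str(PureWindowsPath(directory) / dll)
            if _norm(candidate) in existing:
                return origin, candidate
        return "not_found", None


def current_dir_loads(view: ProcessView, dlls: list[str]) -> list[str]:
    """Audit helper: which of the given DLL names would be satisfied from the
    current directory instead of the executable's or the system directories."""
    return [d for d in dlls if view.resolve(d)[0] == "current_dir"]
```

Feeding it the import list of a viewer application and the folder a document arrived in shows which names would be picked up from that folder before the system copy is reached; such a name is the one to check for an unexpected file in document directories.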