[17412] in bugtraq
Re: Windows (me) printer sharing vulnerability
daemon@ATHENA.MIT.EDU (Slawek)
Mon Oct 30 02:19:31 2000
Message-ID: <009701c0405f$0ae7ad40$0201a8c0@telsatgp.com.pl>
Date: Fri, 27 Oct 2000 23:44:11 +0200
Reply-To: Slawek <sgp@TELSATGP.COM.PL>
From: Slawek <sgp@TELSATGP.COM.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Oops, sorry for answering my own post.
Friday, October 27, 2000 2:15 PM +0200, Slawek wrote:
> Every VxD placed in SYSTEM\vmm32 is automatically loaded and executed on
> system bootup.
It's not the way I've said here. I just remembered the bootstrap VxD loader
could be abused and it could, in fact, but not that way.
Every VxD that is mentioned in the registry (in some place, don't care where
for now) is loaded at bootstrap, but some of them are placed in VMM32.VxD.
If a VxD is present in SYSTEM\vmm32 and in VMM32.VxD then the system loads it
from SYSTEM\vmm32.
It is not marked in the registry if the file should be loaded from a
separate file or from the VMM32.VxD.
So we just need to make a copy of one of the system's VxDs from VMM32.VxD
and place its trojaned version in SYSTEM\vmm32.
Now I hope I'm correct,
Slawek
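
A defender-side check for the load precedence described in this message, as an added example that is not part of the original post: it flags .vxd files in a copy of SYSTEM\vmm32 whose names match drivers packed in VMM32.VxD. The packed-name list, the hash baseline, the function names and the sample file names are assumptions; the auditor supplies the real lists.

```python
import hashlib
import tempfile
from pathlib import Path


def find_shadowing_vxds(vmm32_dir, packed_names, baseline=None):
    """Classify .vxd files found in a copy of SYSTEM\\vmm32.

    packed_names: driver names packed inside VMM32.VxD (assumed input from the auditor).
    baseline: optional {NAME: sha256 hex} of override files the auditor has approved.
    """
    packed = {n.upper() for n in packed_names}
    approved = {k.upper(): v.lower() for k, v in (baseline or {}).items()}
    findings = []
    for path in sorted(Path(vmm32_dir).iterdir()):
        name = path.name.upper()  # Windows 9x file names are case-insensitive
        if not path.is_file() or not name.endswith(".VXD"):
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if name not in packed:
            status = "not-packed"          # separate driver, shadows nothing
        elif approved.get(name) == digest:
            status = "approved-override"   # known replacement, hash matches
        else:
            status = "unapproved-shadow"   # would load instead of the packed copy
        findings.append((name, status, digest))
    return findings


def demo():
    """Run the check on a constructed directory; all names and contents are samples."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "vcomm.vxd").write_bytes(b"constructed approved update")
        (root / "IFSMGR.VXD").write_bytes(b"constructed unknown file")
        (root / "extra.vxd").write_bytes(b"constructed third-party driver")
        (root / "readme.txt").write_bytes(b"not a driver, ignored")
        baseline = {"VCOMM.VXD": hashlib.sha256(b"constructed approved update").hexdigest()}
        packed = ["VCOMM.VXD", "IFSMGR.VXD", "VMM.VXD"]  # assumed packed-driver list
        return {n: s for n, s, _ in find_shadowing_vxds(root, packed, baseline)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```
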