[42240] in bugtraq
Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust
daemon@ATHENA.MIT.EDU (H D Moore)
Mon Jan 16 20:36:35 2006
From: H D Moore <sflist@digitaloffense.net>
To: bugtraq@securityfocus.com
Date: Mon, 16 Jan 2006 14:52:21 -0600
Cc: news@securiteam.com
In-Reply-To: <1192877198.20060116214705@Zoller.lu>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200601161452.21782.sflist@digitaloffense.net>
Any chance you contacted Wehnus about it? The "hot fix" is just to open
regedit, browse to this key, and place the path inside double quotes.
Minor problem, but I am sure Matt would have appreciated an email first.
-HD
On Monday 16 January 2006 14:47, Thierry Zoller wrote:
> Dear List,
>
> Small blurp I came around; when Wehntrust creates the autostart key
> it forgets to correctly quote the string in the key and thus may
> trigger an autostart of c:\program.bat|exe|com up-on reboot... [2]
>
> Quoting [1] :
> ^^^^^^^^^^^^
> -----------------------------------------------------------------------
>--- c:\program files\sub dir\program.exe,
>
> In this case, the system will successively expand the string when
> interpreting the file path, until a module is encountered to execute.
> The string used in the above example would be interpreted as follows:
>
> c:\program.exe
> c:\program files\sub.exe
> c:\program files\sub dir\program.exe
> -----------------------------------------------------------------------
>------
>
> [1]
> http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789
>.html [2] Only a real issue in Windows 2000, WinXP restricted
> users don't have the right to write to c:\
> [3] http://secdev.zoller.lu
> [4] http://www.wehnus.com/
