Date: Fri, 1 Jun 2018 15:18:44 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <oss-security@...ts.openwall.com>
Subject: Re: CVE request: rufus

> On 2018.05.31 19:04, Stefan Kanthak wrote:
>> As always, your poor reading skills perfectly match your poor programming
>> skills.
> 
> Ad hominem.

Wrong. The plain and simple truth.

>> "We" wait until the requested CVEs are assigned for both well-known
>> vulnerabilities.
> 
> Again, what happened to responsible disclosure?

What happened with YOUR responsibility to protect YOUR users from YOUR
faults?

>> DLL spoofing was VERY well known long before 2016, and it is neither restricted
>> to the CWD nor to runtime linking:
> 
> You are deliberately misinterpreting what I said.

Wrong again:

| Also, FYI, we did apply mitigation for #1 (DLL sideloading attacks) very 
| shortly after the time it became publicized:

Read again what you wrote, and especially notice the plural inside the
parentheses.
In short: you LIED!

> In 2016 there was a new DLL side loading vulnerability that made the 
> rounds, and that we mitigated against.

Wrong again: ALL DLL spoofing vulnerabilities are known since more than
20 years.
To write programs that still show it is a "bloody beginner's error".

[...]

>> Until then, to protect your users, remove Rufus from the net!
> 
> I will only say this once: Unless you stop acting like an asshole,

Thanks.

Your incompetence and extraordinary manners deserve audience.

Let's start with the "blind command injection" of "rufus.com\r\n" your
bug-riddled software attempts, and how it fails, MISERABLY!

JFTR: see <https://cwe.mitre.org/data/definitions/377.html>
      and <https://cwe.mitre.org/data/definitions/379.html>
      plus <https://capec.mitre.org/data/definitions/29.html>

1. open a command prompt, then run the following command lines:

   SET NoDefaultCurrentDirectoryInExePath=*
   <path>\rufus-3.0.exe

   OUCH!

   JFTR: this DOCUMENTED setting was introduced with Windows Vista,
         more than 12 years ago: it's REALLY time for your homework,
         kid!
         <https://msdn.microsoft.com/en-us/library/ms684269.aspx>

2. open a command prompt, CD into a directory without "write file"
   permission, for example a CD-ROM drive, and run the following
   command line:

   <path>\rufus-3.0.exe

   OUCH!

3. open a command prompt, CD into a directory without "execute file"
   permission, i.e. where your security conscious administrator
   added the NTFS ACE "(D;OIIO;WP;;;WD)", and run the following
   command line:

   <path>\rufus-3.0.exe

   OUCH!

4. ask your security conscious administrator to set the well-known
   and well-documented policies (introduced with Windows Vista, more
   than 12 years ago: <https://support.microsoft.com/en-us/kb/979621>,
   <https://msdn.microsoft.com/en-us/library/bb530324.aspx>)

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]
   "Deny_All"=dword:00000001

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}]
   "Deny_Execute"=dword:00000001
   "Deny_Write"=dword:00000001

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53F5630A-B6BF-11D0-94F2-00A0C91EFB8B}]
   "Deny_Execute"=dword:00000001
   "Deny_Write"=dword:00000001


   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}]
   "Deny_Execute"=dword:00000001
   "Deny_Write"=dword:00000001

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53F56311-B6BF-11D0-94F2-00A0C91EFB8B}]
   "Deny_Execute"=dword:00000001
   "Deny_Write"=dword:00000001

   then open a command prompt, CD into a directory on a removable
   volume, and run the following command line:

   <path>\rufus-3.0.exe

   OUCH!

5. open a command prompt, run the following command line, and
   immediately switch the focus to an editor window (for example):

   <path>\rufus-3.0.exe

   OUCH!

That's what I call "bloody beginner's error".
Or just EPIC FAIL!

stay tuned
Stefan
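
The five checks above are manual. The script below is an added example, written for this page and not code from the original post or from the Rufus project; it runs tests 1 to 3 against any executable you name, reports the exit code and whether a file was dropped into the working directory, and then reads back (without changing) the RemovableStorageDevices policy values from test 4. Two things it assumes that the post does not state: that the program under test reports failure through a non-zero exit code, and that the file dropped into the CWD is called rufus.com (the -DroppedName parameter overrides that). The icacls ACE "(OI)(IO)(X)" for Everyone is the icacls spelling of the SDDL ACE "(D;OIIO;WP;;;WD)" quoted in test 3. Test 5 (switching focus while the program starts) is not automated here. Run it in an elevated or normal PowerShell 5+ session on Windows; icacls on a directory you own needs no elevation.

```powershell
# Added example, not from the original post or the Rufus project.
# Reproduces the conditions of tests 1-3 above for an arbitrary executable
# and reads the removable-storage policy from test 4 (read only).
# Assumptions not stated on the page: failure shows as a non-zero exit code,
# and the file dropped into the working directory is named rufus.com.
param(
    [Parameter(Mandatory = $true)][string]$ExePath,
    [string]$DroppedName = 'rufus.com'   # assumed name of the CWD artifact
)

$everyone = '*S-1-1-0'   # icacls SID syntax for Everyone ("WD" in SDDL)

function New-TestDirectory([string]$Label) {
    $dir = Join-Path $env:TEMP ('cwdtest-{0}-{1}' -f $Label, [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    return $dir
}

function Invoke-FromDirectory([string]$Dir, [hashtable]$EnvVars = @{}) {
    # Environment variables are set at process scope so the child started by
    # Start-Process inherits them (this is how NoDefaultCurrentDirectoryInExePath
    # reaches the program under test), then restored afterwards.
    $saved = @{}
    foreach ($name in $EnvVars.Keys) {
        $saved[$name] = [Environment]::GetEnvironmentVariable($name)
        [Environment]::SetEnvironmentVariable($name, $EnvVars[$name])
    }
    try {
        $proc = Start-Process -FilePath $ExePath -WorkingDirectory $Dir -Wait -PassThru
        return [pscustomobject]@{
            ExitCode = $proc.ExitCode
            Dropped  = Test-Path (Join-Path $Dir $DroppedName)
        }
    } finally {
        foreach ($name in $saved.Keys) {
            [Environment]::SetEnvironmentVariable($name, $saved[$name])
        }
    }
}

function Test-CwdBehaviour {
    $results = @()

    # Test 1: writable CWD, but the CWD is no longer searched implicitly
    # when an executable is resolved by name.
    $dir = New-TestDirectory 'nodefaultcwd'
    $r = Invoke-FromDirectory $dir @{ NoDefaultCurrentDirectoryInExePath = '*' }
    $results += [pscustomobject]@{ Case = 'NoDefaultCurrentDirectoryInExePath=*'; Exit = $r.ExitCode; Dropped = $r.Dropped }

    # Test 2: CWD without "write file" permission (deny generic write to Everyone).
    $dir = New-TestDirectory 'nowrite'
    & icacls $dir /deny "$($everyone):(OI)(CI)(W)" | Out-Null
    $r = Invoke-FromDirectory $dir
    & icacls $dir /remove:d $everyone | Out-Null      # undo so cleanup works
    $results += [pscustomobject]@{ Case = 'CWD denies write'; Exit = $r.ExitCode; Dropped = $r.Dropped }

    # Test 3: CWD without "execute file" permission on files created in it.
    # (OI)(IO)(X) for Everyone corresponds to the SDDL ACE (D;OIIO;WP;;;WD).
    $dir = New-TestDirectory 'noexec'
    & icacls $dir /deny "$($everyone):(OI)(IO)(X)" | Out-Null
    $r = Invoke-FromDirectory $dir
    & icacls $dir /remove:d $everyone | Out-Null
    $results += [pscustomobject]@{ Case = 'CWD denies execute'; Exit = $r.ExitCode; Dropped = $r.Dropped }

    return $results
}

function Get-RemovableStoragePolicy {
    # Read-only view of the policy keys from test 4; the four device-class
    # GUIDs are the ones listed in the post. A missing key means "not configured".
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $classes = '{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}', '{53F5630A-B6BF-11D0-94F2-00A0C91EFB8B}',
               '{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}', '{53F56311-B6BF-11D0-94F2-00A0C91EFB8B}'
    $denyAll = (Get-ItemProperty -Path $base -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    foreach ($class in $classes) {
        $p = Get-ItemProperty -Path (Join-Path $base $class) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Class        = $class
            Deny_All     = [int]($denyAll -eq 1)
            Deny_Execute = [int]($p.Deny_Execute -eq 1)
            Deny_Write   = [int]($p.Deny_Write -eq 1)
        }
    }
}

Test-CwdBehaviour          | Format-Table -AutoSize
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

Usage: `.\cwdtest.ps1 -ExePath C:\Downloads\rufus-3.0.exe`. A program that creates and then runs a helper in its current directory will show Dropped = True and a failing exit code in test 2 (it could not create the file) and test 3 (it created the file but could not execute it); a program that uses a proper temporary directory shows Dropped = False and the same exit code in every case. The policy table shows all zeros unless an administrator has applied the registry values from test 4.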
