Surfeit and Blasé Security
Original release date: August 13, 2019Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and …
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s August 2019 Security Update Summary and Deployment Information and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: August 13, 2019Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to gain an escalation of privileges on a previously infected machine.
Th…
Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to gain an escalation of privileges on a previously infected machine.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: August 13, 2019Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructur…
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:
This product is provided subject to this Notification and this Privacy & Use policy.
In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by […]
The post The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End? appeared first on McAfee Blogs.
In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by just basic assumptions on case-sensitiveness during development.
In this 3rd post we focus on the “confusion” technique, where even though the technique is already known (Medium / Tyranidslair), the ramifications of these effects have not all been analyzed yet.
Going back to normalization, some Win32 API’s remove trailing whitespaces (and other special characters) from the path name.
As mentioned in the last publication, the normalization can, in some cases, provide the wrong result.
The common scenario that could be used as “bait” for the user to click, and even to hide what is seen, is to create a directory with the same name ending with a whitespace.
A very trivial example “That’s not my notepad…..”:
Open task manager, Right click on the “notepad” with putty icon -> Properties. (The properties were read from the “non-trailing-space” binary)
Open Explorer on “C:\Windows “; it will generate the illusion that the original files (from the folder without trailing whitespace) are there. This will happen for any folder/file not present in the whitespace version.
Screenshots opening a McAfee Agent Folder:
Both folders opened; note that the whitespace version does not have any .dll or additional .exe but Explorer renders the missing files from the “normalized – non-whitespace directory”.
Trying to open the dll…
Getting properties from task manager will fetch those from the normalized folder path, that means you can be tricked to think it is a trusted app.
Watch the video recorded by our expert Cedric Cochin illustrating this technique:
Related Links / Blogs:
https://tyranidslair.blogspot.com/2019/02/ntfs-case-sensitivity-on-windows.html
https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
The post The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End? appeared first on McAfee Blogs.