It Might Not Be A Vulnerability If…


There are some things that just aren’t vulnerabilities. If the exploit starts with “First become admin…”, it might not be a vulnerability. Likewise, if the exploit starts with “First, you steal the computer, boot a rogue operating system, and then, BWAHAHAHAHA…”, it might not be a vulnerability.

Some of the things I’ve seen come through MSRC are just really bad. I recall one quite a while back where a “vulnerability” was reported in cmd.exe, where if you could get me to run a command line full of shell code, you could run arbitrary code. That’s really working much too hard. If you can get me to run “net user 3v1lH4x0r K3wlR4dPwd! /add & net localgroup administrators 3v1lH4x0r /add”, I’m toast, you win, game over.

This leads me to my personal anti-favorite not-a-vulnerability – .HLP files are equivalent to executables! Yep, if you put a bunch of shell code into my .hlp file, you’re just really working too hard. I know this because back at ISS, in addition to being dev lead, PM, domain admin, 2nd tier tech support, and head Windows vuln check creator, I also did all or most of the help system for 3 or 4 releases. In old .HLP files, the way you extended them was by compiling whatever you needed into a DLL, typically making the argument a string, and then inserting it into the help file as a ‘macro’. These macros can run on load. If you had the old RoboHelp stuff, some of the default help files made with their system would, for a while, ship a few extra binaries to make it do cool stuff. We used to have one to figure out where the browser was and launch it so people could find patches and other resources.

If you’re even just a teeny bit evil, it might come to mind that you could make a help file that just used the system DLLs, and called something fun, like ShellExecute, or maybe system(), and it would be a totally legal help file that’s operating by design. So if you’re in the exploit finding business, please don’t waste your time fuzzing .HLP files. It’s really old code, and though you might find something, it won’t get your name in lights, and it’s a terribly inefficient way to hack people. It’s really easier, and likely more productive, to just offer people chocolate in exchange for their passwords. BTW, don’t think they’re limited to just string arguments – if you are clever, you can call nearly any type of API, though pointers are hard.

If you’re on the other side of the problem, it is probably a bad idea to let .hlp files come through e-mail, and don’t run them unless you’d also trust the people who made the executable that they go with. A completely correct and well-formed HLP file is just as dangerous as an executable.
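As an added example (not code from the original post), here is a small Python attachment check of the kind a mail gateway could apply to follow the advice above: treat a WinHelp file exactly like an executable, deciding by content as well as by extension so a renamed help file is caught too. The WinHelp header magic (bytes 3F 5F 03 00) is taken from published descriptions of the WinHelp file format; the policy set and the sample payloads are constructed for illustration.

```python
# Added example: classify mail attachments so that WinHelp (.hlp) files get the
# same handling as executables. The 4-byte header magic 0x00035F3F
# (little-endian bytes 3F 5F 03 00) comes from published WinHelp format
# documentation; the policy set and samples below are constructed.
import struct

WINHELP_MAGIC = 0x00035F3F
# Extensions that a gateway should handle like executables (constructed policy).
EXECUTABLE_LIKE = {".exe", ".dll", ".hlp"}


def is_winhelp(data: bytes) -> bool:
    """Return True if the payload starts with the WinHelp header magic."""
    if len(data) < 4:
        return False
    return struct.unpack("<I", data[:4])[0] == WINHELP_MAGIC


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block:extension', 'block:content' or 'allow'.

    Either signal alone is enough to block: a known executable-like extension,
    or WinHelp content regardless of name (renaming the file does not change
    what the help viewer will open and run).
    """
    parts = filename.lower().rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext in EXECUTABLE_LIKE:
        return "block:extension"
    if is_winhelp(data):
        return "block:content"
    return "allow"


# Constructed sample attachments (header bytes only, not real files).
SAMPLES = {
    "readme.hlp": b"\x3f\x5f\x03\x00" + b"\x00" * 12,
    "readme.txt": b"\x3f\x5f\x03\x00" + b"\x00" * 12,  # renamed WinHelp file
    "notes.txt": b"Just plain text\n",
    "short.bin": b"\x3f",  # too short to carry a header
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample and return {name: verdict}."""
    return {name: classify_attachment(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```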


Comments (3)

  1. Mike Dimmick says:

    Does this explain why Windows Help (the viewer for .hlp files) was removed from Windows Vista?

    [dcl] I don’t know. I wasn’t part of that decision. It’s a fundamentally insecure design, and it’s time we retired it. It made sense in 1990…

  2. G. Deutsch says:

    David,

    although imo generally a little bit of thought and applying plain old judgement goes a long way. Nevertheless, “If the exploit starts with ‘First become admin…’, then it is not an exploit.” Well, not so fast. I think I know where you come from and understand what leads to that assessment; I’d only like to object (and be it only because I’ve been watching Anglo-American court proceedings and boyz, how I grew to love these Objection, sustained, overruled staccato).

    Slightly more serious, let me dissect this and please do provide your insights in the matter.

    I start out with the no-brainer that (Windows, *nix, Novell Netware) OS in wider practical use come with a god-like admin user – I’m thy root, thou shalt not. Meaning there is nothing you could do to tackle the rogue admin save for firing him.

    The problem lies in the last bit – what if she anticipated your move and installed a back door in the OS. You all happy to be rid of her, she happily biding her time. This means that the power to install next-to-impossible-to-uncover hidden paths into the OS clearly is an exploit. That, given our current arsenal of defense, we can’t do awfully much about this, does imo not justify waving the issue off.

    Was not TCPA and the like meant to cure that? You remember, then, when the RIAA had not yet managed to corrupt 20% of the country and 80% of its legislative bodies? Sometimes it IS great to be European.

    But anyway, your views on the issue and your insights would really interest me.

    G. Deutsch

    share what you know, learn what you don’t

  3. david_leblanc says:

    This is true – if everyone is admin, it isn’t so hard to get to be admin. This is why we have UAC – to try and get people back to where the security system can help them. Thanks for your comment!