Vulnerability in Windows Shell Could Allow Remote Code Execution
Page 3 of 5
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
aigle wrote:hi ssj100! Nice testing indeed. Can you test threatfire too? thanks
Welcome aigle - nice to see you here. Hope you're enjoying Linux. Windows with all its flaws and vulnerabilities is more interesting though right haha.
I actually thought about testing Threatfire but decided not to - I felt no one used it anymore. But since you asked, I'll give it a go at some point.
Zero_One wrote:Would be nice to see some of the more mainstream av products tested too
I don't think any of them would block this POC, as it's just a POC and there's nothing to black-list. Kaspersky may be the only exception though, as it has some sort of HIPS component. From memory, Private Firewall does as well, although I remember I wasn't too impressed with it when I tried it last year.
The problem with testing eg. Kaspersky Internet Security Suite is that it's often not easy to find a valid trial for it etc. If someone can link me to a valid trial of the relevant program, I'd be happy to test it against this POC.
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Zero_One wrote:I have a reconfigured dll that pops up a message box instead of sending debug messages, makes it easier to test if anyone is interested (it's harmless of course).
pls send it to me as well. thanks. i sent u a PM too.
aigle- Member
- Posts : 21
Join date : 2010-07-25
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
ssj100 wrote:aigle wrote:hi ssj100! Nice testing indeed. Can you test threatfire too? thanks
Welcome aigle - nice to see you here. Hope you're enjoying Linux. Windows with all its flaws and vulnerabilities is more interesting though right haha.
thanks. yes i am using ubuntu mainly but windows is a lot of fun.
aigle- Member
- Posts : 21
Join date : 2010-07-25
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Hey aigle, it seems Threatfire has integrated with Spyware Doctor with Antivirus? I think I'll just test that entire suite:
http://www.threatfire.com/download/
EDIT: the Trial version of the entire suite doesn't appear to have all features available. Anyway, for those wanting to know, the Trial version of Spyware Doctor with Antivirus doesn't do anything against this POC.
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Threatfire free version is without antivirus.
aigle- Member
- Posts : 21
Join date : 2010-07-25
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Tested the free version and maxed out the settings - completely bypassed. Not surprising really, given I doubt it analyses and blocks every executable (or DLL) file.
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Thanks. Sad to see that products claiming for zero day protection fail miserably whenever a REAL real zero day exploit comes in wild.
aigle- Member
- Posts : 21
Join date : 2010-07-25
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
I'm not surprised either that Threatfire failed. Behavior blockers such as Threatfire only block certain behaviors that their vendor thinks should be blocked; this is why I don't believe in behavior blockers, whereas with a HIPS you can configure it to block almost anything.
arran- Member
- Posts : 41
Join date : 2010-05-09
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
ssj can you test this tool if it's effective against lnk exploit?
Thanks.
burebista- New Member
- Posts : 9
Join date : 2010-07-23
Age : 57
Location : Romania
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
burebista wrote:ssj can you test this tool if it's effective against lnk exploit?
Thanks.
Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Strange, I have a guy in our forums who told me that it blocks Stuxnet.
burebista- New Member
- Posts : 9
Join date : 2010-07-23
Age : 57
Location : Romania
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
G Data has also released its own specific protection mechanism:
http://www.gdatasoftware.co.uk/about-g-data/press-centre/news/news-details/article/1723-g-data-fights-back-windows-sec.html
Here are the results:
G Data LNK Checker:
A: BLOCKED
B: BYPASSED
To be fair, G Data writes:
"A double-click on a file that is marked as dangerous still lies in the user’s responsibility"
And here's some information as you install the program:
This indeed is true with the POC exploit as shown:
Here are the results for the Sophos tool:
Sophos Windows Shortcut Exploit Protection Tool 1.0:
A: BYPASSED
B: BYPASSED
As I wrote before, the POC exploit appears to go right through it.
Last edited by ssj100 on 27/7/2010, 17:25; edited 1 time in total
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
ssj100 wrote:burebista wrote:ssj can you test this tool if it's effective against lnk exploit?
Thanks.
Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.
Sadeghi85- Member
- Posts : 66
Join date : 2010-07-22
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Sadeghi85 wrote:ssj100 wrote:burebista wrote:ssj can you test this tool if it's effective against lnk exploit?
Thanks.
Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.
Is that your own test, and did you test it on Windows XP?
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
7 32bit
Prevents both methods.
Sadeghi85- Member
- Posts : 66
Join date : 2010-07-22
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Sadeghi85 wrote:7 32bit
Prevents both methods.
Thanks for the information. However, this thread (mainly) discusses the exploit on Windows XP. I tested the Sophos program on a freshly installed Windows XP, SP3, 32-bit. It appeared to fail miserably.
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
More tests show it doesn't protect hard disk drives.
ssj100 wrote:
Thanks for the information. However, this thread (mainly) discusses the exploit on Windows XP.
Why? Almost all windows versions are affected by this.
Last edited by Sadeghi85 on 27/7/2010, 16:57; edited 1 time in total
Sadeghi85- Member
- Posts : 66
Join date : 2010-07-22
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
ssj100 wrote:It appeared to fail miserably.
Yep, here too.
But a nice surprise from CIS.
burebista- New Member
- Posts : 9
Join date : 2010-07-23
Age : 57
Location : Romania
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Sadeghi85 wrote:Why? Almost all windows versions are affected by this.
Sorry I must have given the wrong message. I guess I was just saying that I forgot to re-specify the Windows version I tested it with (hence why we appeared to get conflicting results). From now on, it might be a good idea to do that, to avoid confusion. Cheers mate.
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
burebista wrote:ssj100 wrote:It appeared to fail miserably.
Yep, here too.
That's with Windows XP right?
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Can you test it with a flash stick SSJ?
Open suckme.lnk_ with notepad++, change c: to the drive letter assigned to the stick, copy both files to it.
Sadeghi85- Member
- Posts : 66
Join date : 2010-07-22
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
Sadeghi85 wrote:Can you test it with a flash stick SSJ?
Open suckme.lnk_ with notepad++, change c: to the drive letter assigned to the stick, copy both files to it.
That might have to wait - my default VM's all have USB disabled (since I never use them in VM's).
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
ssj100 wrote:That's with Windows XP right?
Yep, XP x32 SP3 all updates. It's my machine at work, I'm bored now so I'm doing some tests.
burebista- New Member
- Posts : 9
Join date : 2010-07-23
Age : 57
Location : Romania
Re: Vulnerability in Windows Shell Could Allow Remote Code Execution
burebista wrote:ssj100 wrote:That's with Windows XP right?
Yep, XP x32 SP3 all updates. It's my machine at work, I'm bored now so I'm doing some tests.
Join the club haha.
Ruhe- Valued Member
- Posts : 261
Join date : 2010-04-16
Location : Germany