When you Trust WehnTrust - Privilege Escalation
Introduction: WehnTrust is a Host-based
Intrusion Prevention System (HIPS) that provides secure buffer
overflow exploitation countermeasures. While other Windows based intrusion
prevention systems are only capable of working with a pre-defined group
of applications, WehnTrust's technology allows it to work with virtually
all software products. Perhaps best of all, WehnTrust is currently free
for home use.
WehnTrust creates this autostart key:
It forgets to correctly quote the autostart key and thus may start c:\program.bat|exe|com on reboot... [2] Note how the VMware tools do the same.
--------------------------------------------------------------------------
c:\program files\sub dir\program.exe,
In this case, the system will successively expand the string when interpreting the file path, until a module is encountered to execute. The string used in the above example would be interpreted as follows:
c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
-----------------------------------------------------------------------------
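The expansion quoted above can be turned into a check for autostart values that need quoting. This is an added example, not code from the original post or from WehnTrust; the sample values and function names are constructed for illustration, and it assumes the intended executable is the first space-delimited prefix ending in ".exe".

```python
# Constructed sample autostart values (value name -> command line).
# These are illustrative and are not taken from the page or from any product.
SAMPLE_RUN_VALUES = {
    "QuotedTool": r'"C:\Program Files\Vendor\tool.exe" /tray',
    "UnquotedTool": r"C:\Program Files\Sub Dir\program.exe /start",
    "NoSpaces": r"C:\Windows\system32\ctfmon.exe",
}


def candidate_paths(command):
    """Return, in order, the paths tried for an unquoted command line.

    Assumption: the intended executable is the first space-delimited
    prefix that already ends in ".exe"; every shorter prefix is tried
    first with ".exe" appended, as in the expansion quoted on the page.
    """
    command = command.strip()
    if command.startswith('"'):
        return []  # quoted path: no ambiguity to expand
    tokens = command.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # intended target, stop here
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit(run_values):
    """Map each risky value name to the unintended paths that precede its target."""
    findings = {}
    for name, command in run_values.items():
        paths = candidate_paths(command)
        if len(paths) > 1:
            findings[name] = paths[:-1]
    return findings


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_RUN_VALUES).items():
        print(f"{name}: quote this value; paths tried first: {paths}")
```

Values that are quoted, or whose path contains no spaces, produce no finding; the fix for a flagged value is to wrap the executable path in double quotes.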
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Yes I know, only a real issue in Windows 2000, WinXP restricted users don't
have the right to write to c:\
Disclaimer
The views and opinion expressed herein are my personal views and are not intended to reflect the views of my employer or any other entity.