{"id":94505,"date":"2016-10-13T07:00:00","date_gmt":"2016-10-13T21:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=94505"},"modified":"2019-03-13T10:32:31","modified_gmt":"2019-03-13T17:32:31","slug":"20161013-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20161013-00\/?p=94505","title":{"rendered":"Dubious security vulnerability: Attacking the application directory in order to fool yourself?"},"content":{"rendered":"

A security vulnerability report arrived that went something like this: <\/p>\n

\n

There is a vulnerability in the XYZ.EXE<\/code> program. If you place a hacked copy of the file CABINET.DLL<\/code> in the same directory as XYZ.EXE<\/code>, then when the user runs the XYZ.EXE<\/code> program, it loads the hacked CABINET.DLL<\/code> instead of the real one. When XYZ.EXE<\/code> prompts for elevation, the user will allow it, and now the rogue CABINET.DLL<\/code> is running code as administrator. <\/p><\/blockquote>\n

Um, okay. <\/p>\n

First of all, this is an application directory attack, and the application directory is considered a trusted location<\/a>. If you let somebody write to your application directory, then you are giving them control over what the application does. So don’t do that<\/a>. <\/p>\n

This particular variation tries to disguise the matter by throwing in an elevation prompt, but the underlying issue is the same. Let’s look at it another way: Who is the attacker, and who is the victim? <\/p>\n

The attacker is the user who creates a trap in the application directory. The victim is the person who runs the application and gets caught in the trap. But how do you get the victim to wander into the yucky hot tub<\/a>? Whatever technique you used to get them to run a program from your hot tub, you can use that technique to get them to run a rogue app directly; no need for fancy application directory attacks. <\/p>\n

The other possibility of a victim is the user himself, who runs the XYZ.EXE<\/code> application, and discovers that he just fell into his own trap. It’s not really considered elevation if you manage to fool yourself. <\/p>\n","protected":false},"excerpt":{"rendered":"

Look over there. Ha ha made you look.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-94505","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"

Look over there. Ha ha made you look.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/94505","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=94505"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/94505\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=94505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=94505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=94505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}