Discussion:
Useless tidbit
(too old to reply)
pretty vacant
2005-05-09 20:14:02 UTC
Permalink
Interesting tidbit. The old c:\program.exe trick prevents MS Anti-Spyware from loading at login. :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
pretty vacant
2005-05-10 13:52:55 UTC
Permalink
You may or may not know that Windows applications often use the registry to
store information about where to find applications within their file
system. Due to the way in which Windows handles filenames, situations
where this information is stored in an unquoted
fashion, can leave the application open to an attack commonly referred to
as the "Program.exe trick".

As you know, it's quite common to have files and/or directories with
spaces in the name (e.g. C:\Program Files). Windows is unique in that it
essentially doesn't exactly know what it's doing if the command isn't
quoted and contains spaces. For example look at the following command:

c:\program files\windows media player\wmplayer

If unquoted, Windows tries the following:

1st try
Execute: c:\program.exe
Arg1: files\windows
Arg2: media
Arg3: player\wmplayer

2nd try
Execute: "c:\program files\windows.exe"
Arg1: media
Arg2: player\wmplayer

3rd try
Execute: "c:\program files\windows media"
Arg1: player\wmplayer

4th try
Execute: "c:\program files\windows media player\mwplayer.exe"

Well in the case of MS AntiSpyware (and hundreds of other applications),
AntiSpyware, it starts up by executing "AntiSpywareMain.exe" which in turn
displays a nice splash screen, performs some other misc activities before
calling the gsasDtServ.exe. The problem is that the execution of
gsasDtServ.exe is unquoted, while the app tries to execute c:\program
files\microsoft antispyware\gsasDtServ.exe, if c:\program.exe exists, it
will be executed instead and MS Antispyware never actually gets loaded.

With XPSP2, the OS will actually warn you about files like c:\Program.bat,
or c:\Program.exe, but not of c:\program files\internet.exe.

Sadly, this isn't uncommon and when I tested this on my system the first
time, 7 applications were executed over a 48 hour period. Try it for
yourself. My Program.exe logs the executing user and command args to
c:\program.log.
It appears this was a "trick" that I missed, can you provide more info?
thanks.
Post by pretty vacant
Interesting tidbit. The old c:\program.exe trick prevents MS Anti-Spyware from loading at login. :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Loading...