Thread: regsvr32.exe commandline overflow

  1. #21 Senior Member (joined Jun 2003, 188 posts)
    Nice response people, but you're not imaginative enough. Picture this: anyone heard of .LNK files? A simple LNK file could create a bind shell through this, a bat file too.

    AN OVERFLOW IS AN OVERFLOW AND IT NEEDS TO BE ACKNOWLEDGED AND FIXED.

  2. #22 Right turn Clyde (Nokia's avatar; joined Aug 2003, Button Moon, 1,696 posts)
    Go here http://www.securityfocus.com/archive/82/316073 warlock7 and you will see that when this overflow was first found in MARCH 2003! it was reported to Microsoft and they deemed it not a security threat.

    Maybe post a little more up-to-date info next time instead of a 500-day-old exploit?

  3. #23 Just Another Geek (joined Jul 2002, Rotterdam, Netherlands, 3,401 posts)
    I could swear I'd seen a post similar to this one right here on AO.
    I had the same kind of discussion then as we do now.
    Unfortunately I couldn't find the first post anymore.

    Nokia: I think you're confusing a system process in Windows with something like a SUID program on *nix. If the overflow existed in a SUID program you could abuse it to get more privileges. But regsvr32 doesn't raise its privileges, so there's nothing to gain. It uses the same privileges as the user invoking the command. If the user has admin privileges, the program, and as a consequence the payload of the overflow, has admin privileges. But if the user already has admin rights, why the hassle of an overflow? That user already has all the power s/he needs to completely nuke the system.

        Nice response people, but you're not imaginative enough. Picture this: anyone heard of .LNK files? A simple LNK file could create a bind shell through this, a bat file too.
    Yes, you could. But isn't it a lot simpler to just bind that shell directly? Why the hassle of an overflow which can and will misfire (BOs tend to depend on OS version, patch level, language, etc.)? Just look at some of the viruses floating around. A lot of them don't even abuse a bug in the system. People will click on anything. Even if you mark your executable with a huge warning label "Running this program will install a backdoor!", people will still click on it to see what will happen.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
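The distinction drawn in #23 (a bug in a SUID program crosses a privilege boundary, a bug in a program that runs as its invoker does not) as an added triage helper; this is example code written for this page, not from the thread. It uses POSIX setuid/setgid bits as the stand-in for the Windows question the thread argues about, and classify_mode / classify_path are hypothetical names.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class BoundaryVerdict:
    crosses: bool   # True if a payload in this program gains privilege over the invoker
    reason: str


def classify_mode(mode, owner_uid, owner_gid, invoker_uid, invoker_gids):
    """Pure check on POSIX mode bits: would code running inside this program
    (e.g. the payload of a command-line overflow) hold more privilege than the
    user who typed the command line?

    invoker_gids is the set of group ids the invoking user already belongs to.
    """
    executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    if not executable:
        return BoundaryVerdict(False, "not executable; nothing runs at all")
    # setuid to a different owner: the classic *nix privilege boundary
    if mode & stat.S_ISUID and owner_uid != invoker_uid:
        return BoundaryVerdict(True, f"setuid to uid {owner_uid}")
    # setgid to a group the invoker is not already in
    if mode & stat.S_ISGID and owner_gid not in invoker_gids:
        return BoundaryVerdict(True, f"setgid to gid {owner_gid}")
    # The regsvr32 case from the thread: same token as the caller, so an
    # overflow only gives the user what s/he already has.
    return BoundaryVerdict(False, "runs with the invoker's own privileges")


def classify_path(path):
    """Stat a real file and apply classify_mode for the current user."""
    st = os.stat(path)
    return classify_mode(st.st_mode, st.st_uid, st.st_gid,
                         os.getuid(), frozenset(os.getgroups()))


if __name__ == "__main__":
    # constructed sample: a root-owned setuid binary versus a plain user binary
    for label, mode, uid in (("root setuid", 0o4755, 0), ("plain tool", 0o755, 0)):
        v = classify_mode(mode, uid, 0, 1000, frozenset({1000}))
        print(f"{label}: crosses={v.crosses} ({v.reason})")
```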
