Thursday, November 6, 2008

Detecting Insecurely Registered Executables (DIRE)

Here is a great tool for developers, and something they should be aware of and incorporate into their SDLC!

Attackers can target systems by exploiting ‘insecurely registered applications’. Foundstone has released a free tool called DIRE, which allows users/system administrators to identify “insecurely registered applications” on their systems.

Overview of the insecurely registered executables vulnerability, from a Foundstone document on the subject:

"The vulnerability potentially impacts all registered applications whose installation path contains a space character, e.g. “C:\Program Files\Foundstone Free Tools\Hacme Travel 1.0\HacmeTravelServer.exe”. This is because the Win32 process APIs use the space character to separate the name of the application being executed from the arguments that will then be passed to this application. If the application is insecurely registered, i.e. the installation path contains one or more space characters and the installation path is not enclosed in double quotes while registering with Windows, then Windows will look for “C:\Program.exe” first. If found, Windows launches “C:\Program.exe” and passes “Files\Foundstone Free Tools\Hacme Travel 1.0\HacmeTravelServer.exe” as arguments. If Windows does not find “C:\Program.exe” it then looks for “C:\Program Files\Foundstone.exe” and if found launches it and passes “Free Tools\Hacme Travel 1.0\HacmeTravelServer.exe” as arguments. This process continues and the intended application “C:\Program Files\Foundstone Free Tools\Hacme Travel 1.0\HacmeTravelServer.exe” is launched only if none of the following are found on the system:
  • C:\Program.exe
  • C:\Program Files\Foundstone.exe
  • C:\Program Files\Foundstone Free.exe
  • C:\Program Files\Foundstone Free Tools\Hacme.exe
  • C:\Program Files\Foundstone Free Tools\Hacme Travel.exe
Since in most cases the system drive is “C:\” and the installation directory for most programs is “C:\Program Files\” the rest of this document assumes this is the path - however the concept is applicable irrespective of the system drive or application path."
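The lookup order quoted above is easy to reproduce, which is all a detector like DIRE needs. The Python below is an added illustration (not DIRE itself or any Foundstone code): it takes a registered command line, lists every executable Windows would try before the intended one, and flags registrations that yield any. The sample registrations are constructed; the `scan_local_services` helper reads real service `ImagePath` values via `winreg` only when run on Windows.

```python
import re
from typing import Dict, List

def candidate_executables(command: str) -> List[str]:
    """Executables Windows would look for before the intended one, for a
    registered command line (e.g. a service ImagePath value).  A value that
    starts with a double quote is unambiguous and yields no candidates;
    otherwise the path is cut at each space and ".exe" appended to each prefix."""
    command = command.strip()
    if command.startswith('"'):
        return []
    # Arguments may follow the program, so stop at the first ".exe" token.
    match = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    intended = match.group(1) if match else command
    parts = intended.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def find_insecure(registrations: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each insecurely registered name to the paths a planted file would
    have to occupy, i.e. the locations a defender should audit and ACL."""
    return {name: candidate_executables(cmd)
            for name, cmd in registrations.items()
            if candidate_executables(cmd)}

def scan_local_services() -> Dict[str, List[str]]:
    """On Windows, read ImagePath for every installed service and return the
    insecure ones; returns {} on other platforms (no winreg module)."""
    try:
        import winreg
    except ImportError:
        return {}
    image_paths: Dict[str, str] = {}
    services = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, services) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as svc:
                    image_paths[name] = str(winreg.QueryValueEx(svc, "ImagePath")[0])
            except OSError:  # no ImagePath value, or access denied
                continue
    return find_insecure(image_paths)

# Constructed sample registrations, not read from a real system.
SAMPLE_REGISTRATIONS = {
    "HacmeTravelServer": r"C:\Program Files\Foundstone Free Tools\Hacme Travel 1.0\HacmeTravelServer.exe",
    "QuotedService": r'"C:\Program Files\Vendor\svc.exe" -service',
    "NoSpacesService": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
```

For the Hacme Travel sample, `find_insecure` returns exactly the five paths listed in the quote; the quoted and space-free registrations yield nothing. The remediation is the one the quote implies: wrap the path in double quotes when registering it.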
