NewVersionTester Posted July 31, 2016 Posted July 31, 2016 Hi, please have a look at this vulnerability: https://packetstormsecurity.com/files/137077/AutoIT-3-DLL-Hijacking.html You have not replied for months, so it is already public now. Debugging is fun, because it always begins with a mystery.
JohnOne Posted July 31, 2016 Posted July 31, 2016 I looked. Now what? AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify Monkey's are, like, natures humans.
spudw2k Posted August 1, 2016 Posted August 1, 2016 I'm sure this is an issue with a galaxy of software applications; nothing unique to AutoIt. Spoiler Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of Cards ◊ HideIt ◊ ICU ◊ Icon Freezer ◊ Ipod Ejector ◊ Junos Configuration Explorer ◊ Link Downloader ◊ MD5 Folder Enumerator ◊ PassGen ◊ Ping Tool ◊ Quick NIC ◊ Read OCR ◊ RemoteIT ◊ SchTasksGui ◊ SpyCam ◊ System Scan Report Tool ◊ System UpTime ◊ Transparency Machine ◊ VMWare ESX Builder Misc Code Snippets: ADODB Example ◊ CheckHover ◊ Detect SafeMode ◊ DynEnumArray ◊ GetNetStatData ◊ HashArray ◊ IsBetweenDates ◊ Local Admins ◊ Make Choice ◊ Recursive File List ◊ Remove Sizebox Style ◊ Retrieve PNPDeviceID ◊ Retrieve SysListView32 Contents ◊ Set IE Homepage ◊ Tickle Expired Password ◊ Transpose Array Projects: Drive Space Usage GUI ◊ LEDkIT ◊ Plasma_kIt ◊ Scan Engine Builder ◊ SpeeDBurner ◊ SubnetCalc Cool Stuff: AutoItObject UDF ◊ Extract Icon From Proc ◊ GuiCtrlFontRotate ◊ Hex Edit Funcs ◊ Run binary ◊ Service_UDF
orbs Posted August 2, 2016 Posted August 2, 2016 16 hours ago, spudw2k said: I'm sure this is an issue with a galaxy of software applications; nothing unique to AutoIt. true; but the fact that everyone's a fool doesn't mean you should be one too. when you run your AutoIt compiled software in production environment, where security is an issue (especially when you have a pedant CISSO on your back), this issue requires at least minor attention. luckily, if you develop a software with AutoIt and deploy it, you can mitigate the issue quite easily - even if only in a formal manner - like this: regarding compiled AutoIt scripts: if they are part of an installed program (i.e. they reside in a protected folder, like Program Files) you need do nothing. if designed to run as portable, just issue a warning in your website/documentation/EULA or wherever users are bound to see it: "do not launch app.exe directly from the download location; instead, create a new folder, copy or move app.exe to that folder. and launch it from there." as for the AutoIt & SciTE installers - similar notice can be placed on the download page. now, all these are formal means of mitigation; they work by putting the responsibility of security in the users' hands. surprisingly, this is actually acceptable by common security norms. however, if the AutoIt dev team wishes to provide a technical solution, it should not be that hard - make autoit3.exe load DLL's in non-default path order, i.e. first use the ones located in Windows installation path, and than use the ones in the exe path. this link has relevant info. anyways, as for the AutoIt & SciTE installers - i think the mentioned notice is sufficient. you install AutoIt very rarely (compared to running a script, native or compiled), so i don't think messing with it is worthwhile. Signature - my forum contributions: Spoiler UDF: LFN - support for long file names (over 260 characters) InputImpose - impose valid characters in an input control TimeConvert - convert UTC to/from local time and/or reformat the string representation AMF - accept multiple files from Windows Explorer context menu DateDuration - literal description of the difference between given dates WinPose - simultaneous fluent move and resize Apps: Touch - set the "modified" timestamp of a file to current time Show For Files - tray menu to show/hide files extensions, hidden & system files, and selection checkboxes SPDiff - Single-Pane Text Diff Magic Math - a math puzzle Demos: Title Bar Menu - click the window title to pop-up a menu
spudw2k Posted August 2, 2016 Posted August 2, 2016 3 hours ago, orbs said: now, all these are formal means of mitigation; they work by putting the responsibility of security in the users' hands. surprisingly, this is actually acceptable by common security norms. Of course it is. Certainly a company must take measures when are where they can without inhibiting the user, but the best way to protect your users is to educate them how to protect themselves. Now a disclaimer that no one reads when they login to a system...that's not what I'm talking about. That's just for legal purposes; i'm talking about actual user awareness training. Much in the same way, a disclaimer on a website only has the value of CYA measure for the software dev. Spoiler Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of Cards ◊ HideIt ◊ ICU ◊ Icon Freezer ◊ Ipod Ejector ◊ Junos Configuration Explorer ◊ Link Downloader ◊ MD5 Folder Enumerator ◊ PassGen ◊ Ping Tool ◊ Quick NIC ◊ Read OCR ◊ RemoteIT ◊ SchTasksGui ◊ SpyCam ◊ System Scan Report Tool ◊ System UpTime ◊ Transparency Machine ◊ VMWare ESX Builder Misc Code Snippets: ADODB Example ◊ CheckHover ◊ Detect SafeMode ◊ DynEnumArray ◊ GetNetStatData ◊ HashArray ◊ IsBetweenDates ◊ Local Admins ◊ Make Choice ◊ Recursive File List ◊ Remove Sizebox Style ◊ Retrieve PNPDeviceID ◊ Retrieve SysListView32 Contents ◊ Set IE Homepage ◊ Tickle Expired Password ◊ Transpose Array Projects: Drive Space Usage GUI ◊ LEDkIT ◊ Plasma_kIt ◊ Scan Engine Builder ◊ SpeeDBurner ◊ SubnetCalc Cool Stuff: AutoItObject UDF ◊ Extract Icon From Proc ◊ GuiCtrlFontRotate ◊ Hex Edit Funcs ◊ Run binary ◊ Service_UDF
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now