- From: Irene Vatton <irene.vatton@inrialpes.fr>
- Date: Thu, 3 Jun 2004 17:40:11 +0200
- To: Brant Gurganus <brantgurganus2001@cherokeescouting.org>
- Cc: www-amaya@w3.org
> Potential security issue is at end. > > I ran the latest Windows binary distribution of Amaya while it was > monitored by Microsoft's Application Verifier. I did not actually do > anything; I just started it and exited. It was also still clean; that > is, it had not been run before. Here are issues that Microsoft's > Application Verifier (free) pointed out: > > Amaya gets the user's profile folder without using the correct API which > could lead to future compatibility issues: > Designed for Windows Logo Requirement 3.2. The application wrote > application or user information to an unapproved file location. Use the > SHGetFolderPath API to obtain the My Documents, Application Data, Local > Application Data, or Common Application Data directories. These > directories are appropriate locations for files created by an application. This SHGetFolderPath API is not easy to use for a developper (.h file not available). But after a lot of work and experimentation, I finally found how to get the profiles directory. > Amaya access the Temp folder without the appropriate API: > The application used a Windows Temp path that was not obtained using a > method approved by the Designed for Windows Logo Program. Use the > GetTempPath API to locate appropriate storage for temporary files. I didn't work on this API yet. It could help if you give me the name of the dll we have to load and how to find or generate the .h file. > The following parameters from the following function calls suffered from > this: > lpFileName of GetFileAttributesA > lpPathName of CreateDirectoryA > lpFileName of FindFirstFileA > lpFileName of CreateFileA > > I then later ran Amaya and did more stuff and found the following > additional issues: > **************************************************************** > Security Issue: > CreateProcess is called in printing with the following issue: > The lpApplicationName argument is NULL, lpCommandLine has spaces, and > the exe name is not in quotes. The print process is done by a dll. Does the issue concern the loading of the print dll itself or how print accedes the printer? > Because of a flaw in the CreateProcess API, this can cause issues with > filenames that have spaces and are not quoted. Arbitrary executables > can be executed. This is especially severe for Amaya since its code is > open source so you would know what to name the malicious executable. > **************************************************************** Irene. ----- Irène Vatton INRIA Rhône-Alpes INRIA ZIRST e-mail: Irene.Vatton@inria.fr 655 avenue de l'Europe Tel.: +33 4 76 61 53 61 Montbonnot Fax: +33 4 76 61 52 07 38334 Saint Ismier Cedex - France
Received on Thursday, 3 June 2004 11:40:38 UTC