[ros-dev] [ros-diffs] [cfinck] 33571: Check if the GetWindowsDirectory call succeeded and use PathAppend to prevent a buffer overflow, when WinDir + "\regedit.exe" > MAX_PATH
Filip Navara
xnavara at volny.cz
Tue May 20 11:08:11 CEST 2008
I will leave the issue of whether GetWindowsDirectory should be used
or not aside (even though I believe it's good to use it), but in all
honesty I couldn't ignore Alex's comment. The suggestion of fallback
feels to me like if you had an internet banking account and you said
"oh, well, if HTTPS doesn't work, let's just use HTTP, the system is
probably already f*cked up enough that security doesn't matter
anymore". This is exactly the type of attitude that introduces
security holes into programs... Why would I go a long way to write
complicated code to avoid executable redirection if there's code
elsewhere that doesn't follow the rules? Remember, the chain is only
as strong as its weakest link.
F.
On Mon, May 19, 2008 at 10:11 AM, Alex Ionescu <ionucu at videotron.ca> wrote:
> If GetWindowsDirectory fails, you have much worse issues to worry
> about than executable redirection.
>
> Also note that regedt32.exe is usually in the system32 directory, so
> how is this a security/redirection issue exactly?
>
> This implies someone would have to:
>
> 1) Give you a malware regedit.exe in directory foo
> 2) Give you the legitimate regedt32.exe in directory foo
> 3) Somehow convince you to:
> 3.1) Use regedt32 instead of regedit (few people even know this tool)
> 3.2) Launch regedt32 from this "foo" directory instead of using
> start/run regedt32
>
> The issue you're looking for just doesn't exist.
>
> 2008/5/19 FENG Yu Ning <fengyuning1984 at gmail.com>:
>> On Sun, May 18, 2008 at 7:28 PM, Alex Ionescu <ionucu at videotron.ca> wrote:
>>>
>>> Last nitpick: if you can't get the windows directory, just
>>> ShellExecute "regedit.exe" directly, as the code originally did --
>>> this is the behavior on Windows, fyi.
>>>
>>
>> Though it is the behavior on Windows, it is a bad thing, IMHO. There are
>> already too many little viruses who pretend to be a system executable, say,
>> explorer.exe, and they are placed in a (sub)directory of the windows
>> directory to be shell executed. If we can't get the windows directory, we
>> should let the user know, and give them the chance to fix it, instead of
>> blindly executing anything.
>> I used to suffer from those, and they were really annoying. Please consider
>> being different from Windows in this and similar issues.
>> MHO.
>>
>
> --
> Best regards,
> Alex Ionescu
>
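
The fail-closed path construction argued for in this thread, as an added example that is not part of the original messages or the ReactOS source. `get_windir` and `g_fake_windir` are hypothetical stand-ins that model the documented return values of GetWindowsDirectory so the code runs on any platform, and `build_regedit_path` is an assumed name.

```c
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260
#endif

/* Hypothetical stand-in for GetWindowsDirectory (not a Win32 call) so the
 * example runs anywhere. It models the documented return values: 0 on
 * failure, the length copied on success, the required size if cap is too
 * small. Constructed sample value; set to NULL to simulate failure. */
static const char *g_fake_windir = "C:\\WINDOWS";

static unsigned get_windir(char *buf, unsigned cap)
{
    size_t n;
    if (g_fake_windir == NULL)
        return 0;
    n = strlen(g_fake_windir);
    if (n + 1 > cap)
        return (unsigned)(n + 1);
    memcpy(buf, g_fake_windir, n + 1);
    return (unsigned)n;
}

/* Assumed helper name. Returns 1 with the full path in out, or 0 with out
 * emptied. On 0 the caller reports the error; it never falls back to
 * launching a bare "regedit.exe" resolved through the search path. */
int build_regedit_path(char out[MAX_PATH])
{
    static const char leaf[] = "regedit.exe";
    unsigned n = get_windir(out, MAX_PATH);
    int sep;

    if (n == 0 || n >= MAX_PATH) { out[0] = '\0'; return 0; }
    sep = (out[n - 1] != '\\');          /* "C:\" already ends in a separator */
    if (n + sep + sizeof(leaf) > MAX_PATH) { out[0] = '\0'; return 0; }
    if (sep) out[n++] = '\\';
    memcpy(out + n, leaf, sizeof(leaf)); /* sizeof includes the NUL */
    return 1;
}

int main(void)
{
    char path[MAX_PATH];
    if (!build_regedit_path(path)) {
        fprintf(stderr, "Cannot locate the Windows directory; not launching.\n");
        return 1;
    }
    printf("would launch: %s\n", path);
    return 0;
}
```

On Windows the stand-in would be replaced by the real call, with the same three outcomes checked before anything is executed.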