Comments on: The Program.exe Problem

By: Windows Security News Monitor » The Program.exe Problem

Windows Security News Monitor » The Program.exe Problem — Sat, 10 Mar 2007 01:07:43 +0000

[...] Read more here: Windows Security News [...]

By: MB’s Windows Security » Blog Archive » How to Guess an Admin’s Password Without Them Knowing You Are Trying

Fri, 02 Mar 2007 04:31:15 +0000

[...] Keep in mind, however, that the local system might also log these if the local policy enables failed login auditing. If you know no one well ever check these logs you should probably be okay. If you have local admin access you can easily clear your own event logs. If you don’t have admin access on your own system, you have a bit more work to do to gain that. Perhaps you could try the program.exe trick. [...]

By: denial

denial — Tue, 20 Feb 2007 12:01:58 +0000

Reed Arvin also covered this issue:

http://reedarvin.blogspot.com/2005/03/windows-privilege-escalation-using.html

As already mentioned, this goes back to the days of Windows NT… Really amazing.

By: Crusty

Crusty — Sun, 18 Feb 2007 21:05:24 +0000

funny how these generic “windows is so unsecure” noob comments pop up in any discussion. “im gonna switch to a better os anyway”… lets see how half the companies relying on office and the embedded VBA tools switch to other oses. face it ppl, windows may be unsecure but its not replaceable, gates may be a dummfukk programmer, but hes a marketing genious, and thats what beats linux.

there is no discussion linux is the better os, but the point is, windows is so deeply routed into some work environments that changing to linux is not even near being an option.

@chris: yea true, but sadly the “documents and settings” folder containes spaces in virtually any localization.

as posted before often, make sure to give the right file system permission and you can harden windows systems pretty neat also. ofc no match for linux, but its a start

By: KpyM

KpyM — Sun, 18 Feb 2007 18:55:01 +0000

@Moritz:
Saying that the fact that you need sufficient permissions to do something is only secondary, is plain bul****.

Having sufficient permissions(this is only secondary fact for you) I would just use Administrative Tools and never bother to deal with this Program.exe “exploit”.

Besides the executables search order is well documented in MSDN.

By: Chris

Chris — Sun, 18 Feb 2007 15:30:02 +0000

It’s quite retarded what kind of hacks Microsoft uses to provide backwards compatibility with MS-DOS. I don’t think this is really exploitable though because if the root directory is world-writable you have a problem anyway. Also note that these path are localized in Windows, so it’s only “Program Files” in English versions.

By: (+#)

(+#) — Sun, 18 Feb 2007 07:30:20 +0000

Thank God I use Mac OS X (Tiger) on an Apple

By: chris

chris — Sun, 18 Feb 2007 03:23:33 +0000

I never knew windows used such an appalling hack to locate executables. Adding a registry check for ‘program.exe’ is totally inadequate, as this problem exists for every occurance of a space in any directory name

Quite frankly, I’m glad I don’t use it.

By: MB’s Windows Security » Blog Archive » More on Program.exe

MB’s Windows Security » Blog Archive » More on Program.exe — Sun, 18 Feb 2007 00:57:40 +0000

[...] I thought I would add a bit more to my original post to clarify the problem. Half of the problem is the way Windows searches paths, and the other half is software developers who don’t quote their paths in the Registry or when calling CreateProcess. There are no built-in Windows services that have this problem and this issue has been documented for over a decade. [...]

By: Alex

Alex — Sat, 17 Feb 2007 23:19:46 +0000

Wow. I knew Windows was bad, but the fact that problems like this one have persisted for OVER TEN YEARS is rather amazing to me.

The real solution is to switch to a better OS. Windows will never be anywhere near secure enough.

By: Moritz

Moritz — Sat, 17 Feb 2007 22:49:46 +0000

@KpyM: The problem is that windows is not rigorous about which pathes have to be escaped. The fact that you need sufficient permissions to exploit the hole is only secondary.

By: Grogan

Grogan — Sat, 17 Feb 2007 22:45:11 +0000

Write access is disabled for regular users in the root directory. Administrators have to explicitly give their consent to any modification of this directory, by confirming a UAC prompt.

This means that, in Vista at least, this is a non-issue.

By: Simon Singh

Simon Singh — Sat, 17 Feb 2007 22:19:04 +0000

thanks this information is good.

By: KpyM

KpyM — Sat, 17 Feb 2007 22:00:44 +0000

The key is in “Anyone with the permissions to create a file in the root directory”.
Once you let someone to play with your root directory consider all security gone.

By: Software Tips

Software Tips — Sat, 17 Feb 2007 19:56:06 +0000

Thanks for this great explanation and these download files are great