builtbybel / ReadySunValley

Replacement for Microsoft PC Health Check app
https://www.builtbybel.com
MIT License

Vulnerability-Disclosure with WhyNotWin11 #18

Closed ed-br closed 2 years ago

ed-br commented 2 years ago

Hi,

I think you should not include the above utility in your app anymore. It is well known that it has a security leak. The developer has also made it known there, and the topic, when I mentioned it, was immediately closed by the GitHub moderator, even though it is not fixed.

I've opened an issue here: https://github.com/rcmaehl/WhyNotWin11/issues/460

You should at least point this out when downloading the app. I will definitely only use yours for now.

Thanks! Edo

Belim commented 2 years ago

I'm not sure I can evaluate that. That's no good at all to me. AutoHotkey, AutoIt or whatever scripting this is: has any security researcher evaluated the code?

ed-br commented 2 years ago

Take a look at this German thread from borncity: https://www.borncity.com/blog/2021/06/26/windows-11-kompatibilittstests/

Stefan Kanthak says:

  1 June 2021 at 08:58

  WhyNotWin11 is NASTY, INSECURE junk, botched by an obviously completely clueless "script kiddie" who ignores all of Microsoft's security recommendations for safely loading DLLs and applications:
  1. it loads more than a dozen system DLLs from its "installation directory" (for the average (ab)user typically the "Downloads" directory) instead of from the Windows system directory C:\Windows\System32, and runs them with administrator rights;
  2. it runs DXDIAG.exe and PowerShell.exe from its "installation directory" instead of from the PATH, unfortunately also with administrator rights;
  3. it runs an arbitrary DLL, most stupidly also with administrator rights, i.e. this JUNK allows "escalation of privilege".

These beginner's mistakes (and how to avoid them) are documented (for example) at https://blogs.msdn.microsoft.com/david_leblanc/2008/02/20/dll-preloading-attacks/, https://technet.microsoft.com/en-us/library/2269637.aspx, https://support.microsoft.com/en-us/kb/2389418, https://support.microsoft.com/en-us/kb/2533623, https://blogs.technet.microsoft.com/srd/2014/05/13/load-library-safely/, https://cwe.mitre.org/data/definitions/426.html, https://cwe.mitre.org/data/definitions/427.html, https://capec.mitre.org/data/definitions/471.html.
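The quoted findings describe the classic untrusted-search-path problem (CWE-426/427): a tool run from the Downloads folder resolves DLLs and helper executables relative to its own directory, so a same-named file placed there wins over the copy in System32. The following PowerShell script is an added example, not code from ReadySunValley, WhyNotWin11 or the quoted blog; it is a defender-side hygiene check that lists files in a chosen folder whose names collide with binaries in System32 and shows their Authenticode status, so a user can spot shadow copies before launching a downloaded tool there. The default scan folder (`Downloads`) and the function name `Get-ShadowedSystemBinaries` are assumptions of this example.

```powershell
# Added example: flag files in a download folder that shadow System32 binaries
# (the layout that makes per-directory DLL/EXE loading dangerous).
param(
    [string]$ScanDir   = (Join-Path $env:USERPROFILE 'Downloads'),  # assumption: where downloaded tools are run from
    [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
)

function Get-ShadowedSystemBinaries {
    param([string]$Dir, [string]$Sys)

    # Index every DLL/EXE name shipped in System32 (case-insensitive).
    $systemNames = @{}
    Get-ChildItem -Path $Sys -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object { $systemNames[$_.Name.ToLowerInvariant()] = $_.FullName }

    # Any same-named file next to a downloaded tool is a candidate shadow copy:
    # a loader that searches its own directory first (or runs helpers via a
    # relative path) picks this file up instead of the System32 one.
    Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.dll', '.exe' -and
                       $systemNames.ContainsKey($_.Name.ToLowerInvariant()) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                ShadowsOf = $systemNames[$_.Name.ToLowerInvariant()]
                Signature = $sig.Status          # Valid / NotSigned / HashMismatch ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        }
}

$findings = @(Get-ShadowedSystemBinaries -Dir $ScanDir -Sys $SystemDir)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) file(s) in $ScanDir shadow a System32 binary:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No System32 name collisions found in $ScanDir."
}

# Mitigation pattern for the dxdiag/powershell finding: a tool should start
# helpers by absolute system path rather than from its own directory or PATH, e.g.
#   Start-Process -FilePath (Join-Path $env:SystemRoot 'System32\dxdiag.exe') -ArgumentList '/t', 'dxdiag.txt'
```

A signature status other than `Valid` with a Microsoft subject on a file named like a system DLL or EXE is the thing to investigate; the expected result on a clean machine is an empty list.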

Belim commented 2 years ago

🤔 I am waiting for further feedback.

Oleg-Chashko commented 2 years ago

@Belim Maybe close the topic if a third-party application is already remote? 🤔

Belim commented 2 years ago

yup, not our problem anymore https://github.com/builtbybel/ReadySunValley/releases/tag/0.52.1