http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Fri, 14 Apr 2006 01:57:24 -0500 https://www.openrce.org/blog/view/270/New_Shell_Extension_CLSID_Black_List randori82 <email-suppressed@example.com> There's a new reg key to black list CLSIDs for Shell Extensions from the latest MS patch set(MS06-015).&nbsp;&nbsp;<br /> <br /> Here's a bit of detail on the keys for Shell Extensions (<a href="http://support.microsoft.com/kb/216384/EN-US/">http://support.microsoft.com/kb/216384/EN-US/</a>):<br /> HKLM:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved is the CLSID list of Shell Extensions that are approved to run.&nbsp;&nbsp;<br /> <br /> This is compared against when 'EnforceShellExtensionSecurity' is set to 1 in HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.&nbsp;&nbsp;Nothing new there, that's existing functionality.&nbsp;&nbsp;<br /> <br /> However, with MS06-015, there's a new key: HKLM:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked that also gets referenced from ShouldLoadShellExt.&nbsp;&nbsp;<br /> <br /> The *blocked list* is checked before the *allowed list*, so anything that is blocked will not run, whether or not it's in the *allowed list*.<br /> <br /> So, following MS06-015, you can make sure hosts will not run Shell Extensions by adding their CLSID to the *blocked list*.<br /> <br /> Obviously this couldn't be put in the workaround for this patch, but for future Shell Extension vulnerabilities, this is definatley a workaround.<br /> <br /> This new key was found while reversing MS06-015 for XP.<br /> <br /> ~Andre Protas Mon, 27 Mar 2006 02:45:53 -0600 https://www.openrce.org/blog/view/258/script_contribution randori82 <email-suppressed@example.com> just a simple timesaver, but pysym.py will auto-load (once re-supported by idapython) symbols/debug from ms's symbol servers.<br /> <a href="https://www.openrce.org/repositories/browse/randori82">https://www.openrce.org/repositories/browse/randori82</a> Wed, 22 Mar 2006 17:40:17 -0600 https://www.openrce.org/blog/view/254/blackhat_europe_slides randori82 <email-suppressed@example.com> Thanks for coming (those of you that did) to the presentation.&nbsp;&nbsp;The little feedback that we have heard was quite positive.<br /> <br /> For those of you interested, here are the slides:<br /> <a href="http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf">http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf</a><br /> <br /> The free diffing tool should be available soon, as it's undergoing some batch mode analysis for qa testing.