I've used this behaviour - non-maliciously - multiple times in the past to override APIs for logging/tracing/debugging purposes. For example, I have a set of DLLs that you can put in the same directory as the .exe of an application and it will log all network traffic that it generates. Very useful and convenient compared to the alternatives. Another use is to work around compatibility problems.

What I find more saddening is the trend to view any behaviour that could potentially be exploited as a vulnerability, regardless of how useful it could be, which just leads to locked-down user-hostile systems where nothing is possible without going through some sort of ridiculously bureaucratic excess of process.

"The bad guy just navigates a frame of your browser to the DLL of his choice and, if you're on Chrome or Microsoft Edge, the DLL is dropped in the Downloads folder without even asking"

Thus, I think the root cause of this problem is not with the DLL loading behaviour, but with this.

Edit: we can also exploit this behaviour benevolently by putting a set of DLLs in the Downloads folder that would be loaded by any installers being run from there, which could do things like sandboxing/install logging.

The design of putting all downloads in one place is a small contributing factor.

It's not so bad after all. (Presumably browsers would be not so brash as to overwrite an existing file of the same name in there!?)

It was a design decision from a time when software management was non-existent. "Installing" meant creating a directory in the root of the hard drive and copying all your files there. But this type of exploit still existed even under MS-DOS in the form of BBS door hacks. Shared libraries didn't exist.

Remote access systems would let you run external programs connected to the serial line. But some would leave the CWD in the download directory after an upload, thus allowing you to send a file with the name of an external program; then, when you activate that program, you have a shell. The solution then still applies today: don't run external programs without sanitizing your environment.

And it's not like Windows doesn't have an executable bit on files.

Don't allow the remote client to control the filename of uploads.

The shell already prompts you for permission to run downloaded programs.
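The two precautions the thread arrives at, as an added example that is not part of any comment above and not code from any project: a pre-launch check for DLLs sitting beside an installer in the Downloads folder (with staging into an empty directory as the fix), and the BBS-era rules of server-generated upload names plus a sanitized working directory and environment for any external program. Assumed, not taken from the thread: the caller already knows the executable's import list (the `pefile` package can produce it); `KNOWN_DLLS` is an abbreviated sample of the KnownDLLs registry list; the Downloads folder, installer, dropped DLL and upload built by `demo()` are constructed sample data.

```python
"""Added example (not code from the thread or from any project): pre-launch checks for the
two failure modes discussed above: an installer run from Downloads next to a dropped DLL,
and a remote client that controls upload filenames and the CWD of an external program.

Assumptions not taken from the thread: the caller supplies the executable's import list
(the `pefile` package can produce it); KNOWN_DLLS is an abbreviated sample of the KnownDLLs
registry list; everything built by demo() is constructed sample data."""
import json
import os
import secrets
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# KnownDLLs are always mapped from the system directory, so a same-named file next to the
# executable cannot shadow them. Abbreviated sample; the real list lives in the registry.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll", "ws2_32.dll", "comdlg32.dll"}


def shadowed_imports(exe, imports):
    """Names from `imports` that the loader would resolve from the executable's own
    directory. With SafeDllSearchMode on (the default) that directory is searched before
    the system directory, so any non-KnownDLL import with a copy beside the .exe is
    loaded from there. Matching is case-insensitive, as on NTFS."""
    exe = Path(exe).resolve()
    beside = {p.name.lower() for p in exe.parent.iterdir() if p.is_file()}
    return sorted(n.lower() for n in imports
                  if n.lower() not in KNOWN_DLLS and n.lower() in beside)


def stage_in_clean_dir(exe):
    """Copy the executable into a freshly created, empty directory and return the new path.
    Run from there, the application-directory lookup can only find the .exe itself."""
    exe = Path(exe)
    clean = Path(tempfile.mkdtemp(prefix="stage-"))
    return Path(shutil.copy2(exe, clean / exe.name))


def store_upload(upload_dir, client_name, data):
    """Write an upload under a server-generated name; the client's name is kept only as
    metadata, so the client cannot plant 'door.exe' or 'version.dll' on disk."""
    upload_dir = Path(upload_dir)
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"upload-{secrets.token_hex(8)}.bin"
    dest.write_bytes(data)
    dest.with_suffix(".meta").write_text(json.dumps({"client_name": client_name}))
    return dest


def run_external(program, args=(), clean_cwd=None):
    """Launch a program by absolute path from a directory the remote side cannot write to,
    with a minimal environment so an inherited PATH cannot redirect the lookup."""
    program = Path(program).resolve()
    cwd = Path(clean_cwd) if clean_cwd else Path(tempfile.mkdtemp(prefix="cwd-"))
    env = {"PATH": os.defpath}
    if "SYSTEMROOT" in os.environ:          # Windows programs need this to load system DLLs
        env["SYSTEMROOT"] = os.environ["SYSTEMROOT"]
    return subprocess.run([str(program), *args], cwd=cwd, env=env,
                          capture_output=True, text=True, check=False)


def demo():
    """Constructed sample: a fake Downloads folder holding setup.exe plus a dropped
    version.dll, and a BBS-style upload whose client-chosen name tries to escape."""
    downloads = Path(tempfile.mkdtemp(prefix="Downloads-"))
    installer = downloads / "setup.exe"
    installer.write_bytes(b"MZ")                      # stand-in for the installer
    (downloads / "version.dll").write_bytes(b"MZ")    # stand-in for the dropped DLL
    imports = ["KERNEL32.dll", "VERSION.dll", "dwmapi.dll"]  # assumed import list of setup.exe

    staged = stage_in_clean_dir(installer)
    upload = store_upload(downloads / "uploads", "../../door.exe", b"not really a door")
    # The Python interpreter stands in for the external program so this runs anywhere.
    proc = run_external(sys.executable, ["-c", "import os; print(os.getcwd())"])
    return {
        "shadowed_in_downloads": shadowed_imports(installer, imports),
        "shadowed_after_staging": shadowed_imports(staged, imports),
        "upload_name": upload.name,
        "upload_stayed_in_upload_dir": upload.resolve().parent == (downloads / "uploads").resolve(),
        "external_ran_in_downloads": Path(proc.stdout.strip()).resolve() == downloads.resolve(),
        "external_exit_code": proc.returncode,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows `version.dll` reported for the installer while it sits in Downloads and nothing reported once the same file is staged into an empty directory, the upload landing under a name the client never chose, and the external program starting in a directory other than the one uploads go to. `shadowed_imports` is a pre-launch check only; it does not parse the PE import table itself, and on a real machine the KnownDLLs list should be read from the registry rather than from the sample set above.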