Didier Stevens

Monday 2 February 2009

CommNet at TechEd Barcelona 2008

Filed under: Hacking — Didier Stevens @ 12:05

It was surprising to see the CommNet desktops at our disposal at TechEd Barcelona 2008. This time, you were not required anymore to perform a Windows logon to the machine with your attendee account. A generic, limited user account was already logged-on. Every attendee had to use this account.

This is a bad idea. Even a limited user account can be compromised with spyware, as I’ve shown with my Basic Process Manipulation Tool Kit.

cmd.exe was disabled, but this policy is still easy to bypass:


3 Comments »

  1. I think you mean to have as title ‘CommNet at TechEd Barcelona 2008’, not Barcedlona ;)

    Comment by Foo — Tuesday 10 February 2009 @ 20:59

  2. Hello, I follow your blog closely... very informational. Wondering if you have or know any tools to extract shellcode/malware from within malicious Word/Office documents. Or perhaps, if you have time, maybe in the future how to analyze them.

    thanks a lot and great job in the blog!!

    Comment by rs_001 — Thursday 12 February 2009 @ 19:04

  3. No, I don’t have code for MS Word documents. I do know that DOC files contain a file system in themselves. Haven’t found a good Python MS Word parsing library. But there is official Microsoft documentation for the file format.

    If you have .docx files: unzip them and parse the XML files.

    Comment by Didier Stevens — Friday 20 February 2009 @ 8:27
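The “unzip and parse the XML” approach for .docx files, as an added Python example that is not the author’s code: it opens the OOXML package with the standard library, lists its parts, flags an embedded VBA project and collects relationships that point outside the package. The sample document it analyzes is constructed in memory, not a real file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every *.rels part inside an OOXML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def analyze_docx(data: bytes) -> dict:
    """Inspect an OOXML (.docx) container: list its parts, flag an embedded
    VBA project and collect relationships whose target is external."""
    findings = {"parts": [], "has_vba": False, "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            findings["parts"].append(name)
            # A macro project is a part, whatever the file extension claims.
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True
            # Relationship parts are plain XML: parse them and look for
            # targets that leave the package (links, remote OLE objects).
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        findings["external_targets"].append(
                            (name, rel.get("Type"), rel.get("Target")))
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample package (assumption, not a real document) with a
    VBA part and one external OLE relationship, for demonstration only."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/oleObject" '
        'Target="http://example.invalid/linked.doc" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE2 magic
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_docx(build_sample_docx()))
```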

