Win98 vulnerability?

Multibooter

Under Win98 there are 4 tabs of autoruns/vulnerabilities displayed by Autoruns, but when double-clicking under WinXP on the same Autoruns v9.13, 16 (sixteen!) tabs of autoruns/vulnerabilities are displayed. 2 screenshots could explain the key advantage of Win98 better than 1000 words.



Simply having a location that will automatically run an executable (or executable code of some sort) does not count as a vulnerability. By that definition, the fact that Windows can run arbitrary executables whatsoever would constitute a vulnerability.

Yes, it is convenient that fewer such locations exist in Win9x, but that doesn't automatically count as an advantage or disadvantage, it's simply a difference. It's only convenient from the human perspective of knowing all those locations off the top of your head. On the computer's end, enumerating four or a dozen different locations is a negligible difference.

A vulnerability would be a remotely triggerable execution of code, or execution of privileged code in a non-privileged environment. The latter isn't really an issue in Win9x since everything is privileged (some consider this a vulnerability, but it's simply by design); the former has occurred in many iterations of all significant OSes.

Queue


The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell. Thankfully we have Autoruns to illustrate them. This particular entry point has always been used by Microsoft to load its controversial WebCheck.dll.
Webcheck.dll was also displayed by Autoruns on my laptop, which runs Internet Explorer v6.0.2600, downloaded on 20-Sep-2001 from MS and re-installed after a clean install of Win98SE on 10-Oct-2003. Webcheck.dll on my laptop has 258.048 bytes, is displayed as v6.00.2600.0000 - but with a file modification date of 10-Oct-2003, 2 years after the original download. Iexplore.exe is v6.00.2600.0000 but has the modification date 17-Aug-2001, and ie6setup.exe is digitally signed 20-Aug-2001 [i.e. before Sep. 11, 2001]. IE probably called home during the installation on 10-Oct-2003, but why would webcheck.dll have a much later modification date than Iexplore.exe?

BTW, are the excellent postings about webcheck.dll (of 2005) http://www.msfn.org/board/index.php?showtopic=46066&st=0 still OK with today's new hardware?

Honestly, I never saw that thread before! (was before my time here). Amazingly, in Post #8, I see the great MDGx has a REG file that is almost identical to one I handmade many years ago. He even mentions the SENS components which I also yanked out by the roots! Consider this operation independently verified. :thumbup Nice thread you found there. Bookmarking for later reading.

What I ended up doing was very extreme and very complicated. I essentially removed many of the core components like the previously mentioned WebCheck/Sens to other things like Power Management and parts of SysTray and WBEM/WinMgmt and EventLog/Event System and much more. The only downside I see is that a FlashDrive left in a USB port will prevent shutdown (no big deal). The speed gain and overall stability is substantial, and that was the whole point anyway.

About those file stamps, without looking at other archives (WinME/2K/XP etc) I find these versions of WebCheck.dll in my Win98se stash (MSIE never was used above version 6 of course) ...


WEBCHECK DLL ... 342,800 ... 09-18-97 ... 11:28a ... Webcheck.dll_47117123
WEBCHECK DLL ... 356,352 ... 05-11-98 .... 7:01p ... Webcheck.dll_47231100 (Win98)
WEBCHECK DLL ... 274,704 ... 02-24-99 .... 3:10p ... Webcheck.dll_5002014200 (Corel 10)
WEBCHECK DLL ... 274,704 ... 03-25-00 ... 12:11p ... Webcheck.dll_50023141000
WEBCHECK DLL ... 274,704 ... 04-23-99 ... 10:22p ... Webcheck.dll_50026143500 (Win98se)
WEBCHECK DLL ... 258,048 ... 08-17-01 ... 10:34p ... Webcheck.dll_60026000000 (MSIE6)
WEBCHECK DLL ... 258,048 ... 08-29-02 .... 7:07a ... Webcheck.dll_60028001106(MSIE6sp1)

Maybe the file date/time/size will be of some comparative use to you. I see the default Win98se, then MSIE6 and SP1. I am pretty sure that it was between 2001 and 2002 that I physically stopped these features from running. If you are in need of more info, it is easy enough to extract the unaltered files from the original distros (e.g., MSIE offline setup cabs). I definitely have them somewhere.

IMPORTANT REMINDER for others that may be reading: cutting out these and other core components is not for the faint-hearted. Having spare good copies of System.dat and User.dat handy for quick replacement from DOS is vital and will rescue you from the inevitable system stop at bootup!

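Added example, not from this thread or from Autoruns: a small Python script that reads a Win98-style REGEDIT4 export offline and resolves each ShellServiceObjectDelayLoad value to the DLL that Explorer will load, which is the lookup Autoruns performs for that tab (the value data is a CLSID; the DLL path lives under that CLSID's InprocServer32 key). The sample export is constructed. The WebCheck and SysTray CLSIDs are the ones those components usually register, but treat them as illustrative; the "Ghost" and "Dropper" entries are made up to show the two cases worth flagging, a CLSID with no InprocServer32 and a DLL living outside C:\WINDOWS\SYSTEM.

```python
import re
from typing import Dict, List, Optional, Tuple

# Where Explorer looks for shell service objects to load when the shell starts.
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")

# Constructed REGEDIT4 export (the format Win9x regedit writes). "Ghost" and
# "Dropper" are made-up entries standing in for the cases an audit should flag.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Ghost"="{12345678-1234-1234-1234-123456789ABC}"
"Dropper"="{DEADBEEF-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\WEBCHECK.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\STOBJECT.DLL"

[HKEY_CLASSES_ROOT\CLSID\{DEADBEEF-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\TEMP\\UPD.DLL"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="data" or @="data" (default value); data is kept only when it is a string.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key_path_lowercase: {value_name: string_data}}.
    Only REG_SZ data is kept; hex:/dword: values are ignored for this purpose."""
    tree: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            tree.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if current is None or not value:
            continue
        name = _unescape(value.group(1)) if value.group(1) is not None else ""
        data = value.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            tree[current][name] = _unescape(data[1:-1])
    return tree


def resolve_ssodl(tree: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """For every SSODL value return (name, CLSID, DLL path or None if unresolvable)."""
    resolved = []
    for name, clsid in tree.get(SSODL_KEY.lower(), {}).items():
        inproc_key = "hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32"
        resolved.append((name, clsid, tree.get(inproc_key, {}).get("")))
    return resolved


def audit_ssodl(resolved, system_dir: str = "C:\\WINDOWS\\SYSTEM\\") -> List[Tuple[str, str]]:
    """Flag entries that resolve to nothing or to a DLL outside the system directory.
    Unusual is not the same as malicious; the binary compare is the next step."""
    findings = []
    for name, clsid, dll in resolved:
        if dll is None:
            findings.append((name, "CLSID " + clsid + " has no InprocServer32 in this export"))
        elif not dll.upper().startswith(system_dir.upper()):
            findings.append((name, "DLL outside the system directory: " + dll))
    return findings


if __name__ == "__main__":
    entries = resolve_ssodl(parse_reg_export(SAMPLE_EXPORT))
    for name, clsid, dll in entries:
        print(f"{name:10} {clsid}  ->  {dll or '(unresolved)'}")
    for name, why in audit_ssodl(entries):
        print(f"FLAG {name}: {why}")
```

To use it on a real machine, export the two keys with regedit /e from Win98 (the file is ANSI text, so read it with encoding "mbcs" or "cp1252") and pass the text to parse_reg_export. Win9x exposes HKEY_CLASSES_ROOT as an alias of HKLM\Software\Classes, so exporting HKEY_CLASSES_ROOT\CLSID is enough for the resolution step.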

Indeed. The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell.

I searched my registry and this key doesn't exist on my system.


IMPORTANT REMINDER for others that may be reading: cutting out these and other core components is not for the faint-hearted. Having spare good copies of System.dat and User.dat handy for quick replacement from DOS is vital and will rescue you from the inevitable system stop at bootup!

I'd strongly suggest a full system backup before attempting any major modifications. As for protecting the registry, I highly recommend TestRun for those who aren't proficient in DOS. TestRun is a collection of batch files that makes copies of the registry and core configuration files and allows you to experiment on the copies while your originals stay safe. Anyone who is still learning DOS should study those batch files. They're good examples of just how powerful a few lines of text can be.

Rick


Maybe the file date/time/size will be of some comparative use to you.
On my dual-core desktop, which I started to set up very carefully about a year ago, webcheck.dll under Win98SE is 259.344 bytes, v5.50.4522.1800, modification date 20-Oct-2000. The modification date looks Ok, it's from Internet Explorer v5.5 SP1.

Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.

BTW, under Win98SE, when you run Autoruns v9.13 [digitally signed 25-Feb-2008] then click on -> Help -> Help, then on the first item "Autoruns" in the list of contents, autoruns.exe tries to call home to origin-codecs.microsoft.com [65.55.13.243], port 80-TCP. What is the last version of Autoruns/autoruns.chm [file modification date 14-Dec-2007] which doesn't call home?


Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.
Well 9/11 is a dark date, and I think we'll mourn those dead in that day forever. :( That said, I fail to see the cause-effect relation between 9/11 and software. Maybe I'm being too naive. Could you please elaborate?

As I've already mentioned a few times in these forums, Codestuff Starter - albeit old - is pretty good at managing startup/running items (under 2000+ it can also display/manage services):


Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.
Well 9/11 is a dark date, and I think we'll mourn those dead in that day forever. :( That said, I fail to see the cause-effect relation between 9/11 and software. Maybe I'm being too naive. Could you please elaborate?

Call it a distrust of the powers that be and their policy of domestic surveillance implemented after that date and its potential effects on software and operating systems. This was discussed in this thread starting at post 149.

Rick


Thanks, herbalist, for the swift reply and precise pointer. It is a quite interesting exchange of ideas you and Multibooter had there, and lends itself to much reflection. BTW, the SSM page is no more, but here is a working link for people to get ssm-2.0.8.583-free. It does rock! :thumbup ...and so do you! :yes:


Glad to hear you like it. IMO, SSM can mitigate most of the design weaknesses in 9X systems such as the lack of separation between administrator and user functions. I haven't tested its registry module to any great degree, but I believe it can be set to protect that ShellServiceObjectDelayLoad key from unwanted change as well. I'm on my 2K system at the moment so I can't check it right now. SSM's ability to control processes, especially parent-child permissions, will offset most of the potential security issues caused by the lack of updates for 9X compatible software. Being Russian/Ukrainian in origin, it's not likely to be affected by policies resulting from 9/11. The subject of 9/11 and its potential effect on operating systems and software is a touchy can of worms that's difficult to discuss without the thread becoming political, emotionally charged, and probably closed/deleted. I have no proof of it, just suspicions backed up by a lot of coincidence, circumstantial evidence, and a couple of personal experiences that are very hard to explain any other way.

OT.

If anyone is interested, I am authorized by Vitali, owner of SSM, to distribute a lifetime key for the paid version of SSM to anyone whose trial key has expired. The paid version is more powerful (and complicated) than the free one and has vastly expanded registry and service protection. It's only for NT systems unfortunately.

Rick


Thanks, herbalist, for the swift reply and precise pointer. It is a quite interesting exchange of ideas you and Multibooter had there, and lends itself to much reflection. BTW, the SSM page is no more, but here is a working link for people to get ssm-2.0.8.583-free. It does rock! :thumbup ...and so do you! :yes:

And the SSM Free Edition Release Notes if someone wants them.


Maybe the file date/time/size will be of some comparative use to you.
On my dual-core desktop, which I started to set up very carefully about a year ago, webcheck.dll under Win98SE is 259.344 bytes, v5.50.4522.1800, modification date 20-Oct-2000. The modification date looks Ok, it's from Internet Explorer v5.5 SP1.

Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.

That version of WebCheck.dll that you cite, particularly the filesize, doesn't appear in my personal list above (I guess I simply skipped MSIE v5.5 altogether and eventually went straight to 6). More importantly though, when you previously mentioned "Webcheck.dll on my laptop has 258.048 bytes, is displayed as v6.00.2600.0000 - but with a file modification date of 10-Oct-2003, 2 years after the original download", I would find the cabs and pull out the original file, which should have the correct date/time, and binary compare them. Hopefully the files are identical, which might indicate something harmless happened (maybe some briefcase/synchronization program went awry). If they are not identical I'd see a red flag for some virus/spyware. Either way, I would search every inch of the laptop (the desktop too) for any files with that peculiar date/time (widen it to a few hours); the results may pinpoint a trail that you can then follow.

BTW, under Win98SE, when you run Autoruns v9.13 [digitally signed 25-Feb-2008] then click on -> Help -> Help, then on the first item "Autoruns" in the list of contents, autoruns.exe tries to call home to origin-codecs.microsoft.com [65.55.13.243], port 80-TCP. What is the last version of Autoruns/autoruns.chm [file modification date 14-Dec-2007] which doesn't call home?

Yikes, I didn't notice that myself (because I tend to do such work offline). But I will certainly take any reports and add them to the data in that System Internals thread. Maybe someone with the time might endeavor to try all the available versions and test if their firewall catches anything and make a post about it in that discussion (I'll try to get the time to merge it into the other information). I am just guessing here, but hopefully there is just some basic boilerplate code packed into the post-Microsoft versions that would explain it. Still I don't like it one bit.

Indeed. The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell.

I searched my registry and this key doesn't exist on my system.

@BenoitRen: yup, I just checked registries for some retired Win95/96/97 machines that had MSIE from version 1 to 3.x. That key is not there and likely never was there. Good assumption would be that it arrives with MSIE version 4 or 5. This begs the question of what would happen if you created the key on a 95 system (where it previously did not exist) and placed something in there to see if it gets called. If nothing happens then logic would dictate that when MSIE version 4/5 is installed some core patching must take place (perhaps IO.SYS) that enables these new and wonderful startup locations to be used by Windows. Hmmm. As Artie Johnson would say: Verrrry Interestink ... .

