lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dpei63$177$1@sea.gmane.org>
Date: Tue, 3 Jan 2006 19:09:54 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: WMF browser-ish exploit vectors


Evans, Arian wrote in 
news:8654C851B1DAFA4FA18A9F150145F92502C16D7A@...x01.fishnetsecurity.com
> Here, let's make the rendering issue simple:
>
> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

  Yeh, that's a real dumbass design feature that one.

> http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
>
> http://yourcorp_web_based_DMS/surprise_not_a.doc
>
> etc.


  Have you tried giving it a mpg/avi/wma/wmv extension and getting it to 
open in a (perhaps embedded) mediaplayer?  That's liable to work as well; 
mediaplayer is also vulnerable to the 
choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content 
desynchronisation attack...


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ