[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dpei63$177$1@sea.gmane.org>
Date: Tue, 3 Jan 2006 19:09:54 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: WMF browser-ish exploit vectors
Evans, Arian wrote in
news:8654C851B1DAFA4FA18A9F150145F92502C16D7A@...x01.fishnetsecurity.com
> Here, let's make the rendering issue simple:
>
> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.
Yeh, that's a real dumbass design feature that one.
> http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
>
> http://yourcorp_web_based_DMS/surprise_not_a.doc
>
> etc.
Have you tried giving it a mpg/avi/wma/wmv extension and getting it to
open in a (perhaps embedded) mediaplayer? That's liable to work as well;
mediaplayer is also vulnerable to the
choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content
desynchronisation attack...
cheers,
DaveK
--
Can't think of a witty .sigline today....
Powered by blists - more mailing lists