Message-ID: <43B687CD.25623.3330EA72@nick.virus-l.demon.co.uk>
Date: Sat, 31 Dec 2005 13:29:49 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: WMF browser-ish exploit vectors


Evans, Arian wrote:

> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

This is what MS stupidly calls "MIME type detection" -- ferrcrissakes, 
MIME Type is _defined_ by the server (or MIME headers in Email, etc) so 
there is no such thing as "MIME Type detection"; you are either told it 
by the server (message's MIME headers, etc) or you are not.

MS' other name for this -- "data sniffing" -- describes the process 
rather than the function.  It is file format detection.

Anyway, a (given MS' past, probably partial/incomplete) listing of such 
things and an outline of the logic IE employs in doing this is:

MIME Type Detection in Internet Explorer

http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

> Windows Explorer/My Computer preview/thumbnail thingy=IE
> for purposes of rendering engine.
<<snip>>

Yep.

> Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
> candy is a JPEG also renamed doc, and win32api is a JPEG
> renamed to wmf. Mix and match to your heart's content. <obvious>
<<snip>>

A problem with the above, IE-specific description of "data sniffing", 
is that in the Explorer context (and some other "shell" contexts, and 
these vary in different versions of Windows) some other forms of format 
detection are also employed (rename a .EXE, or any kind of OLE2 format 
file, to an unregistered extension and start playing around...).

Also, don't forget the embedding of one kind of file into another, such 
as shell scraps (.SHS/.SHB), other OLE2 formats (Word, Excel, etc, etc) 
and so on.


Regards,

Nick FitzGerald
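The behaviour discussed above (IE and the Explorer shell identifying a file by its content rather than its extension, so a WMF renamed to .jpg or a .EXE renamed to an unregistered extension is still recognised) is content-based format detection. The following Python is an added example, not part of this message and not IE's actual algorithm, showing the same principle used defensively: it inspects leading bytes and flags files whose extension disagrees with what the content says. The signature table, the extension map and the sample files are constructed assumptions; the real IE logic described in the MSDN appendix is more involved and also weighs the server-supplied type and the extension.

```python
# Added example (not from the original message): content-based file format
# detection, the same idea as IE's "MIME type detection" / "data sniffing",
# used here to flag files whose extension disagrees with their actual format
# (e.g. a WMF renamed to .jpg, or an executable with an unregistered
# extension). Signature table and sample inputs below are constructed.
import os

# (format name, byte offset, magic bytes)
SIGNATURES = [
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF8"),
    ("wmf", 0, b"\xd7\xcd\xc6\x9a"),                   # placeable (Aldus) WMF header
    ("wmf", 0, b"\x01\x00\x09\x00"),                   # standard WMF, memory metafile
    ("wmf", 0, b"\x02\x00\x09\x00"),                   # standard WMF, disk metafile
    ("emf", 40, b" EMF"),                              # EMF header signature at offset 40
    ("ole2", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2 compound file (Word, Excel, .shs)
    ("pe", 0, b"MZ"),                                  # DOS/PE executable stub
]

# What each registered extension claims to be (constructed, not exhaustive).
EXTENSION_FORMATS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".wmf": "wmf", ".emf": "emf", ".doc": "ole2", ".xls": "ole2",
    ".shs": "ole2", ".shb": "ole2", ".exe": "pe", ".dll": "pe",
}


def sniff_format(data: bytes) -> str:
    """Return the format implied by the file's bytes, or 'unknown'."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def extension_format(filename: str) -> str:
    """Return the format the file name claims, or 'unknown' for an unregistered extension."""
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSION_FORMATS.get(ext, "unknown")


def check_file(filename: str, data: bytes) -> dict:
    """Compare what the name claims against what the content says.

    A recognised format behind a different (or unregistered) extension is a
    mismatch; content we cannot identify is never reported as one.
    """
    claimed = extension_format(filename)
    actual = sniff_format(data)
    return {
        "name": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual != "unknown" and actual != claimed,
    }


# Constructed samples: a WMF renamed to .jpg, a JPEG renamed to .doc, a PE
# stub under an unregistered extension, and a genuine JPEG for comparison.
SAMPLES = {
    "skatebrd.jpg": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18,
    "candy.doc": b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00",
    "notes.dat": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 8,
}


def scan(samples=SAMPLES) -> list:
    """Return the names of files whose content disagrees with their extension."""
    return [name for name, data in samples.items() if check_file(name, data)["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
    print("mismatched:", scan())
```

Note that `check_file` reports a mismatch for `notes.dat` even though `.dat` maps to nothing: that is the "rename a .EXE to an unregistered extension" case, where the shell's own format detection, not the extension, decides how the file is handled. A gateway or upload filter that only trusts extensions or the declared Content-Type would pass all three renamed samples.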


