Message-ID: <45B5D977.8070104@computec.ch>
Date: Tue, 23 Jan 2007 10:46:31 +0100
From: Marc Ruef <marc.ruef@...putec.ch>
To: full-disclosure@...ts.grok.org.uk
Subject: Microsoft Windows file open without extension
Hello list,
I am currently involved in security testing regarding a real-world
proof-of-concept for a backdoor compromise of a large company. For this
purpose I use a phishing mail which leads to a cross-site scripting
vulnerability within the official target site network, which in turn leads
to an included self-written backdoor. Thus, a nicely hidden compromise of
the internal LAN.
When I was doing some tests with the infection vector I found something
odd. Microsoft Windows usually recognizes files by their extensions. For
example, an executable requires .exe to be executed properly. This makes
it impossible for a linear attack to send a mail attachment with another
extension to a user (e.g. backdoor.lol instead of backdoor.exe). The
victim would have to rename the file before execution (from backdoor.lol
to backdoor.exe). Something that should not happen anyway.
However, I deleted the extension of some well-known files. Although
Microsoft Windows XP shows the usual placeholder icon (no direct
association with an application), it is possible to double-click the file
and open the associated application. This only works with files
connected to Microsoft Office so far. I have tested the common
extensions such as xls (Excel) and doc (Word) successfully on my
Microsoft Windows XP with SP2 and all the patches. It seems as if the
file header is parsed in any case. Other Microsoft products such as bmp
(Paint) or txt (Notepad) do not work.
My idea was to send such a file without extension via email. This could
bypass some filters which try to detect unwanted extensions (in this
case doc and xls). My test as an attachment in different versions of
Microsoft Outlook has shown that the automated association does not work
here. It seems as if the "feature" only works if the file is
accessed directly from a local partition.
Although this limits the attack possibilities, some of them still
remain. Further social engineering or a scripted attack might
be required to run the code anyway. Some other mail clients or even web
browsers pre-cache files locally before execution, which would make them
vulnerable to this attack. Mozilla Firefox is not vulnerable because it
allows only save and cancel for unknown file extensions. But
Microsoft Internet Explorer, tested with 6.0 only, allows opening the
file immediately even without extension.
Okay, here comes another strange behavior. I uploaded a test file
at the following URLs. Then I was able to reproduce the automated parsing
as discussed before:
http://www.computec.ch/mruef/publikationen/advisories/excel
http://www.computec.ch/excel
When I tried to do it once again, it was not possible anymore.
Instead I got the plaintext of the file. It looks like the behavior
changes if the file is cached by the web browser.
Why is Microsoft doing something different here?
Regards,
Marc
--
Computer, Technik und Security http://www.computec.ch/
Meine private Webseite http://www.computec.ch/mruef/
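The filter bypass described in the post (an Office file with its extension removed slips past a check that only looks at attachment names) can be demonstrated without Windows at all. The following is an added example, not code from the post or from computec.ch: it compares a naive extension-only attachment filter with one that also inspects the file header. Office 97-2003 .doc and .xls files are OLE2 compound documents that begin with the fixed 8-byte signature D0 CF 11 E0 A1 B1 1A E1, which is what a content-aware filter (and, presumably, whatever the shell does here; the post does not establish the exact mechanism) can key on. The blocked-extension policy, the attachment names and the 512-byte sample header are all constructed for the example.

```python
# Added example (not part of Marc Ruef's post): a mail-attachment filter that
# decides by extension alone lets an extension-less Office file through, while
# a filter that also inspects the file header catches it. Office 97-2003
# .doc/.xls files are OLE2 compound documents with a fixed 8-byte signature.
import os
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
BLOCKED_EXTENSIONS = {".doc", ".xls"}  # hypothetical policy, taken from the post's scenario


def build_ole2_sample() -> bytes:
    """Constructed test input: a minimal 512-byte OLE2 compound-file header.

    Only the fields the detector reads are filled in; this is not a real
    document and Office would not open it.
    """
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    # offset 24: minor version, offset 26: major version (3 = 512-byte sectors)
    struct.pack_into("<HH", header, 24, 0x003E, 0x0003)
    # offset 28: byte-order mark 0xFFFE (little endian), offset 30: sector shift (9 -> 512)
    struct.pack_into("<HH", header, 28, 0xFFFE, 9)
    return bytes(header)


def extension_filter_blocks(filename: str) -> bool:
    """Naive filter: looks only at the attachment name."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in BLOCKED_EXTENSIONS


def parse_ole2_header(data: bytes):
    """Return (major_version, sector_size) if data starts with an OLE2 header, else None."""
    if len(data) < 32 or data[:8] != OLE2_MAGIC:
        return None
    # offsets 26, 28, 30: major version, byte-order mark, sector shift
    major, byte_order, sector_shift = struct.unpack_from("<HHH", data, 26)
    if byte_order != 0xFFFE:
        return None
    return major, 1 << sector_shift


def header_filter_blocks(filename: str, data: bytes) -> bool:
    """Content-aware filter: blocks on extension match OR on an OLE2 signature."""
    return extension_filter_blocks(filename) or parse_ole2_header(data) is not None


def evaluate_samples() -> dict:
    """Run both filters over constructed attachments.

    Returns {attachment name: (blocked by extension filter, blocked by header filter)}.
    """
    ole2 = build_ole2_sample()
    text = b"Just a harmless note.\r\n"
    samples = {
        "report.doc": ole2,   # normal case, both filters agree
        "report": ole2,       # extension removed, as in the post
        "report.lol": ole2,   # bogus extension instead of none
        "notes.txt": text,    # plain text, no OLE2 header
    }
    return {
        name: (extension_filter_blocks(name), header_filter_blocks(name, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (by_ext, by_header) in evaluate_samples().items():
        print(f"{name:12s} extension filter: {'block' if by_ext else 'pass '}  "
              f"header filter: {'block' if by_header else 'pass '}")
```

Running it shows "report" and "report.lol" passing the extension filter and being caught by the header filter. The practical caveat is the one the post itself hints at: a content check must read the attachment bytes (after any decoding of the MIME part), not just the declared name or Content-Type, and a bare signature match on the first sector says nothing about whether the document carries macros, which is a separate parsing job.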