lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJB2JztpO5JLJBqHO2=mZL8gzfcDodUYMViQ6ezQfmj9jrLYAw@mail.gmail.com> Date: Sat, 9 Jul 2011 13:30:44 +0200 From: Mario Vilas <mvilas@...il.com> To: Mitja Kolsek <mitja.kolsek@...ossecurity.com> Cc: "security@...ossecurity.com" <security@...ossecurity.com>, "si-cert@...es.si" <si-cert@...es.si>, "cert@...t.org" <cert@...t.org>, "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Re: Binary Planting Goes "Any File Type" Actually you *can* launch an executable that way, if you add a couple more clicks afterwards, or you right click on the file and choose a non default menu option. It's no more ridiculous than any other social engineering that requires people to hit a hotkey they probably never heard of and browse all the way to your malicious file... IMHO what you're reporting is a great way to improve social engineering attacks. But you should flag it as such rather than calling it a 0day just for the sake of the fancy word. This is not a demerit of your work in any way, it's just a matter of using the proper vocabulary. On Sat, Jul 9, 2011 at 1:11 AM, Mitja Kolsek <mitja.kolsek@...ossecurity.com> wrote: > Ok, Dan, just for you: > > Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), go to File->Open (or press Ctrl+O), browse to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better? > > Cheers, > Mitja > > On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <dan@...para.com> wrote: > >> And here's where your exploit stops being one: >> >> === >> Suppose the current version of Apple Safari (5.0.5) is our default web >> browser. If we put the above files in the same directory (on a local >> drive or a remote share) and double-click Test.html, what happens is >> the following: >> === >> >> At this point, Test.html might actually be test.exe with the HTML icon >> embedded. Everything else then is unnecessary obfuscation -- code >> execution was already possible the start by design. >> >> This is a neat vector though, and it's likely that with a bit more >> work it could be turned into an actual RCE. >> >> On Fri, Jul 8, 2011 at 10:38 AM, ACROS Security Lists <lists@...os.si> wrote: >>> >>> We published a blog post on a nice twist to binary planting which we call "File >>> Planting." There'll be much more of this from us in the future, but here's the first >>> sample for you to (hopefully) enjoy. >>> >>> http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html >>> >>> or >>> >>> http://bit.ly/nXmRFD >>> >>> >>> Best regards, >>> >>> Mitja Kolsek >>> CEO&CTO >>> >>> ACROS, d.o.o. >>> Makedonska ulica 113 >>> SI - 2000 Maribor, Slovenia >>> tel: +386 2 3000 280 >>> fax: +386 2 3000 282 >>> web: http://www.acrossecurity.com >>> blg: http://blog.acrossecurity.com >>> >>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists