lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 9 Jul 2011 02:29:32 +0200
From: Mitja Kolsek <mitja.kolsek@...ossecurity.com>
To: Dan Kaminsky <dan@...para.com>
Cc: "si-cert@...es.si" <si-cert@...es.si>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"security@...ossecurity.com" <security@...ossecurity.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"cert@...t.org" <cert@...t.org>
Subject: Re: Binary Planting Goes "Any File Type"

Dan -

> It's a nice attempt, but no.  The social engineering required to pull
> that off exceeds what's required to get somebody to download and
> execute setup.exe, and we don't call that RCE either.

What if the target user couldn't download setup.exe due to firewall rules? Both you and I prefer fully automatic zero-social-engineering vulns to those requiring user interaction, but the real attacker only cares about the goal and will, if user can't download setup.exe, gladly use this vuln instead.

Many security mechanisms are aimed (also) towards limiting social engineering attacks (as well as user stu... creativity), e.g. the aforementioned firewall exe download blocking or the security warning Windows show you when you try to launch an exe from a network share. Or software restriction policy. If we ignore these, then, yes, we could say that a remote exe disguised as HTML is equal to a remote HTML if a user double-clicks on it. But would you dare to disable these mechanisms in your customer's network and claim that this wouldn't reduce their security? I know you wouldn't, but then you must admit that a remote exe disguised in an HTML icon is *not* the same as an actual remote HTML. One pops a security warning and the other doesn't.

Mitja

> 
> Hundreds of false bugs are blinding you to probably a dozen real bugs.
> Likely more.  In security as in finance, the bad drives out the good.
> 
> 
> On Fri, Jul 8, 2011 at 4:11 PM, Mitja Kolsek
> <mitja.kolsek@...ossecurity.com> wrote:
>> Ok, Dan, just for you:
>> 
>> Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), go to File->Open (or press Ctrl+O), browse to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better?
>> 
>> Cheers,
>> Mitja
>> 
>> On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <dan@...para.com> wrote:
>> 
>>> And here's where your exploit stops being one:
>>> 
>>> ===
>>> Suppose the current version of Apple Safari (5.0.5) is our default web
>>> browser. If we put the above files in the same directory (on a local
>>> drive or a remote share) and double-click Test.html, what happens is
>>> the following:
>>> ===
>>> 
>>> At this point, Test.html might actually be test.exe with the HTML icon
>>> embedded.  Everything else then is unnecessary obfuscation -- code
>>> execution was already possible the start by design.
>>> 
>>> This is a neat vector though, and it's likely that with a bit more
>>> work it could be turned into an actual RCE.
>>> 
>>> On Fri, Jul 8, 2011 at 10:38 AM, ACROS Security Lists <lists@...os.si> wrote:
>>>> 
>>>> We published a blog post on a nice twist to binary planting which we call "File
>>>> Planting." There'll be much more of this from us in the future, but here's the first
>>>> sample for you to (hopefully) enjoy.
>>>> 
>>>> http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html
>>>> 
>>>> or
>>>> 
>>>> http://bit.ly/nXmRFD
>>>> 
>>>> 
>>>> Best regards,
>>>> 
>>>> Mitja Kolsek
>>>> CEO&CTO
>>>> 
>>>> ACROS, d.o.o.
>>>> Makedonska ulica 113
>>>> SI - 2000 Maribor, Slovenia
>>>> tel: +386 2 3000 280
>>>> fax: +386 2 3000 282
>>>> web: http://www.acrossecurity.com
>>>> blg: http://blog.acrossecurity.com
>>>> 
>>>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> 
>> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ