Bugtraq mailing list archives
Fwd: [nohack] Yet another way to disguise files.
From: dinodrac () WEBTV NET (Josh Rollyson)
Date: Tue, 16 May 2000 11:05:20 -0400
This needs some attention, IMHO.

-- Josh Rollyson
dracus on EFnet and Undernet
dinodrac () magenet com

attached mail follows:

Mail from Jim Murray <jim () digitaldaemons net>

Turned up this alarming snippet on usenet today :

<copy>
Windows hides file types for some files even with HideFileTypes turned off. Do a search of your registry for the value "NeverShowExt", starting at:

HKEY_LOCAL_MACHINE\Software\CLASSES\

Which is mirrored at:

HKEY_CLASSES_ROOT\

I found that there were 10 occurrences on my (fairly UNLoaded installation) ALL of which I have now changed to "AlwaysShowExt"! If you have much other M$ or Office software on your machine, you may find more! & it is quite easy for any program to conceal *any* file extension by this means!

HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKEY_LOCAL_MACHINE\Software\CLASSES\DocShortcut
HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap
HKEY_LOCAL_MACHINE\Software\CLASSES\lnkfile
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile
HKEY_LOCAL_MACHINE\Software\CLASSES\InternetShortcut
HKEY_LOCAL_MACHINE\Software\CLASSES\SHCmdFile
HKEY_LOCAL_MACHINE\Software\CLASSES\ConferenceLink

The first 3 are for the MAPIMail & DeskLink shortcuts, the 3rd one is for the My Documents folder. MapiMail is used for *automatically* sending mails, using whatever is the "default" email client (via sendmail.dll). DeskLink is, I think, used for a similar thing.

The last 7 are self-explanatory(?) & I would venture to suggest that of these, DocShortcut, ShellScrap, lnk, pif, InternetShortcut & SHCmdFile ARE *definitely* "executable"!!!?

In fact the "action" associated with these is:

DocShortcut   C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL /r /x %1
ShellScrap    C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL %1

You can guess what the others do? <g> Yup, you got it! - Iexplore.exe gets its mitts on them! So *anything* is possible!
<endcopy>

A little digging on the web revealed that this is a genuine issue, one that's been known about for some time. Just a couple of the links I found:

http://www.pc-help.org/security/scrap.htm - Includes demo exploit.
http://www.stiller.com/shs.htm

I know it's not new but as users become more wary of running anything they see and learn to check file types, exploits using this are probably going to increase sometime soon.

Jim.

-- Jim Murray = jim () digitaldaemons net = jim-mm () dal net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If you think the problem is bad now, just wait until we've solved it."

- - nohack, the cross-IRC-networks Trojan Horses mailing list. To unsubscribe send mail to majordomo () linuxbox org with 'unsubscribe nohack' in the message body.
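The registry search described in the forwarded post, written out as an added PowerShell audit script that is not part of the original message: it walks HKEY_CLASSES_ROOT, lists every class carrying a NeverShowExt value, and shows the shell "open" command or in-process COM server that class maps to, so an administrator can see which hidden-extension types actually launch something. It only reads the registry; it uses standard cmdlets and assumes nothing beyond a Windows host.

```powershell
# Added audit example (not from the original post). Read-only: it reports
# which file classes suppress their extension and what opening them runs.

function Get-NeverShowExtClasses {
    $root = 'Registry::HKEY_CLASSES_ROOT'
    # Every subkey of HKCR (file classes, CLSIDs, ...) that carries a
    # NeverShowExt value. Recursing HKCR is slow on a loaded machine.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'NeverShowExt' } |
        ForEach-Object {
            $key     = $_
            $command = $null
            $server  = $null

            # File classes: the verb that runs when the item is opened.
            $open = Join-Path $key.PSPath 'shell\open\command'
            if (Test-Path -Path $open) {
                $command = (Get-ItemProperty -Path $open -ErrorAction SilentlyContinue).'(default)'
            }

            # CLSID entries: the DLL the shell loads to handle the item.
            $inproc = Join-Path $key.PSPath 'InProcServer32'
            if (Test-Path -Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            }

            [pscustomobject]@{
                Key         = $key.Name
                OpenCommand = $command
                InProcDll   = $server
            }
        }
}

# Run the audit and print the findings, most recognisable classes first.
Get-NeverShowExtClasses | Sort-Object Key | Format-Table -AutoSize -Wrap
```

Run it from an elevated or ordinary PowerShell prompt; a class whose OpenCommand points at rundll32.exe, the shell, or a browser is the kind the post warns about.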