Bugtraq mailing list archives
Re: WMF browser-ish exploit vectors
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 31 Dec 2005 13:29:49 +1300
Evans, Arian wrote:

> Due to IE being so content help-happy there are a myriad of IE-friendly
> file types (e.g. .jpg) that one can simply rename a metafile to for
> purpose of web exploitation, and IE will pull out the wonderful
> hey-you're-not-a-jpeg-you're-a-something-else-that-I-can-automatically-handle
> trick err /feature/ for you.

This is what MS stupidly calls "MIME type detection" -- ferrcrissakes, MIME Type is _defined_ by the server (or MIME headers in Email, etc) so there is no such thing as "MIME Type detection"; you are either told it by the server (message's MIME headers, etc) or you are not. MS' other name for this -- "data sniffing" -- describes the process rather than the function. It is file format detection.

Anyway, a (given MS' past, probably partial/incomplete) listing of such things and an outline of the logic IE employs in doing this is:

   MIME Type Detection in Internet Explorer
   http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

> Windows Explorer/My Computer preview/thumbnail thingy=IE for purposes
> of rendering engine.
<<snip>>

Yep.

> Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc, candy is
> a JPEG also renamed doc, and win32api is a JPEG renamed to wmf. Mix and
> match to your heart's content. <obvious>
<<snip>>

A problem with the above, IE-specific description of "data sniffing", is that in the Explorer context (and some other "shell" contexts, and these vary in different versions of Windows) some other forms of format detection are also employed (rename a .EXE, or any kind of OLE2 format file, to an unregistered extension and start playing around...).

Also, don't forget the embedding of one kind of file into another, such as shell scraps (.SHS/.SHB), other OLE2 formats (Word, Excel, etc, etc) and so on.

Regards,

Nick FitzGerald
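The point both posters make is that the rendering decision is taken from the file's leading bytes, not its extension, so a defender who only filters on extension sees nothing. The following is an added example (it is not code from either poster or from Microsoft) of the check a mail gateway or upload handler would actually want: decide the real format from the magic bytes the way a content sniffer does, then compare it with what the extension claims. The signature table, the extension map and the sample "files" are constructed for the example; the byte values are the documented headers of each format, and the sample names reuse the ones from the thread.

```python
import os
from typing import Dict, List, Optional

# Signature table (constructed for this example; the byte values are the
# documented on-disk headers of each format). First matching prefix wins.
SIGNATURES = [
    ("exe",  b"MZ"),                                # MZ/PE executable
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # OLE2 compound file (.doc/.xls/.shs ...)
    ("jpeg", b"\xff\xd8\xff"),                      # JPEG (JFIF/Exif)
    ("wmf",  b"\xd7\xcd\xc6\x9a"),                  # placeable (Aldus) WMF header
    ("wmf",  b"\x01\x00\x09\x00"),                  # standard WMF: type=1 (disk), header size=9 words
    ("wmf",  b"\x02\x00\x09\x00"),                  # standard WMF: type=2 (memory)
    ("gif",  b"GIF8"),
    ("png",  b"\x89PNG\r\n\x1a\n"),
]

# What a file *claims* to be, by extension. Simplified assumption for the
# example: a real .doc could also be RTF or OOXML.
EXT_TO_FORMAT = {
    ".exe": "exe", ".doc": "ole2", ".xls": "ole2", ".shs": "ole2", ".shb": "ole2",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".wmf": "wmf", ".gif": "gif", ".png": "png",
}


def sniff_format(data: bytes) -> Optional[str]:
    """Decide the real format from the leading bytes, ignoring the file name."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def check_file(name: str, data: bytes) -> Dict[str, object]:
    """Compare the extension's claim with the sniffed content."""
    ext = os.path.splitext(name)[1].lower()
    declared = EXT_TO_FORMAT.get(ext)
    actual = sniff_format(data)
    # Only flag when the content is recognisable. Recognisable content under an
    # unregistered extension is flagged too, which is the Explorer case Nick
    # describes (a .EXE or OLE2 file renamed to something unknown).
    mismatch = actual is not None and declared != actual
    return {"name": name, "declared": declared, "actual": actual, "mismatch": mismatch}


# Constructed sample "files": only the leading bytes matter for this check.
SAMPLES = {
    "skatebrd.doc": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18 + b"\x01\x00\x09\x00\x00\x03",  # WMF renamed to .doc
    "candy.doc":    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",                                  # JPEG renamed to .doc
    "win32api.wmf": b"\xff\xd8\xff\xe1\x00\x1cExif\x00\x00",                              # JPEG renamed to .wmf
    "report.doc":   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,                    # genuine OLE2 document
    "setup.dat":    b"MZ\x90\x00\x03\x00\x00\x00",                                        # EXE under an unregistered extension
    "notes.txt":    b"just some text\n",                                                  # nothing recognisable
}


def find_mismatches(samples: Dict[str, bytes] = SAMPLES) -> List[str]:
    """Return the names whose content does not match their extension."""
    return [name for name, data in samples.items() if check_file(name, data)["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_file(name, data)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{name:14s} declared={r['declared']!s:5s} actual={r['actual']!s:5s} {flag}")
```

The check deliberately trusts the bytes over the name: that is the same decision the sniffer on the rendering side makes, so anything the filter lets through on the strength of a harmless extension will still be rendered as what it really is. It does not look inside OLE2 containers, so the embedded-object case Nick raises at the end (scraps, objects inside Word or Excel files) needs a separate pass over the container's streams.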