Bugtraq mailing list archives
Re: WMF browser-ish exploit vectors
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Tue, 3 Jan 2006 19:09:54 -0000
Evans, Arian wrote in news:8654C851B1DAFA4FA18A9F150145F92502C16D7A () fnex01 fishnetsecurity com
Here, let's make the rendering issue simple: Due to IE being so content help-happy there are a myriad of IE-friend file types (e.g.-.jpg) that one can simply rename a metafile to for purpose of web exploitation, and IE will pull out the wonderful hey; you're-not-a-jpeg-you're-a-something-else-that-I-can- -automatically-handle trick err /feature/ for you.
Yeh, that's a real dumbass design feature that one.
http://sharepoint2003/bizdir/your_custom_folder_icon.jpg http://yourcorp_web_based_DMS/surprise_not_a.doc etc.
Have you tried giving it a mpg/avi/wma/wmv extension and getting it to open in a (perhaps embedded) mediaplayer? That's liable to work as well; mediaplayer is also vulnerable to the choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content desynchronisation attack... cheers, DaveK -- Can't think of a witty .sigline today....
Current thread:
- Re: WMF browser-ish exploit vectors Nick FitzGerald (Jan 04)
- <Possible follow-ups>
- Re: WMF browser-ish exploit vectors Dave Korn (Jan 05)
- RE: WMF browser-ish exploit vectors James C Slora Jr (Jan 05)