Re: WMF browser-ish exploit vectors

["Dave Korn" <davek_throwaway () hotmail com>]

Evans, Arian wrote in 
news:8654C851B1DAFA4FA18A9F150145F92502C16D7A () fnex01 fishnetsecurity com
> Here, let's make the rendering issue simple:
>
> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

  Yeh, that's a real dumbass design feature that one.

> http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
>
> http://yourcorp_web_based_DMS/surprise_not_a.doc
>
> etc.


  Have you tried giving it a mpg/avi/wma/wmv extension and getting it to 
open in a (perhaps embedded) mediaplayer?  That's liable to work as well; 
mediaplayer is also vulnerable to the 
choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content 
desynchronisation attack...


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....