Full Disclosure mailing list archives

Re: 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS

From: Anders Langworthy <hades () psilanthropy org>
Date: Mon, 24 Jan 2005 14:17:55 -0600

Paul Kurczaba wrote:

Wouldn't the phone try to open the jpg file as a picture, and not execute
it. Just like on desktop PCs: if you rename a .exe (application/program) to
a jpg (picture file), and try to open the file, your image program will open
the file, thinking it is a image file. The application code will not be
executed.

Ideally, yes. But as demonstrated by the Microsoft GDI exploit, justbecause a file is not executed proper doesn't necessarily mean it's safefrom problems in the underlying application.

I'd still say that this isn't really a problem directly (after all, it'sconsidered "safe" to view a webpage with images that are loaded withoutprompting), but the fact that attachments are automagically loaded doesprovide a spectacular way to automatically infect a large amount ofphones if somebody were to come up with a way to payload an attachment.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

2 vulnerabilities combine to auto execute received files in Nokia series 60 OS rohit (Jan 24)
- Re: 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS KF (lists) (Jan 24)
  - Re: 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS Valdis . Kletnieks (Jan 24)
- RE: 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS Paul Kurczaba (Jan 24)
  - Re: 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS Thierry Zoller (Jan 24)
  - Re: 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS Anders Langworthy (Jan 24)
  - Re: 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS dk (Jan 24)