Bugtraq mailing list archives
Re: Self-Executing FOLDERS: Windows XP Explorer Part V
From: Jelmer <jkuperus () planet nl>
Date: Tue, 27 Jan 2004 01:25:31 +0100
Thor I know you hang out on irc a lot so let me give you an example you can relate to, say you met this girl on irc you talk and she seems nice, now she offers to send you photo's of herself, If the zip file where to include an exe or html file naturaly you wouldn't open it, now ask yourself if it had a single dir called my.pics.folder, would you double click on it expecting she just zipped the whole dir. I would. So no it isn't not a vulnerability perse, He never claimed it was, But it's a very usefull social engineering trick, and I am thankfull to http-equiv for pointing it out since I would have been fooled by this. Also I honestly don't see why there should be such a beast as a .folder extention, is there any usefull purpose for it at all except for making files that aren't really folders apear as folders? you can probably just rename HKEY_CLASSES_ROOT\.Folder to HKEY_CLASSES_ROOT\.FolderSOME_RANDOM_STUFF to remove the association with the .folder I don't think it would cause any trouble but just in case it does you can always rename it back ----- Original Message ----- From: "Thor Larholm" <thor () pivx com> To: <1 () malware com>; <bugtraq () securityfocus com> Sent: Monday, January 26, 2004 7:14 PM Subject: RE: Self-Executing FOLDERS: Windows XP Explorer Part V
Why don't we call a spade a spade? You renamed an HTML file from "My Pics.html" to "My Pics.Folder", it's still an HTML file and not a folder. In fact, except for the changed file extension this is simply just a
repeat
of your previous post, "Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV", except that the ".Folder" file extension is new to Windows XP
and
makes the file have a folder icon. When you open any file regardless of extension, Explorer tries to find the proper application to open the file with. This involves inspecting the
first
section of the files content and comparing it to a list of known
signatures.
You can read about "MIME Type Detection in Internet Explorer" at
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
We already know that opening HTML files from the My Computer zone is equivelant to opening an EXE file, given the executional rights provided
by
the zone. The only solution to this is to lock down the My Computer zone which I have been trying to advocate for some time now and Microsoft has
now
promised to do in Service Pack 2 for Windows XP. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor () pivx com Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net> -----Original Message----- From: http-equiv () excite com [mailto:1 () MALWARE COM] Sent: Sunday, January 25, 2004 8:51 AM To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM Subject: Self-Executing FOLDERS: Windows XP Explorer Part V Sunday, January 25, 2004 The following file is a 'folder' comprising both scripting and an
executable
[*.exe]. We inject scripting and an executable into the 'folder' which is designed
to
point back to the executable in the 'folder' and execute it. Provided the 'folder' is an html file, Windows XP Explorer will execute it. Because it is an 'folder' proper, Windows Explorer opens it. The scripting inside is then parsed and fired. That scripting is pointing back to the
same
executable file and because it is a self-executing 'folder', it executes
!
Fully self-contained harmless *.exe. Windows XP only: http://www.malware.com/my.pics.zip Be aware of 'folders' out there. -- http://www.malware.com ----- Editor's Note: The 43rd Most Powerful Person in Networking says... Out of Office replies to list messages cause you to be unsubscribed automatically. Either subscribe a Public Folder, or ensure your rules are set to ensure list messages are filtered prior to your Out of Office
reply.
Such automatic replies are a bane to posters, and cause us to have fewer researchers post to NTBugtraq. -----
Current thread:
- Self-Executing FOLDERS: Windows XP Explorer Part V http-equiv () excite com (Jan 26)
- Re: Self-Executing FOLDERS: Windows XP Explorer Part V mightye[removethis] (Jan 26)
- <Possible follow-ups>
- RE: Self-Executing FOLDERS: Windows XP Explorer Part V Thor Larholm (Jan 26)
- Re: Self-Executing FOLDERS: Windows XP Explorer Part V Jelmer (Jan 27)
- Re: Self-Executing FOLDERS: Windows XP Explorer Part V Liu Die Yu (Jan 27)