WMF browser-ish exploit vectors

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

Here, let's make the rendering issue simple:

Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.

Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.

Stocking Stuffer Sploit-use Samples:

http://sharepoint2003/bizdir/your_custom_folder_icon.jpg

http://yourcorp_web_based_DMS/surprise_not_a.doc

etc.

For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:

http://www.anachronic.com/xss/

Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your hearts content. <obvious>

http://www.anachronic.com/xss/skatebrd.wmf =
http://www.anachronic.com/xss/statebrd.jpg

and

http://www.anachronic.com/xss/win32api.jpg =
http://www.anachronic.com/xss/win32api.wmf

and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>

You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.

Merry Metafiling,

-ae