Full Disclosure mailing list archives

Re: Binary Planting Goes "Any File Type"

From: Mitja Kolsek <mitja.kolsek () acrossecurity com>
Date: Sat, 9 Jul 2011 16:37:37 +0200

Hi Mario -

Actually you *can* launch an executable that way, if you add a couple
more clicks afterwards, or you right click on the file and choose a
non default menu option. It's no more ridiculous than any other social
engineering that requires people to hit a hotkey they probably never
heard of and browse all the way to your malicious file...


This example merely provided one of possible alternatives to double-clicking a file, which I understood was one of 
Dan's major objections. Yes the example was over the top but also yes, it would work against some users who otherwise 
wouldn't double-click on a file. Attackers care about that.

Sure these attacks require some social engineering, but the research is not over. I'd like to refer you to 
http://blog.acrossecurity.com/2011/06/com-server-based-binary-planting-proof.html?m=1 for an example of how further 
research can reduce social engineering to mere visiting of malicious web page and two clicks on links on that page.

IMHO what you're reporting is a great way to improve social
engineering attacks. But you should flag it as such rather than
calling it a 0day just for the sake of the fancy word. This is not a
demerit of your work in any way, it's just a matter of using the
proper vocabulary.


I fail to find the word "0day" in the blog post or my emails. Am I missing something?

Cheers,
Mitja


On Sat, Jul 9, 2011 at 1:11 AM, Mitja Kolsek
<mitja.kolsek () acrossecurity com> wrote:

Ok, Dan, just for you:

Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), go to File->Open (or press Ctrl+O), 
browse to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better?

Cheers,
Mitja

On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <dan () doxpara com> wrote:

And here's where your exploit stops being one:

===
Suppose the current version of Apple Safari (5.0.5) is our default web
browser. If we put the above files in the same directory (on a local
drive or a remote share) and double-click Test.html, what happens is
the following:
===

At this point, Test.html might actually be test.exe with the HTML icon
embedded.  Everything else then is unnecessary obfuscation -- code
execution was already possible the start by design.

This is a neat vector though, and it's likely that with a bit more
work it could be turned into an actual RCE.

On Fri, Jul 8, 2011 at 10:38 AM, ACROS Security Lists <lists () acros si> wrote:


We published a blog post on a nice twist to binary planting which we call "File
Planting." There'll be much more of this from us in the future, but here's the first
sample for you to (hopefully) enjoy.

http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html

or

http://bit.ly/nXmRFD


Best regards,

Mitja Kolsek
CEO&CTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com
blg: http://blog.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




-- 
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Binary Planting Goes "Any File Type" ACROS Security Lists (Jul 08)
- Re: Binary Planting Goes "Any File Type" kyle kemmerer (Jul 08)
  - Re: Binary Planting Goes "Any File Type" Thierry Zoller (Jul 10)
- Re: Binary Planting Goes "Any File Type" Dan Kaminsky (Jul 08)
  - Re: Binary Planting Goes "Any File Type" Mitja Kolsek (Jul 08)
    - Re: Binary Planting Goes "Any File Type" Dan Kaminsky (Jul 08)
    - Re: Binary Planting Goes "Any File Type" Mitja Kolsek (Jul 09)
    - Re: Binary Planting Goes "Any File Type" Mario Vilas (Jul 09)
    - Re: Binary Planting Goes "Any File Type" Mitja Kolsek (Jul 10)
- Re: Binary Planting Goes "Any File Type" Tim (Jul 08)
  - Re: Binary Planting Goes "Any File Type" Mitja Kolsek (Jul 09)
    - Re: Binary Planting Goes "Any File Type" Tim (Jul 09)
    - Re: Binary Planting Goes "Any File Type" Mitja Kolsek (Jul 10)
- <Possible follow-ups>
- Re: Binary Planting Goes "Any File Type" anonymous-tips (Jul 08)
- Re: Binary Planting Goes "Any File Type" Aleksandr Yampolskiy (Jul 12)