Full Disclosure mailing list archives
Re[2]: another filename bypass vulnerability - fromcmd.exe
From: Thierry Zoller <Thierry () Zoller lu>
Date: Thu, 17 Nov 2005 21:44:19 +0100
Dear Morning Wood,

As shown by the recent MZ header bypass, (most) AV "analyse" the header to determine the Filetype. I think extension based recognition is to be considered outdated.

MW> I think the OP was getting at this being an AV bypass vector for worms and
MW> other malware that can interact with cmd.exe.

Hmm ok, but how can it interact when it doesn't execute using explorer.exe? Is the user going under DOS to execute it? How does that fit in the scenario?

--
http://secdev.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: another filename bypass vulnerability - from cmd.exe Peter Ferrie (Nov 17)
- Re: another filename bypass vulnerability - from cmd.exe Hernán M . Racciatti (Nov 17)
- Re: another filename bypass vulnerability - from cmd.exe Valdis . Kletnieks (Nov 17)
- Re: another filename bypass vulnerability - fromcmd.exe Morning Wood (Nov 17)
- Re[2]: another filename bypass vulnerability - fromcmd.exe Thierry Zoller (Nov 17)
- Re: another filename bypass vulnerability - from cmd.exe Hernán M . Racciatti (Nov 17)