Full Disclosure mailing list archives
Microsoft Windows file open without extension
From: Marc Ruef <marc.ruef () computec ch>
Date: Tue, 23 Jan 2007 10:46:31 +0100
Hello list,

I am currently involved in a security test regarding a real-world proof-of-concept for a backdoor compromise of a large company. For this purpose I use a phishing mail which leads to a cross-site scripting vulnerability within the official target site network, which in turn leads to an included self-written backdoor. Thus, a nicely hidden compromise of the internal LAN.

When I was doing some tests with the infection vector I found something odd. Microsoft Windows usually recognizes files by their extensions. For example, an executable requires .exe to be executed properly. This makes it impossible for a linear attack to send a mail attachment with another extension to a user (e.g. backdoor.lol instead of backdoor.exe). The victim would have to rename the file before execution (from backdoor.lol to backdoor.exe), something that should not happen anyway.

However, I deleted the extension of some well-known files. Although Microsoft Windows XP shows the usual placeholder icon (no direct association with an application), it is possible to double-click the file and open the associated application. This only works with files connected to Microsoft Office so far. I have tested the common extensions such as xls (Excel) and doc (Word) successfully on my Microsoft Windows XP with SP2 and all the patches. It seems that the file header is parsed in any case. Other Microsoft products, such as bmp (Paint) or txt (Notepad), are not working.

My idea was to send such a file without extension via email. This could bypass some filters which try to detect unwanted extensions (in this case doc and xls). My test as an attachment in different versions of Microsoft Outlook has shown that the automated association does not work here. It seems that the "feature" only works if the file is accessed directly from a local partition. Although this limits the attack possibilities, some of them still remain.

Further social engineering or a scripted attack might be required to run the code anyway. Some other mail clients or even web browsers pre-cache files locally before execution, which would make them vulnerable to this attack. Mozilla Firefox is not vulnerable because it allows only save and cancel for unknown file extensions. But Microsoft Internet Explorer, tested with 6.0 only, allows opening the file immediately even without extension.

Okay, here comes another strange behavior. I uploaded a test file at the following URLs. Then I was able to reproduce the automated parsing as discussed before:

http://www.computec.ch/mruef/publikationen/advisories/excel
http://www.computec.ch/excel

When I tried to do it once again it was not possible anymore. Instead I got the plaintext of the file. It looks like the behavior changes if the file is cached by the web browser. Why is Microsoft doing something different here?

Regards,
Marc

--
Computer, Technik und Security
http://www.computec.ch/
Meine private Webseite
http://www.computec.ch/mruef/
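The defensive counterpart to the observation above, as an added example that is not part of Marc's post or of any product he mentions: a mail-gateway attachment check that classifies attachments by their leading bytes rather than by extension, and validates the fixed fields of the OLE2 (Compound File Binary) header that binary Word and Excel documents begin with. The extension-based policy, the content policy, the sample attachments and the names of all functions are assumptions made for this example; the magic numbers and the CFB header offsets are the documented ones.

```python
"""Content-based attachment check (added example, not from the original post).

Marc's observation: Windows does not need an extension to hand an OLE2 compound
document to Office; the file header is enough.  A mail filter that decides on
the extension alone therefore passes "backdoor" (no extension) or "report.lol"
even when the bytes are an Excel workbook.  This module classifies attachments
by their leading bytes instead and flags name/content mismatches.  All sample
attachments are constructed in memory below; nothing is read from disk.
"""
from __future__ import annotations

import os
import struct
from typing import Dict, List, Optional, Tuple

# Leading bytes (magic numbers) of the formats relevant here.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc/.xls/.ppt (binary Office)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx are zip containers
PE_MAGIC = b"MZ"                                   # .exe/.dll/.scr
PDF_MAGIC = b"%PDF-"
BMP_MAGIC = b"BM"


def parse_ole2_header(data: bytes) -> Optional[Dict[str, int]]:
    """Validate the fixed fields of a Compound File Binary header.

    Layout: 8-byte signature, 16-byte CLSID, then minor version, major version
    (3 or 4), byte-order mark (0xFFFE) and sector shift (9 or 12), each a
    little-endian 16-bit field starting at offset 24.  Returns the parsed
    fields, or None if the bytes are not a plausible OLE2 file.
    """
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        return None
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    if byte_order != 0xFFFE or major not in (3, 4) or sector_shift not in (9, 12):
        return None
    return {"major": major, "minor": minor, "sector_size": 1 << sector_shift}


def sniff(data: bytes) -> str:
    """Coarse content type from the bytes, independent of any file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-compound" if parse_ole2_header(data) else "ole2-malformed"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(BMP_MAGIC):
        return "bmp"
    return "unknown"


# Name-only policy of the kind the post describes bypassing (assumed for this example).
BLOCKED_EXTENSIONS = {".doc", ".xls", ".exe", ".scr", ".pif"}

# Content types refused regardless of name, and the content each allowed
# extension may carry (both are policy choices for this example).
BLOCKED_CONTENT = {"ole2-compound", "ole2-malformed", "pe-executable"}
EXPECTED_CONTENT: Dict[str, str] = {".docx": "zip", ".xlsx": "zip", ".pdf": "pdf",
                                    ".bmp": "bmp", ".txt": "unknown"}


def extension_verdict(name: str) -> str:
    """What a name-only filter does with the attachment."""
    return "block" if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS else "allow"


def content_verdict(name: str, data: bytes) -> Tuple[str, str]:
    """Decide on the bytes first, then require the name to agree with them."""
    kind = sniff(data)
    ext = os.path.splitext(name)[1].lower()
    if kind in BLOCKED_CONTENT:
        return "block", f"{kind} content (name {name!r} is irrelevant)"
    expected = EXPECTED_CONTENT.get(ext)
    if expected is not None and expected != kind:
        return "block", f"extension {ext} declares {expected} but bytes are {kind}"
    return "allow", kind


def evaluate(attachments: List[Tuple[str, bytes]]) -> List[Dict[str, str]]:
    """Run both policies over each (name, bytes) pair for comparison."""
    rows = []
    for name, data in attachments:
        verdict, reason = content_verdict(name, data)
        rows.append({"name": name, "by_extension": extension_verdict(name),
                     "by_content": verdict, "reason": reason})
    return rows


def make_ole2_sample() -> bytes:
    """Constructed 512-byte OLE2 header with the fields a parser checks."""
    hdr = OLE2_MAGIC + b"\x00" * 16 + struct.pack("<HHHH", 0x003E, 3, 0xFFFE, 9)
    return hdr.ljust(512, b"\x00")


# Constructed attachments: the extension-less Office file from the post, a
# normal .xls, an executable renamed to look like a PDF, and a plain text note.
SAMPLES: List[Tuple[str, bytes]] = [
    ("excel", make_ole2_sample()),
    ("report.xls", make_ole2_sample()),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    ("notes.txt", b"just some text\n"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print(f"{row['name']:<12} ext={row['by_extension']:<5} "
              f"content={row['by_content']:<5} {row['reason']}")
```

Run as a script, the extension-less "excel" sample is allowed by the name-only policy and blocked by the content policy, which is exactly the gap the post describes; the renamed executable shows the same gap in the other direction. Checking the byte-order mark and sector shift rather than the 8-byte signature alone keeps a filter from being fooled by a file that merely starts with the OLE2 magic.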
Current thread:
- Microsoft Windows file open without extension Marc Ruef (Jan 23)
- Re: Microsoft Windows file open without extension Nick FitzGerald (Jan 23)
- <Possible follow-ups>
- Re: Microsoft Windows file open without extension Michele Cicciotti (Jan 23)