Re: Binary Planting Goes "Any File Type"

[Aleksandr Yampolskiy <ayampolskiy () gilt com>]

I am not sure about that argument. Most users nowadays know it's not safe to download Executables (according to polls 
in my company during security awareness training) but will gladly open html.

----- Original Message -----
From: Dan Kaminsky <dan () doxpara com>
To: Mitja Kolsek <mitja.kolsek () acrossecurity com>
Cc: security () acrossecurity com <security () acrossecurity com>; bugtraq () securityfocus com <bugtraq () 
securityfocus com>; full-disclosure () lists grok org uk <full-disclosure () lists grok org uk>; cert () cert org <cert 
() cert org>; si-cert () arnes si <si-cert () arnes si>
Sent: Fri Jul 08 19:26:17 2011
Subject: Re: [Full-disclosure] Binary Planting Goes "Any File Type"

It's a nice attempt, but no.  The social engineering required to pull
that off exceeds what's required to get somebody to download and
execute setup.exe, and we don't call that RCE either.

Hundreds of false bugs are blinding you to probably a dozen real bugs.
 Likely more.  In security as in finance, the bad drives out the good.


On Fri, Jul 8, 2011 at 4:11 PM, Mitja Kolsek
<mitja.kolsek () acrossecurity com> wrote:
> Ok, Dan, just for you:
>
> Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), go to File->Open (or press Ctrl+O), browse 
> to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better?
>
> Cheers,
> Mitja
>
> On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <dan () doxpara com> wrote:
>
> > And here's where your exploit stops being one:
> >
> > ===
> > Suppose the current version of Apple Safari (5.0.5) is our default web
> > browser. If we put the above files in the same directory (on a local
> > drive or a remote share) and double-click Test.html, what happens is
> > the following:
> > ===
> >
> > At this point, Test.html might actually be test.exe with the HTML icon
> > embedded.  Everything else then is unnecessary obfuscation -- code
> > execution was already possible the start by design.
> >
> > This is a neat vector though, and it's likely that with a bit more
> > work it could be turned into an actual RCE.
> >
> > On Fri, Jul 8, 2011 at 10:38 AM, ACROS Security Lists <lists () acros si> wrote:
> > > We published a blog post on a nice twist to binary planting which we call "File
> > > Planting." There'll be much more of this from us in the future, but here's the first
> > > sample for you to (hopefully) enjoy.
> > >
> > > http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html
> > >
> > > or
> > >
> > > http://bit.ly/nXmRFD
> > >
> > >
> > > Best regards,
> > >
> > > Mitja Kolsek
> > > CEO&CTO
> > >
> > > ACROS, d.o.o.
> > > Makedonska ulica 113
> > > SI - 2000 Maribor, Slovenia
> > > tel: +386 2 3000 280
> > > fax: +386 2 3000 282
> > > web: http://www.acrossecurity.com
> > > blg: http://blog.acrossecurity.com
> > >
> > > ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/