|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
WMF browser-ish exploit vectors
From: Evans, Arian (Arian.Evans
fishnetsecurity.com)
Date: Thu Dec 29 2005 - 15:10:19 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Here, let's make the rendering issue simple:
Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.
Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.
Stocking Stuffer Sploit-use Samples:
http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
http://yourcorp_web_based_DMS/surprise_not_a.doc
etc.
For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:
http://www.anachronic.com/xss/
Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your hearts content. <obvious>
http://www.anachronic.com/xss/skatebrd.wmf =
http://www.anachronic.com/xss/statebrd.jpg
and
http://www.anachronic.com/xss/win32api.jpg =
http://www.anachronic.com/xss/win32api.wmf
and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>
You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.
Merry Metafiling,
-ae
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]