Subject: Latest wave of worms using hidden file-extensions
From: WayneDiamondCS.com.au
Date: Fri May 26 2000 - 05:01:03 CDT


LATEST WAVE OF WORMS USING HIDDEN FILE EXTENSIONS
RELEASE DATE: Friday May 26, 2000
SYSTEMS AFFECTED: Windows 95, 98, NT, 2000

DESCRIPTION
Microsoft Windows lets the user hide or show file extensions, so the same
file appears as either "readme.txt" or just "readme". Users who want to avoid
running something they shouldn't usually turn extension hiding OFF (Folder
Options, "Hide file extensions for known file types"). However, even with that
option turned off, a file type can register itself so that Explorer is FORCED
to hide its extension.

This is certainly not a new vulnerability, but there seem to have been few, if
any, reports on what should be considered a very dangerous problem.

THE PROBLEM
By default, several Windows file extensions are always hidden, regardless of
the Folder Options setting. These include .PIF, .SHS, .LNK, .DESKLINK, .URL
and .MAPIMAIL. When a file uses one of these extensions, the name Explorer
displays gives no indication of the real extension. (The "Type" column in
Explorer's Details view does still reflect the real file type.)

THE EXPLOIT
A worm can easily call itself readme.txt.pif and mail itself around the
Internet. When a Windows user receives the file and goes to open it in
Explorer, or anywhere else that uses the same file-list control, they will
only see "readme.txt". The TYPE of the file will be "Shortcut to MS-DOS
Program" instead of "Text Document", as a .txt file should be. This, however,
is the only visible difference. When the user tries to open readme.txt,
Notepad (the program associated with .txt) does not load a text file as the
user would expect; instead readme.txt.pif is executed. A PIF is a shortcut
to an MS-DOS program, and opening it runs what it points to with the user's
full privileges, much like a BAT file: it can delete files, format drives,
create files and so on. A worm is already propagating on the Internet now
under the filename Movie.avi.pif. People receiving this file will see
"Movie.avi" if they look at it in Explorer, and as .avi is regarded as a
"safe" extension, most people will open it without a second thought for their
own safety.

Going one step further, a PIF worm disguised as a .TXT file could launch
Notepad with a harmless text file when it is executed, making it look as if
the .txt file simply opened. The infection happens in the background while
the user has a .txt file on screen in Notepad, and they are none the wiser.

THE SOLUTION
Forced hiding of an extension is controlled by a registry value named
"NeverShowExt" (with no data) under the file type's class key. To stop .PIF
files from hiding their extension, delete that value from
HKEY_CLASSES_ROOT\piffile (the class key that the .pif extension key maps to).

A registry search for the value NAME "NeverShowExt" (in Regedit, Edit > Find
with "Values" checked; searching the Data fields will not find it, since the
value carries no data) will reveal every file type that has been registered
invisible. Delete the value from each of them. Be aware that removing it from
lnkfile makes every shortcut on the desktop and Start menu display ".lnk";
that is the price of being able to see a disguised file.
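The following script is an added example and is not part of the original
advisory or of Diamond Computer Systems' tooling. It audits the NeverShowExt
mechanism from the previous sections on a current Windows machine (PowerShell
5.1 or later; the systems listed above predate PowerShell, but the registry
value still exists today): it lists the class keys that force extension
hiding, resolves which extensions map to them, checks constructed file names
such as readme.txt.pif and Movie.avi.pif for a forged inner extension, scans a
folder for the same, and with -Remove deletes the NeverShowExt values as THE
SOLUTION prescribes. The default $ScanPath and the Test-HiddenExtension
function are this example's own assumptions, not anything from the advisory.
On modern Windows HKEY_CLASSES_ROOT is a merged view of the machine and
per-user class keys, so run the removal from an elevated shell to affect the
machine-wide entries.

```powershell
<#
  Added example, not part of the original advisory.
  1. List every class key in HKEY_CLASSES_ROOT carrying a NeverShowExt value.
  2. Resolve which extensions (.pif, .lnk, ...) map to those class keys.
  3. Flag names that Explorer would display with a forged extension.
  4. With -Remove, delete the NeverShowExt values (elevated shell needed for
     the machine-wide entries).
  $ScanPath is an assumed default; point it wherever attachments land.
#>
param(
    [string]$ScanPath = "$env:USERPROFILE\Downloads",
    [switch]$Remove
)

$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$keys = Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue

# 1. Class keys (non-dotted names such as piffile, lnkfile) with a
#    NeverShowExt value. The value's data is empty; its presence is what counts.
$hiddenProgIds = @($keys |
    Where-Object { $_.PSChildName -notlike '.*' -and
                   $_.GetValueNames() -contains 'NeverShowExt' } |
    ForEach-Object { $_.PSChildName })

# 2. Extension keys whose default value names one of those class keys.
$hiddenExts = @($keys |
    Where-Object { $_.PSChildName -like '.*' -and
                   $hiddenProgIds -contains $_.GetValue('') } |
    ForEach-Object { $_.PSChildName.ToLower() })

Write-Host "Class keys forcing hidden extensions: $($hiddenProgIds -join ', ')"
Write-Host "Extensions Explorer will never show:  $($hiddenExts -join ', ')"

# 3. Explorer strips the last extension when it is in $HiddenExts; a second
#    extension underneath ("readme.txt" in readme.txt.pif) is the disguise.
function Test-HiddenExtension {
    param([string]$Name, [string[]]$HiddenExts)
    $realExt = [System.IO.Path]::GetExtension($Name).ToLower()
    if (-not $realExt -or $HiddenExts -notcontains $realExt) { return $null }
    $displayed = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $fakeExt   = [System.IO.Path]::GetExtension($displayed).ToLower()
    $looksLike = if ($fakeExt) { $fakeExt } else { '(none)' }
    [pscustomobject]@{
        RealName    = $Name
        DisplayedAs = $displayed
        RealExt     = $realExt
        LooksLike   = $looksLike
        Suspicious  = [bool]$fakeExt   # true only when an inner extension exists
    }
}

# Constructed sample names (from the advisory plus two benign controls),
# checked against the live list of hidden extensions.
'readme.txt.pif', 'Movie.avi.pif', 'Shortcut to Notepad.lnk', 'readme.txt' |
    ForEach-Object { Test-HiddenExtension -Name $_ -HiddenExts $hiddenExts } |
    Format-Table -AutoSize

# Real files under $ScanPath whose displayed name hides a forged extension.
if (Test-Path -Path $ScanPath) {
    Get-ChildItem -Path $ScanPath -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-HiddenExtension -Name $_.Name -HiddenExts $hiddenExts } |
        Where-Object { $_.Suspicious } |
        Format-Table -AutoSize
}

# 4. The fix from the advisory: delete NeverShowExt so the real extension shows.
#    Doing this to lnkfile makes every shortcut display ".lnk".
if ($Remove) {
    foreach ($progId in $hiddenProgIds) {
        Remove-ItemProperty -Path "$hkcr\$progId" -Name NeverShowExt -ErrorAction Stop
        Write-Host "Removed NeverShowExt from $progId"
    }
}
```

Run it without arguments to audit; readme.txt.pif and Movie.avi.pif come
back Suspicious while a plain .lnk shortcut does not, because the check keys
on the presence of a second extension rather than on .pif alone. Re-run
with -Remove from an elevated prompt to apply the advisory's fix, then confirm
in Explorer that the full names are displayed.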

--
Reported by Wayne Langlois for Diamond Computer Systems
waynediamondcs.com.au  -  http://www.diamondcs.com.au