[14920] in bugtraq
Fwd: [nohack] Yet another way to disguise files.
daemon@ATHENA.MIT.EDU (Josh Rollyson)
Tue May 16 16:52:38 2000
Message-Id: <28685-392163B0-12767@storefull-265.iap.bryant.webtv.net>
Date: Tue, 16 May 2000 11:05:20 -0400
Reply-To: Josh Rollyson <dinodrac@WEBTV.NET>
From: Josh Rollyson <dinodrac@WEBTV.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
This needs some attention, IMHO.
--
Josh Rollyson
dracus on EFnet and Undernet
dinodrac@magenet.com
Return-Path: <owner-nohack@linuxbox.org>
Received: from linuxbox.org (arb-0250.dfw.tx.bbnow.net [24.219.0.250]) by
hyland.magenet.com (8.10.1/8.10.0) with ESMTP id e4GAbxu14347 for <dinodrac@magenet.com>;
Tue, 16 May 2000 06:37:59 -0400
Received: (from majordom@localhost) by linuxbox.org (8.9.3/8.9.3/Debian
8.9.3-6) id LAA01875 for nohack-outgoing; Tue, 16 May 2000 11:39:57
+0100
X-Authentication-Warning: linuxbox.org: majordom set sender to
owner-nohack@linuxbox.org using -f
Received: from digitaldaemons.net (digitaldaemons.net [216.122.85.144]) by
linuxbox.org (8.9.3/8.9.3/Debian 8.9.3-6) with ESMTP id LAA01871
for <nohack@linuxbox.org>; Tue, 16 May 2000 11:39:56 +0100
Received: from digitaldaemons.net (usr219-udd1.cableinet.co.uk
[213.48.62.16]) by digitaldaemons.net (8.9.3/8.9.3) with ESMTP id
DAA09828; Tue, 16 May 2000 03:36:09 -0700 (PDT)
Message-ID: <392132A0.B69C20D2@digitaldaemons.net>
Date: Tue, 16 May 2000 11:36:00 +0000
From: Jim Murray <jim@digitaldaemons.net>
Organization: Digital Daemons - http:\\www.digitaldaemons.net
X-Mailer: Mozilla 4.61 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
Subject: [nohack] Yet another way to disguise files.
To: undisclosed-recipients:;
Sender: owner-nohack@linuxbox.org
Precedence: bulk
X-list: nohack
Mail from Jim Murray <jim@digitaldaemons.net>
Turned up this alarming snippet on usenet today :
<copy>
Windows hides file types for some files even with HideFileTypes turned
off.
Do a search of your registry for the value "NeverShowExt", starting at:
HKEY_LOCAL_MACHINE\Software\CLASSES\
Which is mirrored at:
HKEY_CLASSES_ROOT\
I found that there were 10 occurrences on my (fairly UNLoaded
installation)
ALL of which I have now changed to "AlwaysShowExt"!
If you have much other M$ or Office software on your machine, you may
find more!
& it is quite easy for any program to conceal *any* file extension by
this means!
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKEY_LOCAL_MACHINE\Software\CLASSES\DocShortcut
HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap
HKEY_LOCAL_MACHINE\Software\CLASSES\lnkfile
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile
HKEY_LOCAL_MACHINE\Software\CLASSES\InternetShortcut
HKEY_LOCAL_MACHINE\Software\CLASSES\SHCmdFile
HKEY_LOCAL_MACHINE\Software\CLASSES\ConferenceLink
The first 3 are for the MAPIMail & DeskLink shortcuts, the 3rd one is
for the My Documents folder.
MapiMail is used for *automatically* sending mails, using whatever is
the "default" email client (via sendmail.dll).
DeskLink is, I think, used for a similar thing.
The last 7 are self-explanatory(?)
& I would venture to suggest that of these, DocShortcut, ShellScrap,
lnk, pif, InternetShortcut & SHCmdFile ARE *definitely* "executable"!!!?
In fact the "action" associated with these is:
DocShortcut
C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL /r /x %1
ShellScrap
C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL %1
You can guess what the others do?
<g>
Yup, you got it! - Iexplore.exe gets its mitts on them!
So *anything* is possible!
<endcopy>
A little digging on the web revealed that this is a genuine issue, one
that's been known about for some time. Just a couple of the links I
found :
http://www.pc-help.org/security/scrap.htm - Includes demo exploit.
http://www.stiller.com/shs.htm
I know it's not new but as users become more wary of running anything
they see and learn to check file types, exploits using this are probably
going to increase sometime soon.
Jim.
--
Jim Murray = jim@digitaldaemons.net = jim-mm@dal.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If you think the problem is bad now,
just wait until we've solved it."
-
-
nohack, the cross-IRC-networks Trojan Horses mailing list.
To unsubscribe send mail to majordomo@linuxbox.org
with 'unsubscribe nohack' in the message body.
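The registry audit the forwarded Usenet snippet describes by hand (search HKEY_CLASSES_ROOT for NeverShowExt, look at what each class's open verb runs, rename the value to AlwaysShowExt) can be done in one pass with the script below. It is an added example, not code from Jim Murray, Josh Rollyson or the nohack list. It assumes Windows PowerShell 5.x or later and an elevated session if -Fix is used; by default it only reports.

```powershell
# Added audit script; not part of the original post or the mailing list.
# Lists every class registration under HKEY_CLASSES_ROOT that carries a
# NeverShowExt value, shows the file extensions that resolve to it and the
# command Explorer would run on open, and with -Fix renames the value to
# AlwaysShowExt as the poster did.
# Assumptions: Windows PowerShell 5.x or later; run elevated for -Fix.
param(
    [switch]$Fix   # report only unless -Fix is given
)

# HKCR is not mapped as a PSDrive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Build an extension -> ProgID map once (e.g. ".lnk" -> "lnkfile") so each
# finding can be tied back to the extensions Explorer would hide.
$extByProgId = @{}
foreach ($ext in Get-ChildItem 'HKCR:\' -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -like '.*' }) {
    $progId = (Get-ItemProperty -Path $ext.PSPath -ErrorAction SilentlyContinue).'(default)'
    if ($progId) { $extByProgId[$progId] += @($ext.PSChildName) }
}

# NeverShowExt sits directly on ProgID keys (HKCR\lnkfile) and on
# HKCR\CLSID\{guid} keys, so one level of recursion is enough.
$findings = foreach ($key in Get-ChildItem 'HKCR:\' -Depth 1 -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'NeverShowExt')) {
        continue
    }

    # The verb Explorer runs when a file of this class is opened, if registered.
    $cmdKey  = "$($key.PSPath)\shell\open\command"
    $openCmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{
        Key         = $key.Name
        Extensions  = ($extByProgId[$key.PSChildName] -join ', ')
        OpenCommand = $openCmd
    }

    if ($Fix) {
        # Same change the poster made: the value stays, its meaning flips.
        Rename-ItemProperty -Path $key.PSPath -Name 'NeverShowExt' -NewName 'AlwaysShowExt'
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it once without -Fix and read the OpenCommand column: a class whose extension is hidden and whose open verb hands the file to rundll32.exe or a browser is exactly the combination the snippet warns about. Because HKCR merges HKLM\Software\Classes with HKCU\Software\Classes, the report also catches per-user registrations that a search of HKEY_LOCAL_MACHINE alone would miss.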