[20271] in bugtraq
Re: Double clicking on innocent looking files may be dangerous
daemon@ATHENA.MIT.EDU (Philip Stoev)
Tue Apr 17 15:19:34 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <005501c0c711$1662a970$0100a8c0@stoev.org>
Date: Tue, 17 Apr 2001 10:36:10 +0300
Reply-To: Philip Stoev <philip@STOEV.ORG>
From: Philip Stoev <philip@STOEV.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
This is true for Windows 2000 SP1, and no setting of "always show file
extension" seems to be able to make Explorer display the entire filename. It
must be noted, however, that the icon of the file is not the one of a text
file, but rather the default icon with the Windows logo.
When I attached the file in Outlook Express, the entire extension was
visible at all places. Also, OE opened a Run/Save prompt when opening it,
which is the behavior for HTA files, but not for TXT files on my machine
(they open without prompt for me).
And finally, a similar trick to make an ordinary shortcut point to the
Control Panel or the Printers folder is described in the Tips+Tricks file on
the Windows 95 CD, which means that this behavior has been there for a long
time and maybe other tricks are possible with a carefully-chosen CLSID.
Philip
> Details:
> If the file extension is certain CLSID e.g.:
> testhta.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
> then Windows explorer and IE do not show the CLSID and only the .txt
> extension,
> while the above file is in fact .hta file.
> Some exploit scenarios include leaving such malicous files on shared
> resources or
> sending them in archive by email.
