[41877] in bugtraq
WMF browser-ish exploit vectors
daemon@ATHENA.MIT.EDU (Evans, Arian)
Fri Dec 30 14:42:11 2005
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Thu, 29 Dec 2005 15:10:19 -0600
Message-ID: <8654C851B1DAFA4FA18A9F150145F92502C16D7A@fnex01.fishnetsecurity.com>
From: "Evans, Arian" <Arian.Evans@fishnetsecurity.com>
To: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
Here, let's make the rendering issue simple:
Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.
Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.
Stocking Stuffer Sploit-use Samples:
http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
http://yourcorp_web_based_DMS/surprise_not_a.doc
etc.
For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:
http://www.anachronic.com/xss/
Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your hearts content. <obvious>
http://www.anachronic.com/xss/skatebrd.wmf =
http://www.anachronic.com/xss/statebrd.jpg
and
http://www.anachronic.com/xss/win32api.jpg =
http://www.anachronic.com/xss/win32api.wmf
and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>
You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.
Merry Metafiling,
-ae
