Re: Self-Executing FOLDERS: Windows XP Explorer Part V
Thor I know you hang out on irc a lot so let me give you an example you can
relate to, say you met this girl on irc you talk and she seems nice, now
she offers to send you photo's of herself, If the zip file where to include
an exe or html file naturaly you wouldn't open it, now ask yourself if it
had a single dir called my.pics.folder, would you double click on it
expecting she just zipped the whole dir. I would. So no it isn't not a
vulnerability perse, He never claimed it was, But it's a very usefull
social engineering trick, and I am thankfull to http-equiv for pointing it
out since I would have been fooled by this. Also I honestly don't see why
there should be such a beast as a .folder extention, is there any usefull
purpose for it at all except for making files that aren't really folders
apear as folders?
you can probably just rename
HKEY_CLASSES_ROOT\.Folder
to
HKEY_CLASSES_ROOT\.FolderSOME_RANDOM_STUFF
to remove the association with the .folder I don't think it would cause any
trouble but just in case it does you can always rename it back
----- Original Message -----
From: "Thor Larholm" <thor@xxxxxxxx>
To: <1@xxxxxxxxxxx>; <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Monday, January 26, 2004 7:14 PM
Subject: RE: Self-Executing FOLDERS: Windows XP Explorer Part V
> Why don't we call a spade a spade? You renamed an HTML file from "My
> Pics.html" to "My Pics.Folder", it's still an HTML file and not a folder.
>
> In fact, except for the changed file extension this is simply just a
repeat
> of your previous post, "Self-Executing HTML: Internet Explorer 5.5 and 6.0
> Part IV", except that the ".Folder" file extension is new to Windows XP
and
> makes the file have a folder icon.
>
> When you open any file regardless of extension, Explorer tries to find the
> proper application to open the file with. This involves inspecting the
first
> section of the files content and comparing it to a list of known
signatures.
> You can read about "MIME Type Detection in Internet Explorer" at
>
>
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
>
> We already know that opening HTML files from the My Computer zone is
> equivelant to opening an EXE file, given the executional rights provided
by
> the zone. The only solution to this is to lock down the My Computer zone
> which I have been trying to advocate for some time now and Microsoft has
now
> promised to do in Service Pack 2 for Windows XP.
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> thor@xxxxxxxx
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix <http://www.qwik-fix.net>
>
> -----Original Message-----
> From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx]
> Sent: Sunday, January 25, 2004 8:51 AM
> To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Self-Executing FOLDERS: Windows XP Explorer Part V
>
>
> Sunday, January 25, 2004
>
>
> The following file is a 'folder' comprising both scripting and an
executable
> [*.exe].
>
> We inject scripting and an executable into the 'folder' which is designed
to
> point back to the executable in the 'folder' and execute it. Provided the
> 'folder' is an html file, Windows XP Explorer will execute it.
>
> Because it is an 'folder' proper, Windows Explorer opens it. The scripting
> inside is then parsed and fired. That scripting is pointing back to the
same
> executable file and because it is a self-executing 'folder', it executes
!
>
> Fully self-contained harmless *.exe.
>
> Windows XP only:
>
>
> http://www.malware.com/my.pics.zip
>
>
> Be aware of 'folders' out there.
>
>
>
> --
> http://www.malware.com
>
> -----
> Editor's Note: The 43rd Most Powerful Person in Networking says...
>
> Out of Office replies to list messages cause you to be unsubscribed
> automatically. Either subscribe a Public Folder, or ensure your rules are
> set to ensure list messages are filtered prior to your Out of Office
reply.
> Such automatic replies are a bane to posters, and cause us to have fewer
> researchers post to NTBugtraq.
> -----
>
>