WMF browser-ish exploit vectors
Here, let's make the rendering issue simple:
Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.
Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.
Stocking Stuffer Sploit-use Samples:
http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
http://yourcorp_web_based_DMS/surprise_not_a.doc
etc.
For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:
http://www.anachronic.com/xss/
Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your hearts content. <obvious>
http://www.anachronic.com/xss/skatebrd.wmf =
http://www.anachronic.com/xss/statebrd.jpg
and
http://www.anachronic.com/xss/win32api.jpg =
http://www.anachronic.com/xss/win32api.wmf
and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>
You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.
Merry Metafiling,
-ae