
Re: WMF browser-ish exploit vectors



Evans, Arian wrote:

> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

This is what MS stupidly calls "MIME type detection" -- ferrcrissakes, 
MIME Type is _defined_ by the server (or MIME headers in Email, etc) so 
there is no such thing as "MIME Type detection"; you are either told it 
by the server (message's MIME headers, etc) or you are not.

MS' other name for this -- "data sniffing" -- describes the process 
rather than the function.  It is file format detection.

Anyway, a (given MS' past, probably partial/incomplete) listing of such 
things and an outline of the logic IE employs in doing this is:

MIME Type Detection in Internet Explorer

http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

> Windows Explorer/My Computer preview/thumbnail thingy=IE
> for purposes of rendering engine.
<<snip>>

Yep.

> Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
> candy is a JPEG also renamed doc, and win32api is a JPEG
> renamed to wmf. Mix and match to your heart's content. <obvious>
<<snip>>

A problem with the above, IE-specific description of "data sniffing", 
is that in the Explorer context (and some other "shell" contexts, and 
these vary in different versions of Windows) some other forms of format 
detection are also employed (rename a .EXE, or any kind of OLE2 format 
file, to an unregistered extension and start playing around...).

Also, don't forget the embedding of one kind of file into another, such 
as shell scraps (.SHS/.SHB), other OLE2 formats (Word, Excel, etc, etc) 
and so on.


Regards,

Nick FitzGerald
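The practical counterpart to the above, as an added example that is not part of the original message or of anything Microsoft published: a content sniffer of the kind a web server, mail gateway or upload handler should run itself, so that a metafile renamed to .doc or .jpg is recognised by what its bytes are rather than by what its name or the declared type claims. It is not a reconstruction of IE's detection logic (the MSDN appendix cited above describes that); the signature table, the extension map and the sample files (named after the post's skatebrd/candy/win32api examples) are all constructed for this illustration. A standard WMF has no magic bytes, so its 18-byte header is checked structurally; the placeable (Aldus) variant is recognised by its key. An executable under an unregistered extension is flagged as well, matching the shell-context point about renamed .EXE and OLE2 files.

```python
import struct

# Leading-byte signatures; table constructed for this example.
SIGNATURES = [
    (b"\xd7\xcd\xc6\x9a", "wmf"),                   # placeable WMF key 0x9AC6CDD7 (little-endian)
    (b"\xff\xd8\xff", "jpeg"),                       # JPEG SOI marker followed by next marker
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "exe"),                                  # DOS/PE executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # OLE2 compound file (Word, Excel, .shs ...)
]

# What the extension claims the content is; table constructed for this example.
EXTENSION_TYPES = {
    ".wmf": "wmf", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".exe": "exe", ".dll": "exe", ".scr": "exe",
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2", ".shs": "ole2", ".shb": "ole2",
}


def is_standard_wmf(data):
    """A non-placeable WMF has no magic; recognise its 18-byte META_HEADER:
    Type (1 disk / 2 memory), HeaderSize (always 9 words), Version (0x0100 or 0x0300)."""
    if len(data) < 18:
        return False
    ftype, hsize, version = struct.unpack_from("<HHH", data, 0)
    return ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def sniff(data):
    """Return the format the content actually is, ignoring name and declared type."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if is_standard_wmf(data):
        return "wmf"
    return "unknown"


def claimed_type(filename):
    """Return the format the extension claims ('unknown' for none or unregistered)."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot >= 0 else ""
    return EXTENSION_TYPES.get(ext, "unknown")


def check(filename, data):
    """Flag a file whose content is a recognised format the name does not claim.
    Recognisable content under an unregistered extension is flagged too."""
    claimed, actual = claimed_type(filename), sniff(data)
    return {"name": filename, "claimed": claimed, "actual": actual,
            "mismatch": actual != "unknown" and actual != claimed}


# --- constructed sample files (not from the post) -----------------------------

def minimal_wmf(placeable=False):
    """Smallest structurally valid WMF: META_HEADER followed by a META_EOF record."""
    eof = struct.pack("<IH", 3, 0x0000)              # record size 3 words, function META_EOF
    size_words = (18 + len(eof)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, 3, 0)
    body = header + eof
    if not placeable:
        return body
    # 22-byte placeable header: Key, HWmf, BoundingBox (l,t,r,b), Inch, Reserved, Checksum
    pre = struct.pack("<IHhhhhHI", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", pre):           # checksum = XOR of the ten preceding words
        checksum ^= word
    return pre + struct.pack("<H", checksum) + body


JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
OLE2_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
MZ_STUB = b"MZ\x90\x00"

SAMPLES = [
    ("skatebrd.doc", minimal_wmf()),        # metafile renamed to .doc
    ("candy.doc", JPEG_STUB),               # JPEG renamed to .doc
    ("win32api.wmf", JPEG_STUB),            # JPEG renamed to .wmf
    ("skatebrd.wmf", minimal_wmf(True)),    # honest placeable WMF
    ("report.doc", OLE2_STUB),              # honest OLE2 (Word) file
    ("setup.bin", MZ_STUB),                 # EXE under an unregistered extension
]


def mismatches(samples=SAMPLES):
    """Return the check() results for every sample whose name lies about its content."""
    return [r for r in (check(n, d) for n, d in samples) if r["mismatch"]]


if __name__ == "__main__":
    for result in (check(n, d) for n, d in SAMPLES):
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{result['name']:14} claims {result['claimed']:8} is {result['actual']:8} {flag}")
```

Run as-is it reports four of the six samples: the three renamed files from the post plus the executable hiding under .bin. The point of the design is that the decision is taken on the bytes and never on the name or a Content-Type header, which is exactly the property an attacker relies on the renderer having; doing the same check before the file reaches the renderer lets you refuse the mismatch instead of letting IE or the shell "helpfully" resolve it.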