Re: WMF browser-ish exploit vectors
Evans, Arian wrote:
> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.
This is what MS stupidly calls "MIME type detection" -- ferrcrissakes,
MIME Type is _defined_ by the server (or MIME headers in Email, etc) so
there is no such thing as "MIME Type detection"; you are either told it
by the server (message's MIME headers, etc) or you are not.
MS' other name for this -- "data sniffing" -- describes the process
rather than the function. It is file format detection.
Anyway, a (given MS' past, probably partial/incomplete) listing of such
things and an outline of the logic IE employs in doing this is:
MIME Type Detection in Internet Explorer
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_
a.asp
> Windows Explorer/My Computer preview/thumbnail thingy=IE
> for purposes of rendering engine.
<<snip>>
Yep.
> Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
> candy is a JPEG also renamed doc, and win32api is a JPEG
> renamed to wmf. Mix and match to your hearts content. <obvious>
<<snip>>
A problem with the above, IE-specific description of "data sniffing",
is that in the Explorer context (and some other "shell" contexts, and
these vary in different versions of Windows) some other forms of format
detection are also employed (rename a .EXE, or any kind of OLE2 format
file, to an unregistered extension and start playing around...).
Also, don't forget the embedding of one kind of file into another, such
as shell scraps (.SHS/.SHB), other OLE2 formats (Word, Excel, etc, etc)
and so on.
Regards,
Nick FitzGerald