Re: WMF browser-ish exploit vectors

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: WMF browser-ish exploit vectors
From: "Dave Korn" <davek_throwaway@xxxxxxxxxxx>
Date: Tue, 3 Jan 2006 19:09:54 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <8654C851B1DAFA4FA18A9F150145F92502C16D7A@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: news <news@xxxxxxxxxxxxx>

Evans, Arian wrote in 
news:8654C851B1DAFA4FA18A9F150145F92502C16D7A@xxxxxxxxxxxxxxxxxxxxxxxxxx
> Here, let's make the rendering issue simple:
>
> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

  Yeh, that's a real dumbass design feature that one.

> http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
>
> http://yourcorp_web_based_DMS/surprise_not_a.doc
>
> etc.


  Have you tried giving it a mpg/avi/wma/wmv extension and getting it to 
open in a (perhaps embedded) mediaplayer?  That's liable to work as well; 
mediaplayer is also vulnerable to the 
choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content 
desynchronisation attack...


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

Follow-Ups:
- RE: WMF browser-ish exploit vectors
  - From: James C Slora Jr

References:
- WMF browser-ish exploit vectors
  - From: Evans, Arian

Prev by Date: Re: WTF??
Next by Date: Re: WMF Exploit
Previous by thread: Re: WMF browser-ish exploit vectors
Next by thread: RE: WMF browser-ish exploit vectors
Index(es):
- Date
- Thread