
View Full Version : WMF browser-ish exploit vectors



Evans, Arian
30/12/05, 20:45
Here, let's make the rendering issue simple:

Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.

Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.

Stocking Stuffer Sploit-use Samples:

http://sharepoint2003/bizdir/your_custom_folder_icon.jpg

http://yourcorp_web_based_DMS/surprise_not_a.doc

etc.

For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:

http://www.anachronic.com/xss/

Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your heart's content. <obvious>

http://www.anachronic.com/xss/skatebrd.wmf =
http://www.anachronic.com/xss/statebrd.jpg

and

http://www.anachronic.com/xss/win32api.jpg =
http://www.anachronic.com/xss/win32api.wmf

and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>

You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.

Merry Metafiling,

-ae

Nick FitzGerald
05/01/06, 08:45
Evans, Arian wrote:

> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

This is what MS stupidly calls "MIME type detection" -- ferrcrissakes,
MIME Type is _defined_ by the server (or MIME headers in Email, etc) so
there is no such thing as "MIME Type detection"; you are either told it
by the server (message's MIME headers, etc) or you are not.

MS' other name for this -- "data sniffing" -- describes the process
rather than the function. It is file format detection.

Anyway, a (given MS' past, probably partial/incomplete) listing of such
things and an outline of the logic IE employs in doing this is:

MIME Type Detection in Internet Explorer

http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

> Windows Explorer/My Computer preview/thumbnail thingy=IE
> for purposes of rendering engine.
<<snip>>

Yep.

> Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
> candy is a JPEG also renamed doc, and win32api is a JPEG
> renamed to wmf. Mix and match to your hearts content. <obvious>
<<snip>>

A problem with the above, IE-specific description of "data sniffing",
is that in the Explorer context (and some other "shell" contexts, and
these vary in different versions of Windows) some other forms of format
detection are also employed (rename a .EXE, or any kind of OLE2 format
file, to an unregistered extension and start playing around...).

Also, don't forget the embedding of one kind of file into another, such
as shell scraps (.SHS/.SHB), other OLE2 formats (Word, Excel, etc, etc)
and so on.


Regards,

Nick FitzGerald

Dave Korn
05/01/06, 14:00
Evans, Arian wrote in
news:8654C851B1DAFA4FA18A9F150145F92502C16D7A@fnex01.fishnetsecurity.com
> Here, let's make the rendering issue simple:
>
> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web
> exploitation, and IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

Yeh, that's a real dumbass design feature that one.

> http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
>
> http://yourcorp_web_based_DMS/surprise_not_a.doc
>
> etc.


Have you tried giving it a mpg/avi/wma/wmv extension and getting it to
open in a (perhaps embedded) mediaplayer? That's liable to work as well;
mediaplayer is also vulnerable to the
choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content
desynchronisation attack...


cheers,
DaveK
--
Can't think of a witty .sigline today....
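The extension/content desynchronisation Dave describes, and the file-format ("data sniffing") detection Nick points to, can be turned around on the defender's side: sniff the leading bytes yourself and flag any file whose content says one format while its name claims another. This is an added example, not code from the thread; the signature table is a constructed subset of well-known magic values and the sample headers are constructed padding, not real images or metafiles.

```python
# Added example (not from the thread): flag files whose leading bytes
# identify a format other than the one their extension claims, e.g. a
# metafile served as .jpg or .doc. Useful over a download cache or an
# upload directory where a renamed WMF would otherwise go unnoticed.
from pathlib import PurePosixPath
from typing import Optional

# Constructed table of well-known signatures; deliberately not exhaustive.
SIGNATURES = [
    (b"\xd7\xcd\xc6\x9a", "wmf"),                   # placeable (Aldus) metafile
    (b"\x01\x00\x09\x00", "wmf"),                   # standard metafile, memory type
    (b"\x02\x00\x09\x00", "wmf"),                   # standard metafile, disk type
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "exe"),                                 # DOS/PE executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # Word/Excel/.shs containers
    (b"RIFF", "riff"),                              # AVI/WAV container
]

# Which sniffed format each extension may legitimately carry.
EXT_ALLOWS = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".wmf": {"wmf"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".shs": {"ole2"},
    ".avi": {"riff"}, ".exe": {"exe"},
}

def sniff(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return None

def check(name: str, data: bytes) -> dict:
    """Compare the extension against the sniffed content. 'mismatch' is True
    only when both sides are known and disagree; unknown bytes or an
    extension outside the table are reported but not flagged."""
    ext = PurePosixPath(name).suffix.lower()
    fmt = sniff(data)
    allowed = EXT_ALLOWS.get(ext)
    mismatch = fmt is not None and allowed is not None and fmt not in allowed
    return {"name": name, "ext": ext, "sniffed": fmt, "mismatch": mismatch}

if __name__ == "__main__":
    # Constructed sample headers (zero padding, no real image or metafile data).
    pad = b"\x00" * 20
    samples = {
        "skatebrd.doc": b"\xd7\xcd\xc6\x9a" + pad,  # metafile named .doc
        "candy.doc": b"\xff\xd8\xff\xe0" + pad,     # JPEG named .doc
        "win32api.wmf": b"\xff\xd8\xff\xe0" + pad,  # JPEG named .wmf
        "photo.jpg": b"\xff\xd8\xff\xe0" + pad,     # honest JPEG
    }
    for n, d in samples.items():
        print(check(n, d))
```

Only the first few bytes are inspected, so this catches the rename trick but not formats embedded deeper inside a legitimate container (the OLE2 case Nick raises needs a parser for that container).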

James C Slora Jr
06/01/06, 05:30
Dave Korn wrote

> Have you tried giving it a mpg/avi/wma/wmv extension and getting
> it to open in a (perhaps embedded) mediaplayer? That's liable to
> work as well; mediaplayer is also vulnerable to the
> choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content
> desynchronisation attack...

I have seen at least one cached .wmz (Windows Media Player Skin) file
trigger AV alerts for the WMF exploit (Symantec Bloodhound.Exploit.56) after
having been opened in WMP10.