[Full-disclosure] Binary Planting Goes "Any File Type"
mitja.kolsek at acrossecurity.com
Sat Jul 9 15:37:37 BST 2011
Hi Mario -
> Actually you *can* launch an executable that way, if you add a couple
> more clicks afterwards, or you right click on the file and choose a
> non default menu option. It's no more ridiculous than any other social
> engineering that requires people to hit a hotkey they probably never
> heard of and browse all the way to your malicious file...
This example merely provided one of possible alternatives to double-clicking a file, which I understood was one of Dan's major objections. Yes the example was over the top but also yes, it would work against some users who otherwise wouldn't double-click on a file. Attackers care about that.
Sure these attacks require some social engineering, but the research is not over. I'd like to refer you to http://blog.acrossecurity.com/2011/06/com-server-based-binary-planting-proof.html?m=1 for an example of how further research can reduce social engineering to mere visiting of malicious web page and two clicks on links on that page.
> IMHO what you're reporting is a great way to improve social
> engineering attacks. But you should flag it as such rather than
> calling it a 0day just for the sake of the fancy word. This is not a
> demerit of your work in any way, it's just a matter of using the
> proper vocabulary.
I fail to find the word "0day" in the blog post or my emails. Am I missing something?
> On Sat, Jul 9, 2011 at 1:11 AM, Mitja Kolsek
> <mitja.kolsek at acrossecurity.com> wrote:
>> Ok, Dan, just for you:
>> Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), go to File->Open (or press Ctrl+O), browse to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better?
>> On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <dan at doxpara.com> wrote:
>>> And here's where your exploit stops being one:
>>> Suppose the current version of Apple Safari (5.0.5) is our default web
>>> browser. If we put the above files in the same directory (on a local
>>> drive or a remote share) and double-click Test.html, what happens is
>>> the following:
>>> At this point, Test.html might actually be test.exe with the HTML icon
>>> embedded. Everything else then is unnecessary obfuscation -- code
>>> execution was already possible the start by design.
>>> This is a neat vector though, and it's likely that with a bit more
>>> work it could be turned into an actual RCE.
>>> On Fri, Jul 8, 2011 at 10:38 AM, ACROS Security Lists <lists at acros.si> wrote:
>>>> We published a blog post on a nice twist to binary planting which we call "File
>>>> Planting." There'll be much more of this from us in the future, but here's the first
>>>> sample for you to (hopefully) enjoy.
>>>> Best regards,
>>>> Mitja Kolsek
>>>> ACROS, d.o.o.
>>>> Makedonska ulica 113
>>>> SI - 2000 Maribor, Slovenia
>>>> tel: +386 2 3000 280
>>>> fax: +386 2 3000 282
>>>> web: http://www.acrossecurity.com
>>>> blg: http://blog.acrossecurity.com
>>>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> “There's a reason we separate military and the police: one fights the
> enemy of the state, the other serves and protects the people. When the
> military becomes both, then the enemies of the state tend to become
> the people.”
Full-Disclosure is hosted and sponsored by Secunia.