Paul, Those file extensions correspond to scripts. If a file contains a script that runs when the file is double clicked, and the scripting engine is not sandboxed (meaning the script can do the same things an executable file can do) then the attack is meaningless. You can simply have the script inside the file do malicious things instead of planting a DLL.
Binary planting, regardless of the discussion about it being a "vulnerability" or not, in any case only makes sense when the file only contains static data, or when the file contains executable code that would normally not have the same privileges as a standard executable file. (A script that doesn't get executed when double clicking on it -for example if a text editor is opened instead- would be the same case as in a data file). I've never used .js or .jse scripts on Windows, but all the other extensions are patently not sandboxed scripts. In fact, the Windows Script Host software is mostly used to write system maintenance scripts, so it's obvious its scripts can't be restricted or they'd be useless. I'm guessing the same applies to .js and .jse then, and of course I wouldn't mind seeing proof that it doesn't. However the links you provided don't really prove anything (the first one even says "this is not a complete list", and I admit I've only glanced the second one but it seems unrelated, as it applies to file transfers on Microsoft Sharepoint). Planting a DLL file to be executed at the same time as other executable file is just a convoluted way of doing the same thing. It *may* be used in some strange, artificial situations, but I'm not convinced there aren't better ways to do it, and in any case it doesn't justify an advisory. And judging from what the timeline reads, I believe Microsoft simply ignored this one. I hope my explanation helped :) -Mario On Mon, Sep 5, 2011 at 12:54 AM, <paul.sz...@sydney.edu.au> wrote: > > Application: wscript.exe > > Extensions: js, jse, vbe, vbs, wsf, wsh > > Library: wshesn.dll > > Many people commented that the above extensions are "executable" > already, so are (should be) treated with caution, or that they > can be trojaned directly without any DLL load shenanigans. > > However... looking at > http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx > > http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx > I do not see JS listed as executable, though JSE is listed. > > Looking at > http://msdn.microsoft.com/en-us/library/ms722429.aspx > I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP > machine, none of the above extensions are "designated". > > Maybe DLL hijacking is useful for some of these file types, after all? > > Cheers, Paul > > Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ > School of Mathematics and Statistics University of Sydney Australia > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
