I agree, in some remote scenario this may work, but doesn't justify an advisory.
Off-topic: First Insect PRO, and now this? What's happening, fellow Latin-Americans? Our standards are falling. Please behave, this is the Internet!

On 09/05/2011 07:33 AM, Mario Vilas wrote:
> Paul,
>
> Those file extensions correspond to scripts. If a file contains a script
> that runs when the file is double clicked, and the scripting engine is not
> sandboxed (meaning the script can do the same things an executable file can
> do) then the attack is meaningless. You can simply have the script inside
> the file do malicious things instead of planting a DLL.
>
> Binary planting, regardless of the discussion about it being a
> "vulnerability" or not, in any case only makes sense when the file only
> contains static data, or when the file contains executable code that would
> normally not have the same privileges as a standard executable file. (A
> script that doesn't get executed when double clicking on it - for example if
> a text editor is opened instead - would be the same case as in a data file).
>
> I've never used .js or .jse scripts on Windows, but all the other extensions
> are patently not sandboxed scripts. In fact, the Windows Script Host
> software is mostly used to write system maintenance scripts, so it's obvious
> its scripts can't be restricted or they'd be useless. I'm guessing the same
> applies to .js and .jse then, and of course I wouldn't mind seeing proof
> that it doesn't. However, the links you provided don't really prove anything
> (the first one even says "this is not a complete list", and I admit I've
> only glanced at the second one, but it seems unrelated, as it applies to file
> transfers on Microsoft SharePoint).
>
> Planting a DLL file to be executed at the same time as another executable file
> is just a convoluted way of doing the same thing. It *may* be used in some
> strange, artificial situations, but I'm not convinced there aren't better
> ways to do it, and in any case it doesn't justify an advisory. And judging
> from what the timeline reads, I believe Microsoft simply ignored this one.
>
> I hope my explanation helped :)
> -Mario
>
> On Mon, Sep 5, 2011 at 12:54 AM, <paul.sz...@sydney.edu.au> wrote:
>
>>> Application: wscript.exe
>>> Extensions: js, jse, vbe, vbs, wsf, wsh
>>> Library: wshesn.dll
>>
>> Many people commented that the above extensions are "executable"
>> already, so are (should be) treated with caution, or that they
>> can be trojaned directly without any DLL load shenanigans.
>>
>> However... looking at
>> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
>> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
>> I do not see JS listed as executable, though JSE is listed.
>>
>> Looking at
>> http://msdn.microsoft.com/en-us/library/ms722429.aspx
>> I see JS (but not JSE) listed. Checking secpol.msc on my Windows XP
>> machine, none of the above extensions are "designated".
>>
>> Maybe DLL hijacking is useful for some of these file types, after all?
>>
>> Cheers, Paul
>>
>> Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
>> School of Mathematics and Statistics University of Sydney Australia
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
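As an added illustration for the points argued above (this is not code from the thread, from Paul, from Mario, or from Microsoft), the following PowerShell audit checks, on a Windows host, the two facts the discussion turns on: whether a double-click on each of the six extensions from the advisory is handed to Windows Script Host (Mario's "not sandboxed" case, where the script itself already runs with full user privileges), and whether Software Restriction Policies list the extension among the "designated file types" that Paul looked up in secpol.msc. The script assumes the standard HKCR association chain (.ext, then ProgId, then shell\open\command) and that the designated list is stored as the ExecutableTypes multi-string under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; both are assumptions about the host's registry layout and the key is absent when no SRP policy has ever been applied.

```powershell
# Added example, not part of the original thread. Read-only registry audit.
# Assumption: HKCR association layout (.ext -> ProgId -> shell\open\command).
# Assumption: SRP designated file types live in the REG_MULTI_SZ value
#   ExecutableTypes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.

# The six extensions named in the advisory being discussed.
$extensions = 'js', 'jse', 'vbe', 'vbs', 'wsf', 'wsh'

# Designated file types as shown by secpol.msc under
# Software Restriction Policies > Designated File Types. No key = no SRP policy.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$designated = @()
if (Test-Path $saferKey) {
    $value = (Get-ItemProperty -Path $saferKey -ErrorAction SilentlyContinue).ExecutableTypes
    if ($null -ne $value) { $designated = @($value) }
}

function Get-ShellOpenCommand {
    # Resolve .ext -> ProgId -> shell\open\command, the same chain that
    # "assoc" and "ftype" walk at the command prompt.
    param([Parameter(Mandatory)][string]$Extension)
    $extKey = "Registry::HKEY_CLASSES_ROOT\.$Extension"
    if (-not (Test-Path $extKey)) { return $null }
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($progId)) { return $null }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path $cmdKey)) { return $null }
    return (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
}

$report = foreach ($ext in $extensions) {
    $cmd = Get-ShellOpenCommand -Extension $ext
    [pscustomobject]@{
        Extension     = ".$ext"
        OpenCommand   = $cmd
        # True when a double-click runs the file through wscript.exe or
        # cscript.exe, i.e. the script itself already executes unsandboxed.
        RunsViaWSH    = [bool]($cmd -and $cmd -match '(?i)\\(w|c)script\.exe')
        # True when SRP treats the extension as an executable file type.
        # (-contains compares case-insensitively, so 'vbs' matches 'VBS'.)
        SRPDesignated = [bool]($designated -contains $ext)
    }
}

$report | Format-Table -AutoSize
```

On a default installation the expected picture is the one both posters describe: RunsViaWSH is true for every row (the handler is wscript.exe), while SRPDesignated is false for all six unless an administrator has added them. Reading the two columns together is the practical takeaway of Mario's argument: where the first column is already true, a planted DLL adds nothing a hostile script could not do on its own, and the mitigation that matters is controlling script execution itself, for example by adding these extensions to the designated file types or by disabling Windows Script Host through its Enabled setting under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings.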