[Dshield] block unneeded file ext

Walter Dnes waltdnes at waltdnes.org
Sat Aug 18 23:26:05 GMT 2007

On Thu, Aug 16, 2007 at 09:23:43AM -0700, Darren Spruell wrote

> Thanks, didn't realize this was part of the other thread.
> Does anyone know advisory URL(s) for this flaw (or similar ones)?


  Actually, if you Google on "sircam", you'll get 155,000 pages.  Back
in the days of Win9x, Windows' left hand didn't know what Windows' right
hand was doing.  The drill was like so...

  - Windows email (and Outlook Express) would check *THE FILE EXTENSION*
    against its "safe/unsafe" list.

  - If *THE FILE EXTENSION* was classified as "safe", e.g. mid or wav,
    Windows would proceed to "open" the file.

  - Windows' system DLLs don't give a hoot about the extension, they
    check the file header and open it accordingly.

  - So take foo.exe and rename it to bar.wav.  Windows mail would flag
    the file as "safe", and pass it on to the DLLs, which would look at
    the file header, decide it was really a .exe, and execute it... oops

  There was another similar stunt with Excel.  In older versions of
Excel, one bit in the file header was reserved to indicate whether or
not the file had macros, including "autoexec" macros.  The exploit
consisted of writing an Excel spreadsheet with a malicious autoexec
macro, saving the file and flipping off the "Contains Macros" bit in
the header.  Since the "Contains Macros" bit was off, Excel would open
the file without giving any warnings about "Contains Macros".

Walter Dnes <waltdnes at waltdnes.org> In linux /sbin/init is Job #1
Q. Mr. Gandhi, what do you think of Microsoft security?
A. I think it would be a good idea.
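
The extension-versus-header mismatch described in this message, as an added example that is not part of the original post: a mail-filter check that decides on the file content rather than the file name and blocks anything it cannot positively match. The safe-extension list, function names and sample byte strings are assumptions constructed for illustration.

```python
# Added example (not from the original post): decide on an attachment by
# comparing what its name claims with what its leading bytes say it is.

SAFE_EXTENSIONS = {"wav", "mid"}  # assumed "safe" list, after the post's examples


def sniff(data: bytes) -> str:
    """Identify content from its header bytes, ignoring the file name."""
    if data[:2] == b"MZ":                              # DOS/PE executable
        return "exe"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":  # RIFF container, WAVE form
        return "wav"
    if data[:4] == b"MThd":                            # Standard MIDI file
        return "mid"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason); anything not positively matched is blocked."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    if ext not in SAFE_EXTENSIONS:
        return "block", f"extension '{ext}' is not on the safe list"
    if actual != ext:
        return "block", f"name claims '{ext}' but header says '{actual}'"
    return "allow", f"header matches extension '{ext}'"


# Constructed sample attachments (byte strings built here, not real files).
SAMPLES = {
    "bar.wav": b"MZ\x90\x00" + b"\x00" * 60,        # executable renamed to .wav
    "chime.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",   # genuine WAVE header
    "song.mid": b"MThd\x00\x00\x00\x06\x00\x01",    # genuine MIDI header
    "foo.exe": b"MZ\x90\x00" + b"\x00" * 60,        # executable, honest name
    "notes.wav": b"just some text",                 # unrecognised content
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, reason = check_attachment(name, blob)
        print(f"{name:10} {verdict:6} {reason}")
```
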
