Thor I know you hang out on irc a lot so let me give you an example you can relate to, say you met this girl on irc you talk and she seems nice, now she offers to send you photo's of herself, If the zip file where to include an exe or html file naturaly you wouldn't open it, now ask yourself if it had a single dir called my.pics.folder, would you double click on it expecting she just zipped the whole dir. I would. So no it isn't not a vulnerability perse, He never claimed it was, But it's a very usefull social engineering trick, and I am thankfull to http-equiv for pointing it out since I would have been fooled by this. Also I honestly don't see why there should be such a beast as a .folder extention, is there any usefull purpose for it at all except for making files that aren't really folders apear as folders? you can probably just rename HKEY_CLASSES_ROOT\.Folder to HKEY_CLASSES_ROOT\.FolderSOME_RANDOM_STUFF to remove the association with the .folder I don't think it would cause any trouble but just in case it does you can always rename it back ----- Original Message ----- From: "Thor Larholm" <thor@pivx.com> To: <1@malware.com>; <bugtraq@securityfocus.com> Sent: Monday, January 26, 2004 7:14 PM Subject: RE: Self-Executing FOLDERS: Windows XP Explorer Part V > Why don't we call a spade a spade? You renamed an HTML file from "My > Pics.html" to "My Pics.Folder", it's still an HTML file and not a folder. > > In fact, except for the changed file extension this is simply just a repeat > of your previous post, "Self-Executing HTML: Internet Explorer 5.5 and 6.0 > Part IV", except that the ".Folder" file extension is new to Windows XP and > makes the file have a folder icon. > > When you open any file regardless of extension, Explorer tries to find the > proper application to open the file with. This involves inspecting the first > section of the files content and comparing it to a list of known signatures. > You can read about "MIME Type Detection in Internet Explorer" at > > http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp > > We already know that opening HTML files from the My Computer zone is > equivelant to opening an EXE file, given the executional rights provided by > the zone. The only solution to this is to lock down the My Computer zone > which I have been trying to advocate for some time now and Microsoft has now > promised to do in Service Pack 2 for Windows XP. > > > Regards > > Thor Larholm > Senior Security Researcher > PivX Solutions > 24 Corporate Plaza #180 > Newport Beach, CA 92660 > http://www.pivx.com > thor@pivx.com > Phone: +1 (949) 231-8496 > PGP: 0x5A276569 > 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 > > PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of > Qwik-Fix <http://www.qwik-fix.net> > > -----Original Message----- > From: http-equiv@excite.com [mailto:1@MALWARE.COM] > Sent: Sunday, January 25, 2004 8:51 AM > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: Self-Executing FOLDERS: Windows XP Explorer Part V > > > Sunday, January 25, 2004 > > > The following file is a 'folder' comprising both scripting and an executable > [*.exe]. > > We inject scripting and an executable into the 'folder' which is designed to > point back to the executable in the 'folder' and execute it. Provided the > 'folder' is an html file, Windows XP Explorer will execute it. > > Because it is an 'folder' proper, Windows Explorer opens it. The scripting > inside is then parsed and fired. That scripting is pointing back to the same > executable file and because it is a self-executing 'folder', it executes ! > > Fully self-contained harmless *.exe. > > Windows XP only: > > > http://www.malware.com/my.pics.zip > > > Be aware of 'folders' out there. > > > > -- > http://www.malware.com > > ----- > Editor's Note: The 43rd Most Powerful Person in Networking says... > > Out of Office replies to list messages cause you to be unsubscribed > automatically. Either subscribe a Public Folder, or ensure your rules are > set to ensure list messages are filtered prior to your Out of Office reply. > Such automatic replies are a bane to posters, and cause us to have fewer > researchers post to NTBugtraq. > ----- > >
