[Esd-l] Triple extension exploit

John D. Hardin jhardin at impsec.org
Fri Jan 31 20:20:49 PST 2003

On Thu, 30 Jan 2003, Robert Trebula wrote:

> if I understand this right, the file named 
> "malware.JPG              .EXE                  .JPG" 
> will show up in outlook as "malware.JPG ..." and will be executed
> as .exe file (I guess windows will treat it as .exe not because of
> the middle .EXE extension but based on its content, am I right?)

My first reply to the announcement bounced.

The article says "carefully crafted", so I assume it means you have to
hit a buffer boundary or some such so that the .EXE appears last at
some point in processing.

> What about adding a rule like "s/\s+/ /g" to sanitizer to change
> the attachment name to "malware.JPG .EXE .JPG" ?

The current sanitizer does collapse spaces in the first phase of
long-filename sanitization, so I expect that if the filename is long
enough to tickle the bug, it'll be shortened by the sanitizer and no
longer be "carefully crafted".

Has anybody seen this in the wild, and if so, can I have a sample?

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.
                                            -- James Madison, 1799
   641 days until the Presidential Election

More information about the esd-l mailing list