[Esa-l] Double clicking on innocent looking files may be dangerous (fwd)

John D. Hardin jhardin at wolfenet.com
Thu Apr 19 16:24:06 PDT 2001 

Also http://www.sarc.com/avcenter/venc/data/vbs.postcard@mm.html

Sigh. It looks like 1.130 will be out sooner than I had expected.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  An entitlement beneficiary is a person or special interest group
  who didn't earn your money, but demands the right to take your
  money because they *want* it.
                                  -- John McKay, _The Welfare State:
                                     No Mercy for the Middle Class_
-----------------------------------------------------------------------
   1293 days until the Presidential Election

---------- Forwarded message ----------
Date: Mon, 16 Apr 2001 17:23:51 +0300
From: Georgi Guninski <guninski at GUNINSKI.COM>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Double clicking on innocent looking files may be dangerous

Georgi Guninski security advisory #42, 2001

Double clicking on innocent looking files may be dangerous

Systems affected:
Windows Explorer, Internet Explorer - Windows 98, 2000 - when browsing
directories or shares

Risk: High
Date: 16 April 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute
it unmodified.
You may not modify it and distribute it or distribute parts of it
without the author's
written permission.

Disclaimer:
The information in this advisory is believed to be true based on
experiments though it may be false.
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or
any derivatives thereof.


Description:

By double clicking from Window Explorer or Internet Explorer on
filenames with innocent
extensions the user may be tricked to execute arbitrary programs.


Details:
If the file extension is certain CLSID e.g.:
testhta.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
then Windows explorer and IE do not show the CLSID and only the .txt
extension,
while the above file is in fact .hta file.
Some exploit scenarios include leaving such malicous files on shared
resources or
sending them in archive by email.

Workaround: Do not doubleclick from Windows Explorer or Internet
Explorer

Demonstration:
http://www.guninski.com/testhta1.zip

Vendor status:
Microsoft was informed on 11 April 2001

Regards,
Georgi Guninski
http://www.guninski.com

More information about the esd-l mailing list