Hi Mario - > Actually you *can* launch an executable that way, if you add a couple > more clicks afterwards, or you right click on the file and choose a > non default menu option. It's no more ridiculous than any other social > engineering that requires people to hit a hotkey they probably never > heard of and browse all the way to your malicious file...
This example merely provided one of possible alternatives to double-clicking a file, which I understood was one of Dan's major objections. Yes the example was over the top but also yes, it would work against some users who otherwise wouldn't double-click on a file. Attackers care about that. Sure these attacks require some social engineering, but the research is not over. I'd like to refer you to http://blog.acrossecurity.com/2011/06/com-server-based-binary-planting-proof.html?m=1 for an example of how further research can reduce social engineering to mere visiting of malicious web page and two clicks on links on that page. > IMHO what you're reporting is a great way to improve social > engineering attacks. But you should flag it as such rather than > calling it a 0day just for the sake of the fancy word. This is not a > demerit of your work in any way, it's just a matter of using the > proper vocabulary. I fail to find the word "0day" in the blog post or my emails. Am I missing something? Cheers, Mitja > > On Sat, Jul 9, 2011 at 1:11 AM, Mitja Kolsek > <[email protected]> wrote: >> Ok, Dan, just for you: >> >> Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), >> go to File->Open (or press Ctrl+O), browse to Test.html and open it. No >> double-clicking and you couldn't launch an executable this way. Better? >> >> Cheers, >> Mitja >> >> On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <[email protected]> wrote: >> >>> And here's where your exploit stops being one: >>> >>> === >>> Suppose the current version of Apple Safari (5.0.5) is our default web >>> browser. If we put the above files in the same directory (on a local >>> drive or a remote share) and double-click Test.html, what happens is >>> the following: >>> === >>> >>> At this point, Test.html might actually be test.exe with the HTML icon >>> embedded. Everything else then is unnecessary obfuscation -- code >>> execution was already possible the start by design. >>> >>> This is a neat vector though, and it's likely that with a bit more >>> work it could be turned into an actual RCE. >>> >>> On Fri, Jul 8, 2011 at 10:38 AM, ACROS Security Lists <[email protected]> >>> wrote: >>>> >>>> We published a blog post on a nice twist to binary planting which we call >>>> "File >>>> Planting." There'll be much more of this from us in the future, but here's >>>> the first >>>> sample for you to (hopefully) enjoy. >>>> >>>> http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html >>>> >>>> or >>>> >>>> http://bit.ly/nXmRFD >>>> >>>> >>>> Best regards, >>>> >>>> Mitja Kolsek >>>> CEO&CTO >>>> >>>> ACROS, d.o.o. >>>> Makedonska ulica 113 >>>> SI - 2000 Maribor, Slovenia >>>> tel: +386 2 3000 280 >>>> fax: +386 2 3000 282 >>>> web: http://www.acrossecurity.com >>>> blg: http://blog.acrossecurity.com >>>> >>>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > > -- > “There's a reason we separate military and the police: one fights the > enemy of the state, the other serves and protects the people. When the > military becomes both, then the enemies of the state tend to become > the people.” > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
