Do You Trust Known File Extensions?

Discussion in 'other security issues & news' started by Rmus, Dec 4, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The Bearshare thread brought up some scenarios about file extensions.

    An interesting test by Andrey Bayora of securityelf.org and Wayne Langlois of DiamondCS shows how a file extension
    isn't always what it appears to be.

    They crafted a test file to execute as either .exe, .html, or .eml. From the securityelf site:
    ___________________________________________________________
    Here is the Triple Headed program which has 3 different 'execution entry points', depending on the extension
    of the file (exe, html or eml) – just change the extension and the SAME file will be executed by
    (at least) THREE DIFFERENT programs!

    The original description of this program by Wayne Langlois:

    It's essentially a three-way hybrid: some HTML inside an EML which is inside an EXE. I used a HTML email
    rather than plaintext so that I could hide the HTML.

    Run it as a .EXE file and you get a msgbox "Hello from the EXE component!"

    Run it as a .EML file and you get a normal looking email with the message text "This is the text
    that will be seen when viewed as a .EML"

    Run it as a .HTM file and you'll get a vbscript msgbox coming from
    the HTML that says "Hello from the HTML component!". Youll also see a lot of other garbage from the file
    being displayed on-screen but it's not really an issue because by that time the VBScript has already executed.
    So essentially we have 1 file which has 3 different 'execution entrypoints', depending on the extension of the file.
    _________________________________________

    Suppose this file came zipped/attached to an email from someone you knew, saying it was a forwarded email message.

    The file inside has a non-executable email file extension.

    However, Wormguard (script blocker) recognized that it contained a script:

    http://www.rsjones.net/img/magicbyte_4.gif
    ________________________________

    Anti-Executable (White List program) flagged it:

    http://www.rsjones.net/img/magicbyte_0.gif
    ________________________________

    What would you do next?

    1) Open it anyway - it's probably a false positive

    2) Delete it

    3) Email/Phone the sender about it

    4) Run it through a file scanner

    5) Other _________________



    I permitted the file to extract and ran it with each of the 3 file extensions per their test.

    The content of the files is harmless, but could have executed malicious code:


    http://www.rsjones.net/img/magicbyte_1.gif
    ________________________________________

    http://www.rsjones.net/img/magicbyte_2.gif
    ________________________________________

    http://www.rsjones.net/img/magicbyte_3.gif_______________________________________


    Here is the test file if you would like to try it. It's perfectly safe:

    http://www.securityelf.org/files/exe_html_eml.zip

    Full article at

    http://www.securityelf.org/magicbyte.html

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hi,
    As a rule, regardless of a sender, I never open files from anyone if they have the extensions: exe, scr, html, chm, etc. I even dislike doc and xls. And if people want to send me documents, music, pictures or whatever, I want them to notify me about it, otherwise, I'll just delete them.
    Mrk
     
  3. RipVanTinkle

    RipVanTinkle Registered Member

    Joined:
    Oct 20, 2005
    Posts:
    102
    same as Mrkvonic
    If I don't know the sender it gets deleted
    If I'm unsure I'll contact the known sender to double check
    NEVER open an email attachment ;)
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Same as Mrkvonic and RipVanTinkle.
    I don't even open my spam-emails, not even when they have seducing subject line.
    Why would I pay any attention at the bad guys ? They don't deserve it.

    I don't even like the attention the bad guys get in the media. Don't make these guys famous. Ignore them and act like they don't even exist.

    I don't even like softwares that collect malware definitions or websites of the bad guys. It looks like these softwares love the bad guys and collect their stuff as treasures. I would never run after a horse to collect its droppings.
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Thanks for that Rmus, it's very interesting. You've highlighted a hole in my setup.

    I tried it because I wanted to see what would happen with my Software Restriction Policy and also with Process Guard.

    When the file was a .exe both SRP and PG blocked it. When the file was either .html or .eml it was able to run whether SRP or PG was active.

    To get around it, I had to set Outlook Express and Internet Explorer as my default e-mail client and browser and block them from running (IE was already blocked but not set as my default browser).

    Fortunately for me I use different programmes for e-mail and browsing. If I didn't, I think I'd be a bit stuck.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi SpikeyB,

    This was my principal interest in this test. Both Wormguard and Anti-Executable alert to all three of those file extensions. Wormguard analyzes the source code to check for hostile scripts. Anti-Executable does a similar analysis, doing a check of the file for executable code. This, regardless of the file extension.

    It would be interesting if users with On-line Armor and other such programs would run this test and report back their findings.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. Is that really surprising or a big security hole?

    I mean if you associate a file extension with a program and you allow that program to always start, obviously you won't get an alert.

    In most cases, you don't care anyway, because the file extension is of a type that doesn't do anything except display data, txt for example.

    In the case of html, the default browser will open it, there is some 'danger' because of scripts in html, but then again you spend your time surfing the net running scripts too and most probably you have already a setting in place which you think gives you your preferred trade off of functionality versus security in place anyway.People with IE defaults might want to tighten up their mycomputer zone though.

    I suppose the danger comes from window scripts like WS, WSF, JS, VBS, VB, VBE, which do something and don't seem to have any settings, but even for those
    when i click on them I get an alert that wscript.exe wants to start? So there is a warning. Unless you set that to always start of course.

    I mean if you *always* want to know when a file launches an app, you jcould ust use something like scriptdefender, then add in all the extensions in use.

    For example

    I noticed that clicking on eml starts Outlook. Eml files seems to be harmless, but if you don't like eml files starting outlook without permission, just add eml to the extension list monitored by scriptdefender. The next time you run eml files, scriptdefender will prompt.

    Whether this adds security i don't know. I supposed i could go through the whole list of programs with associations and add them to scriptdefender, but what's the point?

    Or am I missing something?
     
  8. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    It was to me. I thought that if I changed a .exe extension to .html or .eml then I would get a message along the lines of cannot run invalid/unspecified file type.

    Hey, I'm trying to reduce the number of security apps not increase it. Don't worry, I'm going to live with the hole.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You would if all of your executables are White Listed. Then, if you received an .eml, or any filetype that can execute code, it would be blocked if it contained such code, as the test example shows.

    http://www.rsjones.net/img/eml.gif


    If it didn't contain executable code, the .eml would open in Outlook Express with no alert.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  10. Please help me understand, Remus. You understand so much.

    If the file came in .eml, running it would be harmless yes?

    And if you renamed it to .exe and ran it, it could do evil but PG would alert as usual?

    If you renamed it to html, PG wouldn't alert if you whitelisted your browser? But in that case, even it couldn't do anything if you had tight browser settings to handle scripts and at worse it would be just like running a webpage.

    Could you explain to me where the danger lies?
    Please tell me where I'm wrong, or where i'm myopic.
    Am I typing rubbish?

    I thought the file trick here was used against scanners which use file content/headers to determine file extensions, but when we click on something it use file associations which don't care about the file content but merely try to run it based on the actual extension.


    Oh no, that is surprising, a clever trick, but ultimately not dangerous? what's I'm referrering to is the following

    That is not supriring, it simply means you whitelisted whatever is associated with html and eml.

    And that is not harmful in most cases.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You would assume so, yes. Outlook runs the file as soon as you d-click on it. But the test file showed that it is possible to insert executable code inside the .eml message. When Outlook opens the file, the code either executes, or is blocked from doing so by another means. The test message displays text, but it could have been a command to execute something.

    You refer to SpikeyB's comment:

    and you write

    SpikeyB's results show that not all White Lists are created equal, that his Windows Software Restriction Policy and Process Guard protection look at file extensions and not the code of the file. Otherwise, they would block the file from running no matter what the file extension.

    Anti-Executable, on the other hand, blocks the file from running no matter what the file extension is, because it sees executable code in the file. When AE installs, it creates a White List of all executables on the system; it looks at every file, no matter the extension, looking for executable code.

    WormGuard also analyzes files, looking for scripts. When I tested that file, WG blocked even when the file extension was .exe because the file contained a script.

    The test file contains both executable code, and script. Both AE and WG effectively alert with all three file extensions.

    It would be interesting to see results of this test from those using HIPS products such as Online Armor, Anti-hook, etc.


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  12. When it opens eml, in outlook express, it just displays text. Isn't this exactly what is expected? Even without that trick file?

    Am i wrong?

    This is what confuses me. Yes, they look at file extensions, which is exactly why they are not affected. If you read the page, it is an exploit meant to be used against scanners that try to determine file content by looking at file headers.

    If your tool doesn't care about it, and goes strictly by file extension, there should be no effect. Running a file ending with txt with notepad for example isn't going to hurt you if it is actually an exe file.

    Or am I wrong?
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Except that it's not executing the actual executable code, it's executing the VBS script.. take a look at the titlebar in the screenshot of be dialog saying "Hello from the HTML component!" (also note that it doesn't say "Hello from the exe component") this isn't any different than any other dangrous HTML containing an embedded script. Script blockers like RegRun's RunGuard run at the DLL level to catch just these kinds of scripts.

    In order for this file to launch executable code, you need to rename the file to an .exe. The attacker would need to convince the user to change the extension of the file. This leaves us in the same place as files with double extensions, except that the file can bypass any gateway or html/pop3 file scanner, just as double extensions once did with AVs (according to this article). Once it tried to run as an executable, however, your AV should pick it up just the same. There's nothing about this program that will make your browser run binary executable code embedded inside the document, or bypass execution blockers, or do anything else your browser is not designed to do without using another exploit.. in fact the rest of the garbage you see in the browser is what the browser does with that executable code.

    Since those apps don't handle scripts, they wouldn't catch the script. They would, however, catch the executable if you ran it as such.

    As far as I can see, that's the only thing that's new here, and doesn't change anything else. That has some potentially serious consequences, but I don't think it's what's being reffered to here.


    That's only one example of what's being shown here, though. If you want to plug the hole (of being able to run embedded scripts), you would either need to set restrictions on the scripting hosts or get something like RegRun or WormGuard. Since you've already got software restrictions in place, it would be best to just restrict the scripting hosts, this would also prevent anything potentially bypassing any script blocker or restrictions on script files, and may block future exploits that may be found to make your system execute scripts any other way (such as another IE exploit that executes arbitrary code).
     
    Last edited: Dec 7, 2005
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK - you win.

    I realize that the files other than the .exe wouldn't run that type of code, but my point was that anti-execution products should detect executable code in any file no matter what the extension.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

  15. Hey Remus when you said "You win" Who are you talking about? Notok or Me?
    Or do we both win?

    Notok, do you disagree or agree with me?

    Er why? There is no danger at all.
     
  16. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    hmmm... good ol WormGuard, stopped the exehtmleml.exe.html.exe and exehtmleml.exe but Online Armor stopped the exehtmleml_1.exe one first.

    TAS
     

    Attached Files:

    • 034.GIF
      034.GIF
      File size:
      15.1 KB
      Views:
      172
    Last edited: Dec 8, 2005
Loading...
Thread Status:
Not open for further replies.