
Re: [Full-disclosure] another filename bypass vulnerability - from cmd.exe



I think the OP was getting at this being an AV bypass vector for worms and
other malware that can interact with cmd.exe.
Theory being that AV will scan by extension (malware.exe vs malware.ext)
and thus evade detection but yet be executable.
In light, informal testing, this appears to be a realistic scenario that
provides yet another vector for AV bypass. On test systems,
"c:\>malware.exe.txt" runs the malware.exe, and does not open notepad.
(cmd.exe parses the file header, explorer.exe uses the .extension)
my2bits,
MW
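The defensive counterpart to the point above is to classify files the way the loader does, by header rather than by extension. The following is an added example, not code from the poster or the list; the function names, the extension set and the sample bytes are my own constructions.

```python
import struct
from pathlib import PurePath

# Extensions a naive extension-based scanner would treat as executable (assumed set).
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".sys"}


def is_pe_image(data: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew points at a PE signature.

    This is the check the Windows loader relies on; the file name plays no part.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes) -> str:
    """Flag content/extension mismatches.

    'pe-masquerade': PE image carrying a non-executable extension (e.g. malware.exe.txt)
    'pe'           : PE image with an executable extension
    'not-pe'       : anything else
    """
    ext = PurePath(name).suffix.lower()
    pe = is_pe_image(data)
    if pe and ext not in EXEC_EXTENSIONS:
        return "pe-masquerade"
    return "pe" if pe else "not-pe"


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal MZ header with e_lfanew = 0x40, followed by 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    sample = build_sample_pe()
    for fname, blob in [("malware.exe.txt", sample), ("tool.exe", sample), ("notes.txt", b"hello")]:
        print(f"{fname}: {classify(fname, blob)}")
```

Run over a directory, anything reported as pe-masquerade is a file that cmd.exe would run but an extension-keyed scan would skip.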
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/