Re[2]: [Full-disclosure] another filename bypass vulnerability - fromcmd.exe
- To: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
- Subject: Re[2]: [Full-disclosure] another filename bypass vulnerability - fromcmd.exe
- From: Thierry Zoller <Thierry@xxxxxxxxx>
- Date: Thu, 17 Nov 2005 21:44:19 +0100
Dear Morning Wood,
As shown by the recent MZ header bypass, (most) AV "analyse" the header
to determine the file type. I think extension-based recognition is to be
considered outdated.
MW> I think the OP was getting at this being an AV bypass vector for worms and
MW> other malware that can interact with cmd.exe.
Hmm ok, but how can it interact when it doesn't execute using explorer.exe? Is
the user going under DOS to execute it? How does that fit in the
scenario?
--
http://secdev.zoller.lu
Thierry Zoller
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
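To make the header-versus-extension point above concrete, here is a small added example (my own code, not from this thread or from any AV vendor; how a given product actually identifies file types is not stated on this page). It builds a constructed byte blob with a valid DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature, then classifies it twice: once by file extension alone, once by inspecting the header. The file name and the "executable" extension set are my assumptions for illustration.

```python
import struct

# Extensions an extension-only check would treat as executable (assumed list).
EXEC_EXTENSIONS = {"exe", "com", "scr", "dll"}


def build_minimal_pe_header() -> bytes:
    """Constructed sample: DOS 'MZ' stub + e_lfanew at 0x3C pointing to 'PE\\0\\0'.

    This is only enough header to be recognised, not a loadable binary.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (0x3C - 2))   # pad up to the e_lfanew field
    dos += struct.pack("<I", e_lfanew)                # e_lfanew at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))            # pad up to the PE signature
    # PE signature + minimal COFF header (Machine=i386, NumberOfSections=0, rest zero)
    pe = b"PE\x00\x00" + struct.pack("<HH", 0x014C, 0) + b"\x00" * 16
    return bytes(dos + pe)


def type_by_extension(name: str) -> str:
    """The outdated approach: trust whatever comes after the last dot."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "executable" if ext in EXEC_EXTENSIONS else "other"


def type_by_header(data: bytes) -> str:
    """Header-based approach: look for the MZ stub and a reachable PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "other"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Edge case: MZ stub whose e_lfanew points past the end of the data
    if e_lfanew + 4 > len(data):
        return "dos-executable"
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "pe-executable"
    return "dos-executable"


def classify(name: str, data: bytes) -> dict:
    """Return both verdicts so the disagreement is visible side by side."""
    return {"extension": type_by_extension(name), "header": type_by_header(data)}


if __name__ == "__main__":
    pe_bytes = build_minimal_pe_header()
    # A PE image renamed to .txt: extension says harmless, header says PE.
    print(classify("payload.txt", pe_bytes))
    # Plain text renamed to .exe: extension says executable, header says not.
    print(classify("readme.exe", b"hello world"))
```

The disagreement in the first case is exactly why a renamed file is not a bypass against a scanner that reads the header: the extension check is the only one fooled.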