Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsoft Help Files (.CHM): 'Locked File' Feature Bypass
From: Paul Craig <paul.craig () security-assessment com>
Date: Thu, 24 Jun 2010 08:03:07 +1200

Hey Thor, everything is well mate.

Firstly I think you may have missed the context of this bug, which was not apparent from my first post.
I spend a lot of time working on the security of internet Kiosks, Citrix terminals and other thin-clients.
In these situations, users are often blocked from downloading file types from remote sites, however CHM files are 
typically not blocked.
I had been playing with using a malicious help file for a while, but found the "blocked" feature essentially stopped me 
from launching anything.

When this trick is combined into the mix, shells appear on many kiosk platforms.
Yes you have to Agree to the dialog box, but when you're the one on the Kiosk/Citrix this is hardly a problem.
This is not a typical attack vector, and likely one you didn't think of, but I didn't want to get into that in my first 
post and simply detail an interesting 'trick' I found.

As for Microsoft's response.
It was exactly as I expected, as simple as that, this is a low severity issue that does not warrant an immediate "stop 
the press" fix.
Why does everyone want to read sarcasm and back-handedness in every post ?

I also appreciate that you appear to know geography and mention Australia several times in your post, great one, but I 
am from New Zealand.
You might want to look it up on Gmaps some time, it's a separate country
How's the weather in Mexico anyway?

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]