It happens that Bast formulated :
>
> FromTheRafters wrote:
>> Bast wrote on 10/14/2012 :
>>>
>>> FromTheRafters wrote:
>>>> Bast brought next idea :
>>>>>
>>>>> FromTheRafters wrote:
>>>>>> Bast expressed precisely :
>>>>>>>
>>>>>>> FromTheRafters wrote:
>>>>>>>> Bast submitted this idea :
>>>>>>>>>
>>>>>>>>> Virus Guy wrote:
>>>>>>>>>> "David H. Lipman" wrote:
>>>>>>>>>>
>>>>>>>>>>>>> It it even possible that when launched from a media-player
>>>>>>>>>>>>> (such as VLC) that there exists a class of avi, mp3, flac
>>>>>>>>>>>>> (etc) malware that can leverage a player vulnerability and
>>>>>>>>>>>>> cause it to run arbitrary code?
>>>>>>>>>>>>
>>>>>>>>>>>> Yes.
>>>>>>>>>>>>
>>>>>>>>>>>> Some specific players could be tricked into visiting a
>>>>>>>>>>>> maliciously formed website embedded in the id3tags.
>>>>>>>>>>
>>>>>>>>>>>> The Wimad trojan
>>>>>>>>>>
>>>>>>>>>> So basically these boil down to browser exploits. A URL
>>>>>>>>>> launched from Windoze Media Player is still a browser exploit.
>>>>>>>>>>
>>>>>>>>>> And they're not even exploits - they depend on user action in
>>>>>>>>>> the browser to allow what-ever operation they're trying to
>>>>>>>>>> accomplish (ie - social engineering).
>>>>>>>>>>
>>>>>>>>>> What I'm asking about is a media file that upon playing can
>>>>>>>>>> cause any media player to run arbitrary code WITHOUT NEEDING
>>>>>>>>>> THE USER'S HELP, and thereby cause the user's system to
>>>>>>>>>> download secondary payloads,
>>>>>>>>>> change registry settings, etc. All without enlisting the
>>>>>>>>>> system's web-browser. Has there ever been a media file (mp3,
>>>>>>>>>> avi, flac, etc) that could
>>>>>>>>>> accomplish that?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Nope, not if a user has file types set.
>>>>>>>>>
>>>>>>>>> An exploit in widows can allow renaming a file extension from say
>>>>>>>>> .exe to .mov
>>>>>>>>> Or naming it with no extension at all.
>>>>>>>>> And windows was stupid enough to recognize it as an .exe despite
>>>>>>>>> the extension, and run it as such.
>>>>>>>>
>>>>>>>> Er, what is stupid is relying on the extension to mean anything.
>>>>>>>> Now, it is usually the actual format of the file that tells the OS
>>>>>>>> what it really is and how it should be handled.
>>>>>>>>>
>>>>>>>>> But that is almost impossible now, unless users manually allow
>>>>>>>>> that.
>>>>>>>>
>>>>>>>> Don't trust names to have any meaning, that goes for extensions
>>>>>>>> too.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The whole point is if you set your system to specific applications
>>>>>>> for certain extensions,.....you can't run into too many problems if
>>>>>>> say a file with .mov or .avi, that is really a malware type
>>>>>>> .exe,.... automatically is opened by a video player, all it will
>>>>>>> do is choke and throw an error without doing any damage.
>>>>>>>
>>>>>>> Let windows decide on it's own how to run it and you are begging
>>>>>>> for problems
>>>>>>
>>>>>> Right, but when you download a file you are not actually
>>>>>> downloading a file,
>>>>>
>>>>>
>>>>> Whaaaaa ??????
>>>>> You download a file, PERIOD.
>>>>
>>>> Okay.
>>>>>
>>>>> you are downloading content from a remote file into a new local
>>>>>> file that may or may not even have the same naming convention. If
>>>>>> decisions were made as to what icon to present in the GUI or what
>>>>>> application to associate the file with are made with respect to the
>>>>>> content rather than the filename there would be less chance for
>>>>>> confusion. A exefile named benign.jpg would still be associated with
>>>>>> the loader chain and have an icon showing it as an executable.
>>>>>>
>>>>>> Custom icons could still be used, but as with the little arrow that
>>>>>> Windows uses for shortcut icons - there could be a little star or
>>>>>> border or something to show it as an executable. That way, if an exe
>>>>>> had an icon like notepad and an extension of .txt it would *still*
>>>>>> show the user that it is an executable and it would still be
>>>>>> loadable because the OS uses the content rather than the name to
>>>>>> make its decisions about loading an executable image.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> FILE ICONS are created and placed by your own system, they are not
>>>>> downloaded with files.
>>>>
>>>> Some are, some aren't.
>>>
>>>
>>>
>>> I am pointing out that if you simply download a file of data, you
>>> don't get a file icon with it.
>>> Unless you download a .zip and it's in there.
>>
>> Yes, and I was pointing out that what actually happens is that your OS
>> has its filesystem create a new "file" as a destination for the content
>> of the remote (source) "file's" content. There is no actual "file"
>> being transferred even though you may be using FTP which by its name
>> should be a Protocol for Tranferring Files. The source file may even
>> have a name that is incompatible with your local OS/filesystem's
>> destination file.
>>>
>>> However you can download ICON FILES as prepared graphics (.ico) , but
>>> then you have to manually assign them to a file type
>>
>> Yes, and some DLLs are icon libraries as opposed to executable code
>> libraries. Still, if you try to download an icon file, what you get is
>> a local file being created on the filesystem for the content of the
>> remote icon file to be stored locally in. You don't get "that file" -
>> in fact you may get one of a different name (8.3 vs. LFN) depending on
>> your system.
>>>
>>> But in the context of this thread you have virtually no chance of
>>> downloading an .Mp3 or .avi and having an icon come in with it.
>>
>> Of course not, but an executable file can have its own custom icon that
>> travels with the content when it is downloaded.
>>
>> [...]
>
>
>
> But who would be stupid enough to think an .exe would contain media content ?
I've seen executable files with RLO characters in their filename so
that the shell GUI displays something like simplexe.txt for what
*really* is an executable named simpl[RLO}txt.exe.
one might even be able to see that here since NNTP supports Unicode
now.
simplexe.txt
simpl*txt.exe
If this executable had a notepad icon in its resource section then it
wouldn't take an idiot to be fooled.
Reply With Quote