Thinking Different III

The following Thinking Different mini-column takes the title literally.
Recently I wrote about a Google vulnerability, and while my main theme was the lack of any way to report a security issue to Google, the comments were “but this is not exploitable”.

Well, let's put aside for a minute the obvious fact that I actually must convince the user to rename the file to .EXE, and let's think about some advisories we already know about.
Hmmm… Does code execution in Internet Explorer by renaming an .EXE to .JPG ring a bell?
Or maybe using Gmail as a storage facility (hey, someone wrote a “daemon” that converts Gmail to NFS!).
I can also use another program that will change the extension for me…
I can also create a .BAT file that will “extract” the .EXE from itself and execute it…
And of course the list goes on.

So why Thinking Different? Because perhaps I cannot (yet) get the user to execute the .EXE file just by sending an extensionless file, but I just enumerated four ways to exploit the situation if that ever becomes possible.

So I'm thinking that Gmail should either remove this unnecessary check, or check properly: look at the content of the file, for instance whether it begins with a PE executable header, instead of trusting the extension.

Actually, why stop at Microsoft Windows executables, when ELF (the format Linux actually uses) and other executable formats have equally recognizable headers? Just because I choose to use Linux doesn't mean I care less about the security of my machine…
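To make the content-based check concrete, here is an added example (my own illustration, not Gmail's filter or anything from the original post) of the difference between an extension-only block list and a check that inspects the attachment bytes. It recognizes Windows PE (the "MZ" stub plus the "PE\0\0" signature at the offset stored in e_lfanew), bare DOS MZ, ELF, Mach-O and "#!" scripts; Mach-O and shebang scripts go beyond the formats named above but are the same idea. The block list, the function names and the sample headers are all constructed for the example.

```python
import os
import struct

# Hypothetical extension block list, standing in for the check the post complains about.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".com", ".scr", ".pif"}

# Mach-O magic numbers (32/64-bit, both byte orders) as they appear in the first four bytes.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
}


def blocked_by_extension(filename: str) -> bool:
    """The weak check: only the file name decides. 'evil' or 'photo.jpg' sails through."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def detect_executable(data: bytes):
    """Return a format label if the bytes look like an executable, else None.

    Only magic bytes and the PE header offset are examined, so this is cheap to run
    on every attachment regardless of what the sender called the file.
    """
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            # e_lfanew lives at offset 0x3C of the DOS header and points at 'PE\0\0'.
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        # 'MZ' without a PE signature: a 16-bit DOS executable (or a false positive on a
        # text file that happens to start with "MZ"; a real filter would check more fields).
        return "mz"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:2] == b"#!":
        return "script"
    return None


def blocked(filename: str, data: bytes) -> bool:
    """The stronger policy: either the name or the content marks it as executable.

    Keeping the extension check matters for formats with no header to sniff (.BAT, .PIF).
    """
    return blocked_by_extension(filename) or detect_executable(data) is not None


def make_pe_sample() -> bytes:
    """Constructed minimal PE header: 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' at 0x40."""
    hdr = bytearray(0x48)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    samples = [
        ("tool.exe", b"plain text"),            # caught by extension only
        ("evil", make_pe_sample()),             # extensionless PE: caught by content only
        ("photo.jpg", make_pe_sample()),        # renamed PE: caught by content only
        ("hello", b"\x7fELF\x02\x01\x01" + bytes(9)),
        ("notes.txt", b"just some notes\n"),    # allowed
    ]
    for name, data in samples:
        print(f"{name:10} ext={blocked_by_extension(name)!s:5} "
              f"content={detect_executable(data)!s:6} blocked={blocked(name, data)}")
```

Note what this does and does not buy you: it stops a renamed or extensionless binary, but not an executable inside a ZIP (the archive has to be unpacked and each member checked), and not a .BAT or other script with no fixed header, which is why the extension list stays in place alongside the content check.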

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    “Actually, why stop with Microsoft Windows executables, when there are COFF (usually Linux ELF) and other execution headers out there? Just because I choose to use Linux doesn’t mean I care less about the security of my machine…”

    No, but it does mean you’re less likely to be an idiot and blindly open executable attachments.

  • http://www.whiteacid.org WhiteAcid

    It’s a decent point but wouldn’t the Gmail antivirus filter notice any virii?

    In my opinion they should remove the filter, making sure that they have a good virus scanner. Or at least give the user an option saying if they accept EXEs in their inbox (the filter works on incoming emails too).

    I feel that it restricts me too much, I do occasionally want to send EXEs and it has been a problem.

    Since Gmail is still in beta it tends to be power users who use it, people who know what they are doing.

    What would be your solution? Read the attachment to see if it is an executable and decide on allowing it that way? (For instance all win32 EXEs start with 0x4d,0x5a)

  • http://bwahahahahaaaaaaa /dev/null

    Interestingly enough, that “someone (who) wrote a “daemon” that converts Gmail to NFS” is Stefen Jones (sp?), owner and admin of SDF (sdf.lonestar.org).