Thinking Different III
The following Thinking different mini column takes the title literally.
Recently I wrote about a Google vulnerability, and while my main theme was the lack of ability to publish a security issue to Google, the comments were “but this is not exploitable”.
Well, lets put aside for a minute the obvious fact that I actually must convince the user rename the file to .EXE, and lets think about some advisories we already know about.
Hmmm… Does code execution on Internet Explorer when changing extension of .EXE to .JPG ring a bell?
Or maybe using Gmail as a storage facility (hey someone wrote a “deamon” that convert Gmail to NFS !).
I can also use another program that will convert the extension for me…
I can also create a .BAT file that will “extract” from itself the .EXE and execute it…
And of course the list goes on.
So why thinking Different? Because perhaps I cannot (yet) cause the user to execute the .EXE file just by sending an extensionless file, but I just enumerated 4 ways to exploit the situation if that ever happens.
So, I’m thinking that Gmail should either remove this unnecessary check, or add better checking, such as if the content of a file contain a PE execution header.
Actually, why stop with Microsoft Windows executables, when there are COFF (usually Linux ELF) and other execution headers out there? Just because I choose to use Linux doesn’t mean I care less about the security of my machine…