Paul, I only run Windows on one machine, my workstation in the office, so my results aren't indicative of every system; indeed this may be a quirk of our AD, in which case I'll be talking to one of my colleagues with my friend Mr. Crowbar, but both extensions you list were executable.
Admittedly I haven't checked all of the others yet, mileage may vary. Either way there is no accounting for taste; some cases will make this less an attack in and of itself and more will show this as a further social engineering payload, albeit one which requires tricking someone to download several layers of code and still executing it.

On 4 Sep 2011, at 23:54, [email protected] wrote:

>> Application: wscript.exe
>> Extensions: js, jse, vbe, vbs, wsf, wsh
>> Library: wshesn.dll
>
> Many people commented that the above extensions are "executable"
> already, so are (should be) treated with caution, or that they
> can be trojaned directly without any DLL load shenanigans.
>
> However... looking at
> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> I do not see JS listed as executable, though JSE is listed.
>
> Looking at
> http://msdn.microsoft.com/en-us/library/ms722429.aspx
> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> machine, none of the above extensions are "designated".
>
> Maybe DLL hijacking is useful for some of these file types, after all?
>
> Cheers, Paul
>
> Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
