Directly running a .zip, kinda

[iago]

This is a tricky way to hide an executable file:

Was doing some testing [xfocus-AD-051115]

Ie Multiple antivirus failed to scan
malicous filename bypass vulnerability

The system is windows 2000 sp4 srp5 with
all other patches upto date.

At the command prompt cmd.exe execute
the following with the results.

I copy and paste from cmd.exe
-------------------------------------------------------------------

E:\TEMP>cd test

E:\TEMP\test>copy %windir%\system32\calc.exe
        1 file(s) copied.

E:\TEMP\test>ren calc.exe calc.exe.zip

E:\TEMP\test>dir /b
calc.exe.zip

E:\TEMP\test>calc.exe.zip

E:\TEMP\test>
-------------------------------------------------------------------
This bring up the calc.exe on the screen.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

It actually doesn't matter what the extension is.  .exe.txt.zip.exe.pdf will still run.

[Sidoh]

Isn't this kind of like the "exploit" we found on Apache with it parsing stuff.php.rar as a PHP file?

[iago]

Yes, in the thread on full-disclosure this issue was referenced.

[Sidoh]

Yes, in the thread on full-disclosure this issue was referenced.

Hehe.

[ink]

Isn't that somewhat of a non-issue if you have settings set to show file extensions?

Another neat thing is using SFX scripting in winrar to make self-extracting archieves

[Sidoh]

Isn't that somewhat of a non-issue if you have settings set to show file extensions?

Another neat thing is using SFX scripting in winrar to make self-extracting archieves

You're good at digging up old topics!

Haha, yeah.  This doesn't really matter as you're pretty much telling Windows to execute it as an application when you type a filename in a command prompt.

[iago]

Isn't that somewhat of a non-issue if you have settings set to show file extensions?

Yes, but Windows' traditional "beauty before safety/functionality" view ensured that that's off by default.  Big mistake, in my opinion. 

[ink]

Don't worry, the Windows Vista 'revolution' will fix all that! Ahha 

Another way to trick people is using either Winzip or Winrar, you can rename a file to something like:
"MaliciousFile.doc                                                             .exe"

That way when you add it to the archieve it looks like:

MaliciousFile.doc                           ..
and using Reshack you can easily change the .exe icon to a .doc icon

[Sidoh]

Don't worry, the Windows Vista 'revolution' will fix all that! Ahha 

ROFL.

[Warrior]

Don't worry, the Windows Vista 'revolution' will fix all that! Ahha 

You're damn right, but you'd be too busy misinterpreting text to figure out how to install it
at the least.

[ink]

lol yes I'm sure installing a Windows product will be very difficult, I'm not sure if I can handle a revolutionary install wizard!

[Warrior]

You might think it's disabled by default.

[ink]

Hawhaw! If I were to base my judgement off previous Microsoft products, I'd say yes, file extentions will be disabled by default.

[Warrior]

Most likely, I turn them on personally. Mostly because to make "PHP" files I make textfiles then rename the extension. Otherwise I'd leave them off.

[ink]

I turn them on because looks can be decieving.