

Tl;dr

For those who do not have the time to read: all the stuff in a short clip.

Proof-of-Concept

Windows Defender signatures up-to-date ()

What's ongoing here?

- A polyglot file renders in Thunderbird and executes script.
- A polyglot PDF/HTA file bypasses the Gmail file filter.
- Drag & Drop cuts the filename to 128 characters.
- Unicode characters expand when being saved to disk, adding a layer of obfuscation.

Below, you will find the details.

Thunderbird cuts the file name to 128 characters when using Drag & Drop under Windows. As this is a strict crop, the extension of the file can change when it is dropped to disk. This means an attacker can craft a file which seems to be a PDF in the e-mail but is an executable once it has been dropped from the e-mail.

When the file is dropped to the desktop or a folder, the name is cut off at 128 characters, leaving this:

Totally_not_malicious_file_with_more_then_128_characters_definetly_no_problem_here_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.exe

As the remaining name ends in .exe, the file is an executable, the Windows calculator in this case, and a double-click then executes the binary.

Demo time

Popping a calculator by double-click

Additionally, Thunderbird shows some interesting behaviour when it comes to Unicode characters in attachment names. In received e-mails the Unicode characters are shown sanitized, but when the attachment is saved to disk they expand.

The file saving feature, the Drag & Drop functionality and the "save" dialog for attachments normalize some special characters when a file is dropped. For example, multiple "" were combined into one.

There are some characters which bypass this layer of protection and therefore move some file endings out of sight for the user. For example, a U+00A0 (No-Break Space) is not truncated. The following file might move the real extension out of the user's sight:

Totally_not_malicious_file_with_more_then_128.pdf
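As an added example (not code from the original post and not Thunderbird's own logic), the Python below audits an attachment name for the two conditions described above: a strict 128-character crop that changes the extension, and an invisible character such as U+00A0 that hides the real extension behind a displayed one. Both sample names are constructed. The first reuses the prefix shown above and is padded so that its first 128 characters end in .exe while the full name ends in .pdf; that is an assumption about how the PoC name was built, since the post only shows the cropped result. The second puts a run of U+00A0 between .pdf and .exe, since the post does not show the characters that follow .pdf. Treating Unicode space separators (other than the plain space) and format characters as invisible is also an assumption, not something the post states.

```python
import unicodedata

CROP_LIMIT = 128  # drag & drop filename limit on Windows described in the post

# Prefix taken from the post. The padding and the trailing ".pdf" are constructed so
# that the first 128 characters end in ".exe" (assumed construction of the PoC name).
PREFIX = "Totally_not_malicious_file_with_more_then_128_characters_definetly_no_problem_here_"
CROP_POC = PREFIX + "a" * (CROP_LIMIT - len(PREFIX) - len(".exe")) + ".exe" + ".pdf"

# Constructed: the displayed ".pdf" is followed by a run of U+00A0 and the real extension.
NBSP_POC = "Totally_not_malicious_file_with_more_then_128.pdf" + "\u00a0" * 24 + ".exe"


def is_invisible(ch: str) -> bool:
    """True for characters that render as blank or not at all.

    Zs covers U+00A0 (the case from the post) and other space separators; Cf covers
    zero-width and bidi format characters (assumed worth flagging as well). The plain
    space U+0020 is excluded so that ordinary names like "my report.pdf" are not flagged.
    """
    return ch != " " and unicodedata.category(ch) in ("Zs", "Cf")


def real_extension(name: str) -> str:
    """Extension Windows dispatches on: everything after the last dot, lower-cased."""
    _, dot, ext = name.rpartition(".")
    return ("." + ext).lower() if dot else ""


def visible_extension(name: str) -> str:
    """Extension a user is likely to read.

    Scan left to right; at the first invisible character that follows a dotted
    extension, return that extension. Otherwise the visible and real extension agree.
    """
    for i, ch in enumerate(name):
        if is_invisible(ch):
            shown = real_extension(name[:i])
            if shown:
                return shown
    return real_extension(name)


def crop(name: str, limit: int = CROP_LIMIT) -> str:
    """Strict crop of the name, as described for Thunderbird's drag & drop on Windows."""
    return name[:limit]


def audit_attachment_name(name: str) -> list[str]:
    """One finding per way the real extension can differ from what the user expects."""
    findings = []
    shown, real = visible_extension(name), real_extension(name)
    if shown != real:
        hidden = sorted({f"U+{ord(c):04X}" for c in name if is_invisible(c)})
        findings.append(f"extension {real} hidden behind {shown} by {', '.join(hidden)}")
    cropped = crop(name)
    if cropped != name and real_extension(cropped) != real:
        findings.append(f"crop to {CROP_LIMIT} chars turns {real} into {real_extension(cropped)}")
    return findings


if __name__ == "__main__":
    for sample in (CROP_POC, NBSP_POC, "quarterly report.pdf"):
        print(repr(sample[:48]), audit_attachment_name(sample) or ["ok"])
```

Run it over the attachment names your mail gateway or Thunderbird profile sees; a name that yields a finding is one whose extension on disk will not be the one the recipient reads. The plain space is deliberately not treated as invisible; if your environment also preserves runs of ordinary spaces on save, add `" "` to the check.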
