The case of the missing file extensions
The case of the missing file extensions 44 café edition
Who?
Pete Beck
♦ Principal Consultant, NCC Group
♦ Breaking code since 1998
GCHQ/CESG
Microsoft
BlackBerry
4/30/2014 © NCC Group 2
tl;dr
♦ Some Windows file extensions are always hidden regardless of settings
♦ That readme.txt might not be all it seems
♦ Bad ThingsTM might happen
Why?
♦ Accidental (re)discovery
Chatting about retro games in the office
Specifically text adventures
♦ Phill was a big fan of Infocom
Zork, Hitchhikers Guide, …
♦ I was a big fan of Magnetic Scrolls
The Pawn, Guild of Thieves, Jinxter, …
Magnetic Scrolls
♦ Adventure games from late 80s
♦ Available on many 8-bit and 16-bit home computers including:
Amstrad CPC
Commodore 64
Atari ST
Amiga
PC
Emulation
♦ Playable today with Magnetic emulator
♦ Games come as 4 files
Game data
Graphics
Title Picture
Title Music
Something missing
♦ Here’s how the directory looks in Explorer
♦ The second file is missing an extension
But it is something to do with Microsoft Access
Curiouser and curiouser!
♦ A command prompt shows it’s a mag file
Questions
♦ Why are files with this extension hidden?
♦ What else is hidden?
♦ How could someone abuse this?
Disclaimer
♦ All results from my machine
Windows 7 64-bit
Office 2010
♦ Yours might (probably will) vary
Registry mining
♦ What does the registry tell us about .mag files?
C:\>reg query HKCR\.mag
HKEY_CLASSES_ROOT\.mag
(Default) REG_SZ Access.Shortcut.Diagram.1
HKEY_CLASSES_ROOT\.mag\Access.Shortcut.Diagram.1
More digging
♦ What about Access.Shortcut.Diagram.1?
C:\>reg query HKCR\Access.Shortcut.Diagram.1
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1
(Default) REG_SZ Microsoft Access Diagram Shortcut
IsShortCut REG_SZ
NeverShowExt REG_SZ
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1\DefaultIcon
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1\shell
Prime suspect
♦ The NeverShowExt value looks suspiciously like the one
♦ Delete it, restart Explorer and look at the directory again
♦ The extensions are all visible now!
Enumeration
We can now enumerate all hidden extensions
♦ For each file extension under HKCR
get the underlying object class
open its key
check for a NeverShowExt value
Results
.appref-ms
.desklink
.glk
.library-ms
.lnk
.mad
.maf
.mag
.mam
.mapimail
.maq
.mar
.mas
.mat
.mau
.mav
.maw
.mydocs
.pif
.scf
.search-ms
.searchConnector-ms
.URL
.website
.zfsendtotarget
So what?
♦ A list is good, but…
♦ Need to know how these files are handled
♦ Back to the registry
Digging deeper
♦ Look at subkeys too
C:\>reg query HKCR\Access.Shortcut.Diagram.1 /s
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1
(Default) REG_SZ Microsoft Access Diagram Shortcut
IsShortCut REG_SZ
NeverShowExt REG_SZ
…
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1\shell\Open\command
(Default) REG_SZ "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDiagram "%1"]
…
Handlers
We can now get the handlers too
♦ For each extension under HKCR
get the underlying object class
open its key
check for a NeverShowExt value
Read the shell\Open\command subkey
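The enumeration just described, written out as a PowerShell script. This is an added example, not code from the slides or from NCC Group; it assumes it runs on a Windows box where HKEY_CLASSES_ROOT is readable and maps the HKCR: drive itself, since PowerShell does not provide one by default.

```powershell
# Added example: list every extension under HKCR whose ProgID carries a
# NeverShowExt value, together with the shell\Open\command handler (if any).
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-HiddenExtension {
    # Step 1: every ".ext" key directly under HKCR
    Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $ext = $_.PSChildName
            # Step 2: the (Default) value of the extension key names the object class (ProgID)
            $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $progId) { return }
            $classKey = "HKCR:\$progId"
            if (-not (Test-Path $classKey)) { return }
            # Step 3: NeverShowExt is an empty REG_SZ; its presence, not its data, is what matters
            $classItem = Get-Item -Path $classKey -ErrorAction SilentlyContinue
            if (-not $classItem -or $classItem.GetValueNames() -notcontains 'NeverShowExt') { return }
            # Step 4: the handler that runs when the file is double-clicked
            $cmdKey  = Join-Path $classKey 'shell\Open\command'
            $handler = $null
            if (Test-Path $cmdKey) {
                $handler = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            }
            [pscustomobject]@{ Extension = $ext; ProgId = $progId; Handler = $handler }
        }
}

Get-HiddenExtension | Sort-Object Extension | Format-Table -AutoSize -Wrap
```

Results differ between machines and installed software, exactly as the Disclaimer slide warns; the Access entries, for instance, only appear with Office present.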
Enumeration II
.appref-ms rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2
.desklink
.glk C:\PROGRA~1\MIF5BA~1\Office14\GROOVE.EXE /grv: "%1"
.library-ms
.lnk
.mad "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenModule "%1"]
.maf "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%1"]
.mag "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDiagram "%1"]
.mam "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [ShellOpenMacro "%1"]
.mapimail
.maq C:\PROGRA~1\MIF5BA~1\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenQuery "%1"]
.mar "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%1", 2]
.mas "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenStoredProcedure "%1"]
.mat C:\PROGRA~1\MIF5BA~1\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenTable "%1"]
.mau "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /SHELLSYSTEM [OpenFunction "%1"]
.mav "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenView "%1"]
.maw "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDataAccessPage "%1"]
.mydocs
.pif "%1" %*
.scf C:\Windows\explorer.exe
.search-ms
.searchConnector-ms
.URL "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l
.website "C:\Program Files\Internet Explorer\iexplore.exe" -w "%l" %*
.zfsendtotarget
Abuse
Tricks to get users to run malware
♦ Double extensions
picture.jpg.exe
♦ Double extensions with spaces
picture.jpg .exe
♦ Changing the icon helps with the deception
More abuse
One more trick
♦ Hidden extensions
readme.txt.lnk
♦ Can also change the icon here
Classes
The extensions fall into a few distinct groups
♦ Microsoft Access
♦ Shortcuts
♦ Internet shortcuts
♦ SendTo items
♦ Searches
♦ Others
Microsoft Access files
♦ No obvious reason for hiding them
♦ Lots!
mad maf mag mam maq mar mas mat mau mav maw
♦ No obvious attack vectors
Macros potentially interesting
Caveat: I am not an Access expert
Shortcuts
♦ Extensions hidden to improve UI appearance
♦ Two extensions are shortcuts to executables
lnk is a standard shortcut
pif is a shortcut to a DOS program
♦ Icon is also controllable
♦ Attacks using lnk
Run any executable on the local machine
Run any signed executable from remote machines directly (SMB/WebDAV)
Unsigned executables will run but pop a warning
Run any unsigned executable from remote machines indirectly
E.g. via cmd.exe or rundll32.exe
Shortcut demo
Internet shortcuts
♦ Two extensions send user to a web page
url is an Internet Shortcut
website is a Pinned Internet Shortcut
♦ Icon is also controllable
♦ Attacks
Web bugs
Phishing
Malware
Undesirable content
Internet shortcut example
♦ The following is an example readme.txt.url
Sends a user to NCC Group’s home page
Sets its icon to be the same as a text file
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
[InternetShortcut]
URL=http://www.nccgroup.com/
IDList=
HotKey=0
IconFile=C:\Windows\System32\shell32.dll
IconIndex=70
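A defender's view of the same trick: a PowerShell check that reports files whose Explorer-displayed name hides a second extension (such as readme.txt.url above) and, for .url files, shows the target and icon the INI actually requests. This is an added example, not from the slides; the hidden-extension list is the one from the Results slide and is assumed to match the machine being checked.

```powershell
# Added example: flag "readme.txt.url"-style decoys and show what a .url decoy points at.
# Extension list taken from the Results slide (Windows 7 / Office 2010); yours will vary.
$HiddenExt = @('.appref-ms','.desklink','.glk','.library-ms','.lnk','.mad','.maf','.mag',
               '.mam','.mapimail','.maq','.mar','.mas','.mat','.mau','.mav','.maw','.mydocs',
               '.pif','.scf','.search-ms','.searchconnector-ms','.url','.website','.zfsendtotarget')

function Get-DisplayedName {
    param([string]$Name)
    # Explorer drops a NeverShowExt extension regardless of the "hide extensions" setting
    $ext = [System.IO.Path]::GetExtension($Name)
    if ($HiddenExt -contains $ext.ToLowerInvariant()) { return $Name.Substring(0, $Name.Length - $ext.Length) }
    return $Name
}

function Read-InternetShortcut {
    param([string]$Path)
    # .url files are INI text; pull the target URL and the icon it asks Explorer to show
    $section = ''
    $info = @{ URL = $null; IconFile = $null; IconIndex = $null }
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -ne 'InternetShortcut') { continue }
        if ($line -match '^(URL|IconFile|IconIndex)=(.*)$') { $info[$Matches[1]] = $Matches[2].Trim() }
    }
    return $info
}

function Find-DecoyFile {
    param([string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $shown = Get-DisplayedName $_.Name
        if ($shown -eq $_.Name) { return }                      # extension is visible; nothing hidden
        if (-not ($shown -match '\.[A-Za-z0-9]{1,5}$')) { return }  # shown name must still look like "x.txt"
        $row = [ordered]@{ Path = $_.FullName; Shown = $shown; Hidden = $_.Extension; Target = $null }
        if ($_.Extension -ieq '.url') {
            $u = Read-InternetShortcut $_.FullName
            $row.Target = "$($u.URL) (icon: $($u.IconFile),$($u.IconIndex))"
        }
        [pscustomobject]$row
    }
}

Find-DecoyFile -Directory "$env:USERPROFILE\Downloads" | Format-Table -AutoSize -Wrap
```

Run against the example .url from the slide, the Target column shows http://www.nccgroup.com/ with shell32.dll icon 70, i.e. the text-file icon the user was shown.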
SendTo items
♦ Extensions hidden to improve UI appearance
♦ In %USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo
desklink creates a shortcut
mapimail sends content to a mail recipient
mydocs sends a file to a user's My Documents folder
zfsendtotarget sends a file to a compressed (zip) file
♦ None have any controllable content
♦ No obvious ways they can be used maliciously
Searches
♦ Extensions hidden to improve UI appearance
♦ In %USERPROFILE%\Searches
searchConnector-ms is a search connector
search-ms is a search folder
♦ No obvious ways they can be used maliciously
Others
♦ A few don’t fit into any groups
appref-ms used with ClickOnce
library-ms used by Explorer to merge several directories into a single view
glk files are used by Groove
scf files are used to tell Explorer to perform specific actions
♦ The first looks potentially interesting as it can install applications
Though extensive user interaction is required
♦ The others have no obvious attack vectors
Mitigations
♦ Files with certain extensions blocked by
Email clients
Enterprise mail scanners
Anti-virus software
♦ Sledgehammer approach
Delete all NeverShowExt values in registry
Conclusions
♦ Some file extensions are always hidden
♦ A few of these increase the chance of malicious code being run
♦ Be very careful what you click on!
Thank you! Questions?