The case of the missing file extensions
44 café edition
Who?
Pete Beck
♦ Principal Consultant, NCC Group
♦ Breaking code since 1998
GCHQ/CESG
Microsoft
BlackBerry
4/30/2014 © NCC Group 2
tl;dr
♦ Some Windows file extensions are always hidden regardless of settings
♦ That readme.txt might not be all it seems
♦ Bad Things™ might happen
Why?
♦ Accidental (re)discovery
Chatting about retro games in the office
Specifically text adventures
♦ Phill was a big fan of Infocom
Zork, Hitchhikers Guide, …
♦ I was a big fan of Magnetic Scrolls
The Pawn, Guild of Thieves, Jinxter, …
Magnetic Scrolls
♦ Adventure games from late 80s
♦ Available on many 8-bit and 16-bit home computers including:
Amstrad CPC
Commodore 64
Atari ST
Amiga
PC
Emulation
♦ Playable today with Magnetic emulator
♦ Games come as 4 files
Game data
Graphics
Title Picture
Title Music
Something missing
♦ Here’s how the directory looks in Explorer
♦ The second file is missing an extension
But it is something to do with Microsoft Access
Curiouser and curiouser!
♦ A command prompt shows it’s a mag file
Questions
♦ Why are files with this extension hidden?
♦ What else is hidden?
♦ How could someone abuse this?
Disclaimer
♦ All results from my machine
Windows 7 64-bit
Office 2010
♦ Yours might (probably will) vary
Registry mining
♦ What does the registry tell us about .mag files?
C:\>reg query HKCR\.mag
HKEY_CLASSES_ROOT\.mag
(Default) REG_SZ Access.Shortcut.Diagram.1
HKEY_CLASSES_ROOT\.mag\Access.Shortcut.Diagram.1
More digging
♦ What about Access.Shortcut.Diagram.1?
C:\>reg query HKCR\Access.Shortcut.Diagram.1
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1
(Default) REG_SZ Microsoft Access Diagram Shortcut
IsShortCut REG_SZ
NeverShowExt REG_SZ
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1\DefaultIcon
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1\shell
Prime suspect
♦ The NeverShowExt value looks suspiciously like the one
♦ Delete it, restart explorer and look at the directory
♦ The extensions are all visible now!
Enumeration
We can now enumerate all hidden extensions
♦ For each file extension under HKCR
get the underlying object class
open its key
check for a NeverShowExt value
Results
.appref-ms
.desklink
.glk
.library-ms
.lnk
.mad
.maf
.mag
.mam
.mapimail
.maq
.mar
.mas
.mat
.mau
.mav
.maw
.mydocs
.pif
.scf
.search-ms
.searchConnector-ms
.URL
.website
.zfsendtotarget
So what?
♦ A list is good, but…
♦ Need to know how these files are handled
♦ Back to the registry
Digging deeper
♦ Look at subkeys too
C:\>reg query HKCR\Access.Shortcut.Diagram.1 /s
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1
(Default) REG_SZ Microsoft Access Diagram Shortcut
IsShortCut REG_SZ
NeverShowExt REG_SZ
…
HKEY_CLASSES_ROOT\Access.Shortcut.Diagram.1\shell\Open\command
(Default) REG_SZ "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDiagram "%1"]
…
Handlers
We can now get the handlers too
♦ For each extension under HKCR
get the underlying object class
open its key
check for a NeverShowExt value
Read the shell\Open\command subkey
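The enumeration on the last two slides, as an added PowerShell script that is not part of the deck: it walks the extension keys under HKCR, resolves each to its class, keeps those carrying NeverShowExt and reads the class's shell\Open\command handler. It assumes a Windows host; the output will differ from the deck's Windows 7 / Office 2010 list depending on what is installed.

```powershell
# Added example, not from the deck: report every extension whose class carries NeverShowExt,
# with the class's shell\Open\command handler, following the steps on the slides.
$hkcr = 'Registry::HKEY_CLASSES_ROOT'

function Get-HiddenExtension {
    foreach ($key in Get-ChildItem -LiteralPath $hkcr -ErrorAction SilentlyContinue) {
        $ext = $key.PSChildName
        if (-not $ext.StartsWith('.')) { continue }                # only extension keys such as .mag

        # (Default) on the extension key names the underlying class (ProgID), e.g. Access.Shortcut.Diagram.1
        $progId = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($progId)) { continue }

        $classKey = "$hkcr\$progId"
        if (-not (Test-Path -LiteralPath $classKey)) { continue }

        # NeverShowExt is an empty REG_SZ; Explorer only checks that the value exists
        $class = Get-Item -LiteralPath $classKey
        if ($class.Property -notcontains 'NeverShowExt') { continue }

        $cmdKey  = "$classKey\shell\Open\command"
        $handler = if (Test-Path -LiteralPath $cmdKey) {
            (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        } else { '' }                                              # no Open verb, as the deck shows for .desklink

        [pscustomobject]@{ Extension = $ext; ProgId = $progId; Handler = $handler }
    }
}

Get-HiddenExtension | Sort-Object Extension | Format-Table -AutoSize -Wrap
```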
Enumeration II
.appref-ms rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2
.desklink
.glk C:\PROGRA~1\MIF5BA~1\Office14\GROOVE.EXE /grv: "%1"
.library-ms
.lnk
.mad "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenModule "%1"]
.maf "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%1"]
.mag "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDiagram "%1"]
.mam "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [ShellOpenMacro "%1"]
.mapimail
.maq C:\PROGRA~1\MIF5BA~1\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenQuery "%1"]
.mar "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%1", 2]
.mas "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenStoredProcedure "%1"]
.mat C:\PROGRA~1\MIF5BA~1\Office14\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenTable "%1"]
.mau "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /SHELLSYSTEM [OpenFunction "%1"]
.mav "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenView "%1"]
.maw "C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDataAccessPage "%1"]
.mydocs
.pif "%1" %*
.scf C:\Windows\explorer.exe
.search-ms
.searchConnector-ms
.URL "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l
.website "C:\Program Files\Internet Explorer\iexplore.exe" -w "%l" %*
.zfsendtotarget
Abuse
Tricks to get users to run malware
♦ Double extensions
picture.jpg.exe
♦ Double extensions with spaces
picture.jpg .exe
♦ Changing the icon helps with the deception
More abuse
One more trick
♦ Hidden extensions
readme.txt.lnk
♦ Can also change the icon here
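An added check, not from the deck, that flags file names built with the three tricks on these two slides (double extension, double extension padded with spaces, hidden extension). The hidden-extension list is a subset of the deck's results; the list of extensions that run code is an assumption made for the example, as is the Downloads folder it scans.

```powershell
# Added example, not from the deck: flag names that mask what a file really is.
$HiddenExt = '.lnk', '.pif', '.url', '.website', '.scf', '.appref-ms'   # from the deck's results
$RunsCode  = '.exe', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.hta' # assumed list

function Test-DeceptiveName {
    param([Parameter(Mandatory)][string]$Name)
    # "picture.jpg .exe" -> '.jpg', '.exe'; Trim() neutralises the padding-with-spaces trick
    $parts = $Name.Split('.')
    if ($parts.Count -lt 3) { return }                 # fewer than two extensions: nothing to mask
    $chain = $parts[1..($parts.Count - 1)] | ForEach-Object { '.' + $_.Trim().ToLowerInvariant() }
    $real  = $chain[-1]

    if ($HiddenExt -contains $real) {
        $trick = 'hidden extension'                    # readme.txt.lnk shows as readme.txt whatever the settings
    } elseif ($RunsCode -contains $real) {
        $trick = if ($Name -match '\s\.[^.]+$') { 'double extension with spaces' } else { 'double extension' }
    } else {
        return                                         # archive.tar.gz and the like are fine
    }

    [pscustomobject]@{
        Name      = $Name
        Displayed = $Name.Substring(0, $Name.LastIndexOf('.')).TrimEnd()   # what Explorer shows once $real is hidden
        RealType  = $real
        Trick     = $trick
    }
}

# scan a folder; only deceptive names come back
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File | ForEach-Object { Test-DeceptiveName $_.Name }
```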
Classes
The extensions fall into a few distinct groups
♦ Microsoft Access
♦ Shortcuts
♦ Internet shortcuts
♦ SendTo items
♦ Searches
♦ Others
Microsoft Access files
♦ No obvious reason for hiding them
♦ Lots!
mad maf mag mam maq mar mas mat mau mav maw
♦ No obvious attack vectors
Macros potentially interesting
Caveat: I am not an Access expert
Shortcuts
♦ Extensions hidden to improve UI appearance
♦ Two extensions are shortcuts to executables
lnk is a standard shortcut
pif is a shortcut to a DOS program
♦ Icon is also controllable
♦ Attacks using lnk
Run any executable on the local machine
Run any signed executable from remote machines directly (SMB/WebDAV)
Unsigned executables will run but pop a warning
Run any unsigned executable from remote machines indirectly
E.g. via cmd.exe or rundll32.exe
Shortcut demo
Internet shortcuts
♦ Two extensions send user to a web page
url is an Internet Shortcut
website is a Pinned Internet Shortcut
♦ Icon is also controllable
♦ Attacks
Web bugs
Phishing
Malware
Undesirable content
Internet shortcut example
♦ The following is an example readme.txt.url
Sends a user to NCC Group’s home page
Sets its icon to be the same as a text file
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
[InternetShortcut]
URL=http://www.nccgroup.com/
IDList=
HotKey=0
IconFile=C:\Windows\System32\shell32.dll
IconIndex=70
SendTo items
♦ Extensions hidden to improve UI appearance
♦ In %USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo
desklink creates a shortcut
mapimail sends content to a mail recipient
mydocs sends a file to a user's My Documents folder
zfsendtotarget sends a file to a compressed (zip) file
♦ None have any controllable content
♦ No obvious ways they can be used maliciously
Searches
♦ Extensions hidden to improve UI appearance
♦ In %USERPROFILE%\Searches
searchConnector-ms is a search connector
search-ms is a search folder
♦ No obvious ways they can be used maliciously
Others
♦ A few don’t fit into any groups
appref-ms used with ClickOnce
library-ms used by Explorer to merge several directories into a single view
glk files are used by Groove
scf files are used to tell Explorer to perform specific actions
♦ The first looks potentially interesting as it can install applications
Though extensive user interaction is required
♦ The others have no obvious attack vectors
Mitigations
♦ Files with certain extensions blocked by
Email clients
Enterprise mail scanners
Anti-virus software
♦ Sledgehammer approach
Delete all NeverShowExt values in registry
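The sledgehammer approach as an added PowerShell script (not from the deck): it finds every class under HKCR that carries NeverShowExt and removes the value, then restarts Explorer so the change shows. It assumes an elevated prompt, since the class keys live under HKLM\Software\Classes, and does a dry run unless -Force is passed.

```powershell
# Added example, not from the deck: remove NeverShowExt from every class under HKCR.
# Dry run by default (-WhatIf); pass -Force to apply the change. Run from an elevated prompt.
param([switch]$Force)

$hkcr    = 'Registry::HKEY_CLASSES_ROOT'
$targets = Get-ChildItem -LiteralPath $hkcr -ErrorAction SilentlyContinue |
           Where-Object { $_.Property -contains 'NeverShowExt' }

foreach ($class in $targets) {
    # -WhatIf:$true only reports what would change; with -Force the value is actually deleted
    Remove-ItemProperty -LiteralPath $class.PSPath -Name 'NeverShowExt' -WhatIf:(-not $Force)
}
Write-Host ("{0} class(es) carry NeverShowExt" -f @($targets).Count)

if ($Force) {
    # Explorer reads the flag when it starts, so restart it (as the deck does) to see the extensions
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe        # on versions that relaunch Explorer themselves this just opens a window
}
```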
Conclusions
♦ Some file extensions are always hidden
♦ A few of these increase the chance of malicious code being run
♦ Be very careful what you click on!
Thank you! Questions?