Exploit code for MS05-016 Available


Proof-of-concept code is now available for MS05-016, the Windows Shell remote code execution vulnerability.

http://downloads.securityfocus.com/vulnerabilities/exploits/ms05016.c

The code, when compiled, runs notepad.exe. Bad guys can likely use this to construct their own versions for an email virus. The vulnerability is related to how the OS handles unregistered file types.

Doc, pdf, pif, etc. are examples of registered file types. An unregistered file type is anything else. So if I create a file with the extension D0C (that's a zero), it may look like an expected Word document, but it's really the exploit.

Further, anyone whose email antivirus is stuck in the stone age, scanning specific file types only, won't even scan this in inbound email. People who rely on blocking "dangerous" file types to fill the gap between exploit release and virus definition update will be out of luck unless they choose to whitelist a few specific extensions instead of relying on blacklists.
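The difference between the two policies can be seen by running both over the same message. This is an added example, not code from the original post; the extension sets, function names and sample attachment names are constructed assumptions, not any product's defaults.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Constructed policy lists for illustration; tune for your own gateway.
BLOCKLIST = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs"}
ALLOWLIST = {".doc", ".pdf", ".txt", ".xls"}

def extension(filename):
    """Return the lowercased final extension, or '' when there is none."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots/spaces
    return PurePosixPath(name).suffix.lower()

def blocklist_verdict(filename):
    # Default-allow: anything not explicitly listed is delivered.
    return "quarantine" if extension(filename) in BLOCKLIST else "deliver"

def allowlist_verdict(filename):
    # Default-deny: anything not explicitly listed is held.
    return "deliver" if extension(filename) in ALLOWLIST else "quarantine"

def attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def build_sample():
    """Constructed message with four harmless attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("report.doc", "invoice.D0C", "setup.pif", "notes"):
        msg.add_attachment(b"sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

def compare(msg):
    """Map each attachment name to (blocklist verdict, allowlist verdict)."""
    return {n: (blocklist_verdict(n), allowlist_verdict(n))
            for n in attachment_names(msg)}

if __name__ == "__main__":
    for name, (bl, al) in compare(build_sample()).items():
        print(f"{name:12} blocklist={bl:10} allowlist={al}")
```

The unregistered extension `.D0C` and the extensionless file both pass the blocklist and are held only by the allowlist.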

About this Entry

This page contains a single entry by Roger published on April 13, 2005 10:20 AM.
