What are the Windows file extensions of interest?
Is there a single superset of all possible file extensions that are of interest from a security perspective?
I tried to answer these questions before.
Today I wanted to re-visit it and approach it from a different angle:
– what can a large sample set teach us about existing file extensions?
To answer the question we could use regexes that look for wildcard references of any sort (strings that look like an asterisk followed by a set of alphanumeric characters, digits, etc.), but… this is a naive approach.
We can do better.
For instance, we can leverage the way applications use standard Windows dialog boxes. The filters that are provided to the OPENFILENAME structure in a predictable form are perfect (potentially binary!) string targets we can find inside many samples.
There is also a popular convention of saving many such file extension filter strings using pipes which often look like this:
JPEG files (*.jpg)|*.jpg GIF files (*.gif)|*.gif PNG files (*.png)|*.png PCX files (*.pcx)|*.pcx VML files (*.htm)|*.htm PDF files (*.pdf)|*.pdf
and more complex examples:
All_files (*.*)|*.*|ALL Archives|*.ace;*.arc;*.arj;*.bh;*.cab;*.enc;*.exe;*.gz;*.ha;*.jar;*.lha;*.lzh;*.mbf;*.mim;*.pak;*.pk3;*.pk_;*.rar;*.tar;*.tgz;*.uue;*.war;*.xxe;*.z;*.zip;*.zlib;*.zoo|Executables (*.exe)
They are not only very precise, but they also give us rough context about what these file extensions are actually meant to be! From a technical perspective – we can find many of these strings embedded directly inside the samples, as they are often part of PE sections loaded into memory or are stored inside the resources.
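As an added example (my own code, not the author's script), here is a Python parser for the pipe-separated filter convention shown above: it pulls printable runs out of a binary blob, both ASCII and UTF-16LE since such strings often sit in resources as wide text, matches each description|patterns pair, and builds an inventory of extension to the descriptions that advertise it. The sample bytes are constructed inline; the 80-character description limit and the extension character set are my own assumptions.

```python
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# One "description|patterns" pair as used by the pipe convention, e.g.
# "CSV files (*.csv)|*.csv;*.txt". The description must start at the beginning
# of a string or right after a '|', so junk that precedes a filter is ignored.
PAIR_RE = re.compile(
    r'(?:^|(?<=\|))([^|]{1,80}?)\|((?:\*\.(?:\*|[0-9A-Za-z_]{1,10});?)+)')
ASCII_RE = re.compile(rb'[\x20-\x7e]{8,}')            # printable ASCII runs
WIDE_RE = re.compile(rb'(?:[\x20-\x7e]\x00){8,}')     # printable UTF-16LE runs

def printable_strings(data: bytes) -> Iterable[str]:
    """Yield printable runs of a binary blob, both narrow and wide, as str."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode('ascii')
    for m in WIDE_RE.finditer(data):
        yield m.group().decode('utf-16-le')

def parse_filters(data: bytes) -> List[Tuple[str, List[str]]]:
    """Return (description, [extensions]) for every filter pair in the blob."""
    found: List[Tuple[str, List[str]]] = []
    for s in printable_strings(data):
        for desc, pats in PAIR_RE.findall(s):
            exts = [p[2:].lower() for p in pats.split(';') if p]  # "*.EXE" -> "exe"
            found.append((desc.strip(), exts))
    return found

def extension_inventory(data: bytes) -> Dict[str, Counter]:
    """Map each extension to the descriptions advertising it ('*.*' is skipped)."""
    inv: Dict[str, Counter] = {}
    for desc, exts in parse_filters(data):
        for ext in exts:
            if ext != '*':
                inv.setdefault(ext, Counter())[desc] += 1
    return inv

# Constructed sample: some junk, an ASCII filter string and a UTF-16LE one.
SAMPLE = (
    b'\x00\x00MZ junk\x00'
    b'JPEG files (*.jpg)|*.jpg|GIF files (*.gif)|*.gif|All files (*.*)|*.*\x00'
    b'\x00\x00'
    + 'Executables (*.exe)|*.exe;*.com;*.bat|CSV files (*.csv)|*.csv'.encode('utf-16-le')
    + b'\x00\x00'
)

if __name__ == '__main__':
    # Pass sample paths on the command line, or run on the constructed blob.
    blobs = [open(p, 'rb').read() for p in sys.argv[1:]] or [SAMPLE]
    for blob in blobs:
        for ext, descs in sorted(extension_inventory(blob).items()):
            print(f'{ext:8} {dict(descs)}')
```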
The third option is to narrow the research down to installers only and, after decompiling their scripts, look for any registry changes that imply registering file extensions, similar to the way I researched protocols. In this case we will also be able to grab some metadata about what the file extensions are meant to be.
The search for pipe-separated strings yields so many results that this is pretty much all we need. Looking at example results we can see that:
*.csv Comma delimited text files
*.csv Comma-separated files (*.csv)
*.csv Text Files comma delimited (*.csv)
*.csv CSV files (*.csv)
*.txt;*.csv Text Files (*.txt,*csv)
*.csv Comma Separated File (*.csv)
*.csv CSV Files (*.csv)
*.csv (*.csv)
*.CSV Memories CSV Files (*.CSV)
*.csv;*.xyz Comma Delim.(*.csv,*.xyz)
*.csv;*.txt;*.xyz Comma Delim.(*.csv,*.txt,*.xyz)
*.csv;*.txt;*.xyz 3Ascii / XYZ
*.csv MCSV Files (*.csv)
*.csv Export files (*.csv)
*.csv Excel CSV (*.csv)
*.csv Comma Delimited files (*.csv)
*.csv Comma Delimited CSV Files (*.csv)
*.csv CSV files
*.csv CSV Files
*.csv CSV - Comma Delimited (*.csv)
*.csv 5Comma Delimited (*.csv)
*.CSV CSV Files
*.CSV CSV Files (*.CSV)
*.exe Projector (*.exe)
*.exe SFX Files (*.EXE)
*.exe Projection (*.exe)
*.exe Self Extracting Archives (*.exe)
*.exe Proyector (*.exe)
*.exe Projektor (*.exe)
*.exe Proiettore (*.exe)
*.exe Executables (*.exe)
*.exe Executable Files
*.EXE *.exe;Self-Extracting Zip Files (*.exe)
*.EXE *.*.exe;Self-Extracting Zip Files (*.exe)
*.exe Executable Files (*.exe)
*.exe;*.dll;*.ico Icon files (*.exe, *.dll, *.ico)
*.exe Exe Files (*.exe)
*.exe Exe Files
*.exe Executables Files
*.exe EXE Files (*.exe)
*.EXE Program Files
*.EXE Executable Files
*.exe Executable files
*.exe EXE Files
*.exe Exe files
*.ptx;*.exe E-Transcript Files (*.ptx; *.exe)
*.exe Executables files
*.exe Executable files (*.exe)
*.EXE;*.DLL PE Files
*.EXE EXE files
*.exe .Image Files (*.exe)
*.exe;*.dll EXE or DLL Files (*.exe; *.dll)
*.exe executive files (*.exe)
*.exe;*.exe Exe Files
*.exe exe files
*.exe ExE files (*.exe)
*.EXE ,Executable files (*.EXE)
*.exe -Executables (*.exe)
*.EXE *.exe;Self-Extracting Zip Files (*.exe)
*.exe programs (*.exe)
*.exe Program files (*.exe)
*.exe MapleStory Execute Files
*.exe Exe-files (*.exe)
*.exe 2Executable Files (*.exe)
*.exe;*.scr Execute Files (*.exe;*.scr)
*.exe;*.ico Executable and Icon files
*.exe Hiddukel files (*.exe)
*.exe Application Files (*.exe)
*.exe;*.com;*.bat Executable Files (*.exe;*.com;*.bat)
*.exe;*.com Executable files (*.exe;*.com)
*.exe exe files (*.exe)
*.exe Win32 PE Files (*.exe)
*.exe Program Files
*.exe PHP Interpreter (*.exe)
*.exe GOP File (*.exe)
*.exe ExecutableFiles (*.exe)
*.exe Executable (*.exe)
*.exe Exe files (*.exe)
*.exe EXE files
*.exe Applications (*.exe)
*.exe -Application (*.exe)
*.exe +Exe Files (*.exe)
*.exe (*.exe)
*.exe (*.exe)
*.EXE Executable files
*.tarCAB (*.cab)
*.bh;*.exeTAR (*.tar)
*.ico;*.dll;*.exe Icon Files
*.exe;*.dll;*.ico; All supported Files
*.exe;*.com;*.scr Programs (*.exe;*.com;*.scr)
*.exe;*.com;*.bat Programs (*.exe;*.com;*.bat)
*.exe PE Files
*.exe veis (*.exe)
*.exe executable files (*.exe)
*.exe WExecutable files (*.exe)
*.exe Victim programm (*.exe)
*.exe Trojan server files (*.exe)
*.exe Programs (*.exe)
*.exe PE FILES
*.exe Move Item DownrExecutable (*.exe)
*.exe Executeable Files
*.exe Application files
*.exe ,Executable (*.exe)
*.com;*.exe;*.dll Programs (*.com,*.exe,*.dll)
*.EXE EXE Files (*.*)
*.* Program Files (*.exe)
*.exe;*.scr;*.bat;*.pif;*.com NExecutable Files
*.exe;*.lnk Executable Files (*.exe, *.lnk)
*.exe;*.exe_ executable files (*.exe)
*.exe;*.dll;*.ocx Executable Files (*.exe;*.dll;*.ocx)
*.exe;*.dll Applications (*.exe *.dll)
*.exe;*.cab DFront-End Patch Files (*.exe,*.cab)
*.exe; *.dll Executable files (*.exe;*.dll)
*.exe; Exe-Files (*.exe)
*.exe, *.dll (*.exe; *.dll)
*.exe* Executable files
*.exe Executable files (*.exe)
*.exe gApplications (*.exe)
*.exe Trojan files (*.exe)
*.exe Text Files (*.exe)
*.exe Servers (*.exe)
*.exe SFX-ZIP files (*.exe)
*.exe RouterUtility (*.exe)
*.exe Program files
*.exe Program (*.exe)
*.exe PE Files (*.exe)
*.exe PE Files
*.exe Logon Screen Files
*.exe Execuvel (*.exe)
*.exe Execution Files (*.exe)
*.exe Executeable Files (*.exe)
*.exe Execute Files
*.exe Executavel (*.exe)
*.exe Executables Files (*.exe)
*.exe Executable Files(*.exe)
*.exe Exec Files (*.exe)
*.exe ExeFiles
*.exe ExeCutable Files
*.exe EXE files (*.EXE)
*.exe EXE FILES
*.exe Diagnostic Utility (*.exe)
*.exe Choose quarantine folder.0Applications (*.exe)
*.exe Application files (*.exe)
*.exe 2Executeable files (*.exe)
*.exe 2Executeable Files (*.exe)
*.exe .PE EXE files (*.exe)
*.exe *.exe
*.exe %s (*.exe)
*.exe Programmi (*.exe)
*.exe .Lmgrd files (*.EXE)
*.bmp;*.ico;*.exe Picture files
*.atm;*.exe Executable Files (*.atm;*.exe)
*.Exe Portable Executable Files
*.Exe Executable Files
*.Exe Exe Files (*.Exe)
*.EXE;*.DLL;*.ICO Command BoxHIcon Files (*.exe, *.dll, *.ico)
*.EXE;*.DLL Executable File Images (*.EXE;*.DLL)
*.EXE;*.COM Executable Files
*.EXE Program files (*.exe)
*.EXE Program Files (*.EXE)
*.EXE Executable PE files
*.EXE Exe Files
*.EXE EXE Files
*.EXE Application (*.EXE)
*.EXE ;Self-Extracting Zip Files (*.exe)
My script is still running so I will update the file linked above once the processing is completed.
The bottom line is that there are so many software applications out there registering so many file extensions that vulnerabilities inside these software packages are here to stay, for years. There will also never be a perfect superset ‘file extension’ list that you can use to block everything at your environment's boundary. Quite the opposite: this post is very 2010 in nature, as many ‘platforms’ created over the last few years have created completely new environments where an email attachment is no longer the only way of getting in. Attachments added to support tickets, resumes/CVs uploaded directly to ‘job portals’ bypassing traditional email filters, as well as any sort of malicious schema or script adjustment uploads that are ‘features’ of ‘platforms’ in disguise are the new frontier, and EDR won’t save you from it – we are now oscillating back to network security, but on a different layer of abstraction…