Author Topic: Double file extension vulnerability  (Read 7526 times)

Offline Betty

  • Newbie
  • *
  • Posts: 9
Double file extension vulnerability
« on: May 24, 2007, 07:29:38 PM »
Hi all,

First of all.. I'm not sure if this should be in CAVS or CFP, sorry if it's the wrong place. I posted here because it has to do with e-mail attachments.

I ran an e-mail security test for:
Eicar Virus: CAVS caught and quarantined immediately on receipt  :D
ActiveX vulnerability: File did not appear so either CAVS or CFP stopped it   :D

Double file extension: I was able to run/open the attached file ??
The test file was shown as: viewthis.jpg.hta (not harmful was test purposes only)
I even saved it to the desktop and scanned with CAVS with no problem found but a-squared wanted to quarantine it.

So, now I'm confused..that's not really new but, any info would be greatly appreciated.  If you need more information let me know.

Thanks and have a great day,
Betty

Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
Re: Double file extension vulnerability
« Reply #1 on: May 24, 2007, 08:07:11 PM »
Hi Betty

Fortunately the double file extension ploy only works on humans, not CAVS. With the filename you cited, viewthis.jpg.hta, you're meant to see the JPG and not see the HTA bit. They often pad spaces after the JPG to try & push it off your screen.The thing is, there is no such thing as a Double File Extension, CAVS just sees an HTA file (it does not "see" the JPG bit) & scans it or not based of the extensions ability to be a vector or not. In the case of an HTA file, CAVS will scan it.
« Last Edit: May 24, 2007, 08:23:33 PM by kail »
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Offline Betty

  • Newbie
  • *
  • Posts: 9
Re: Double file extension vulnerability
« Reply #2 on: May 24, 2007, 09:15:58 PM »
Hi Kail,

Thanks for the quick reply with a clearly understandable explanation, I appreciate that. 

This type of thing isn't usually an issue with me as I save them to desktop and try to get into it somehow and scan before I open but was curious about the 2 .ext thing.  The site I used stated that most AV/AS only look at the first ext, obviously "most" are not as diligent as CAVS, which I believe or would not be using it.........

Thanks again,
Betty


Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
Re: Double file extension vulnerability
« Reply #3 on: May 24, 2007, 09:33:20 PM »
Whilst CAVS is good, I can't claim this for it. That web site is either making it up or pulling your leg (edit: sorry, Joking). No application looks at the first extension, because only the last one counts. That double extension trick is for humans only, trying to get them to execute (click on) an email attachment thinking its an image, whilst it is actually an executable of some sort.
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Offline Betty

  • Newbie
  • *
  • Posts: 9
Re: Double file extension vulnerability
« Reply #4 on: May 24, 2007, 11:05:17 PM »
I've only received 1 real file of this type, it showed as a .zip but when I looked inside (didn't run it) I found it really was an .exe, sneaky brats.  I knew it was bogus but I just had to find out as much as I could - kinda like a dog with a bone..... after snooping I quarantined it.

BTW - 1 is slightly longer than the other now

Have a good one,
Betty

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek