|
|
|
@ -60,9 +60,10 @@ let's see the most important: |
|
|
|
and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf), |
|
|
|
and according to [MS documentation](http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf), |
|
|
|
this value can be 0 |
|
|
|
this value can be 0 |
|
|
|
|
|
|
|
|
|
|
|
**NOTE1**: Defender now detects the CAB file using the `_IMAGE_DOS_HEADER.e_magic` value as a signature, potentially avoiding |
|
|
|
**NOTE1**: Defender now detects if the CAB file contains a PE by using the `_IMAGE_DOS_HEADER.e_magic` value as a |
|
|
|
PE files to be embedded in the CAB. Can this signature be bypassed? As observed before, this is a patched vulnerability, |
|
|
|
signature, potentially avoiding PE files to be embedded in the CAB. Can this signature be bypassed? |
|
|
|
so I'm not planning to release anything more complex than this. Up to the curious reader to develop this further. |
|
|
|
I'm not sure but, as observed before, this is a patched vulnerability, so I'm not planning to invest much more time |
|
|
|
|
|
|
|
on this. Up to the curious reader to develop this further. |
|
|
|
|
|
|
|
|
|
|
|
**NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition) |
|
|
|
**NOTE2**: Microsoft Patch blocks arbitrary URI schemes, apparently using a blacklist approach (this is just a supposition) |
|
|
|
|
|
|
|
|
|
|
|
|
d3adc0de
3 years ago