RE: MSIE Download Window Filename + Filetype Spoofing Vulnerability

From: Drew Copley (dcopleyeEye.com)
Date: Mon Jul 12 2004 - 13:20:51 CDT


This is an open bug. (One which is rather disturbing, so I am
not sure why Microsoft has chosen to not fix it.)

Date: 21 October 2001
http://www.guninski.com/popspoof.html

"Demonstration:

Image moving over download/open dialog:
http://www.guninski.com/opf2.html "

> -----Original Message-----
> From: Paul [mailto:paulgreyhats.cjb.net]
> Sent: Sunday, July 11, 2004 8:52 AM
> To: bugtraqsecurityfocus.com
> Subject: MSIE Download Window Filename + Filetype Spoofing
> Vulnerability
>
>
>
> Note: This vulnerability as well as several more can be found
> at http://www.greyhats.cjb.net
>
>
>
> Download Window Filename + Filetype Spoofing Vulnerability
>
>
>
> [Tested]
>
> IEXPLORE.EXE file version 6.0.2800.1106
>
> MSHTML.DLL file version 6.00.2800.1400
>
> Microsoft Windows XP sp2
>
>
>
> [Discussion]
>
> When a webpage offers a file whose MIME type can't be opened
> in a browser, Internet Explorer usually displays a download
> window with the filename and its type. Previous
> vulnerabilities have been used to spoof the filename so the
> victim thinks the file is something it isn't. This is one of
> those vulnerabilities.
>
>
>
> Window.createPopup() creates a popup that goes on top of
> every other window. This includes applications other than
> internet explorer. This doesn't seem like the greatest idea,
> but it could be useful if you want to get urgent information
> out to someone. By placing the popup in a certain location,
> we can cover up the filename and its type in the download
> window and replace it with our own. One more thing, we need
> to set the popup's onoffload to open itself back up, because
> if the parent window is clicked after a popup opens, the
> popup is closed.
>
>
>
> The example tells internet explorer to download badfile.exe,
> which of course is an 'Application'. A popup is then opened
> covering up the filename and type and replaces it with
> 'sexycoeds.jpg' (GGW commercial was on when I was writing
> this ;) which is a 'JPEG Image'. The viewer should press
> 'open' to view the sexy coeds right away, which will download
> and run badfile.exe. If you want, you can name the executable
> sexycoeds.exe and change the icon so if the user presses
> 'save' windows should hide the extension and it will still
> look like a jpg image.
>
>
>
> [Example]
>
> http://freehost07.websamba.com/greyhats/dlwinspoof.htm
>