Automatic MIME type detection in Internet Explorer 6.x allowed
knight4vn yahoo.com
Date: Thu Aug 03 2006 - 05:08:02 CDT
Automatic MIME type detection in Internet Explorer 6.x allowed
downloading executable file automatically
+Background:
What is Internet Explorer automatic MIME type detection?
- This feature was included in IE to detect the exact MIME type of a
file the server sends to the browser, by using the FindMimeFromData
method.
+Description:
- I've found out that, using automatic MIME type detection, we can
force IE to download any file (including executable files) without the
user's knowledge by causing IE to treat an executable file as an image
(jpg, gif...).
Thus, IE automatically downloads the file regardless of the file type
and saves it in the "Temporary Internet Files" folder when the user
visits the attacker's website.
+Exploitation:
- Force the user to download any executable file:
_ Create a file named "app.exe" with a head body that contains any jpg
file content, to force IE MIME type detection to recognize it as an
image file.
_ When the user browses the website which contains the file we've just
created, IE simply treats it as an image, so it automatically saves
that file in the Temporary folder.
* This exploit can be found here:
Open this link: http://sendmailplus.com/knight4vn/app1.exe
Open this link: http://sendmailplus.com/knight4vn/app2.exe
After that, check for the appearance of "app1.exe" and "app2.exe" in
your "Temporary internet folder".
- IE treats malicious javascript as an image:
* This exploit can be found here:
http://www.sendmailplus.com/knight4vn/js.gif
http://www.sendmailplus.com/knight4vn/js.jpg
http://www.sendmailplus.com/knight4vn/js.png
Discovered by: Knight Commander (knight4vn yahoo.com, knight4vn vietcert.com)
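
A defensive check for the mismatch described in this advisory, as an added example that is not part of the original post: it flags files whose name and leading bytes disagree, covering both the "app.exe" and the "js.gif" cases. The extension lists, script markers and sample byte strings are constructed assumptions.

```python
import os

# Magic-byte signatures for the image types named in the advisory.
IMAGE_MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "image/png": b"\x89PNG\r\n\x1a\n",
}
IMAGE_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
             ".gif": "image/gif", ".png": "image/png"}
# Assumed, non-exhaustive lists chosen for this example.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
ACTIVE_MARKERS = (b"<script", b"<html", b"<body", b"<iframe", b"javascript:")


def sniff_image(head: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, magic in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return mime
    return None


def audit(name: str, head: bytes):
    """Return findings for one file name and the first bytes of its body."""
    ext = os.path.splitext(name.lower())[1]
    sniffed = sniff_image(head)
    findings = []
    # Case 1: executable name, but a content sniffer would call it an image.
    if ext in EXECUTABLE_EXT and sniffed:
        findings.append(f"executable extension {ext} but content sniffs as {sniffed}")
    # Case 2: image name, but the body is not that image or carries script.
    if ext in IMAGE_EXT:
        if sniffed != IMAGE_EXT[ext]:
            findings.append(f"{ext} file lacks {IMAGE_EXT[ext]} signature")
        if any(marker in head.lower() for marker in ACTIVE_MARKERS):
            findings.append(f"{ext} file contains HTML/script markers")
    return findings


# Constructed samples mirroring the two cases in the advisory.
SAMPLES = {
    "app.exe": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"MZ\x90\x00",
    "js.gif": b"<script>/* constructed sample */</script>",
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "setup.exe": b"MZ\x90\x00\x03\x00",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, audit(name, head) or "ok")
```

The same check can be run over uploaded files before they are served, or over a browser cache directory by passing each file's name and first few hundred bytes to `audit`.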