
MSIE may download and run programs automatically - details

2002-01-15 00:00:00
vulners.com

This posting briefly describes some technical details of the
vulnerability discussed in the Bugtraq messages with the subjects "MSIE
may download and run programs automatically" (Dec 14 2001) and "File
extensions spoofable in MSIE download dialog" (Nov 26 2001).

The flaw allows a malicious web site to make Internet Explorer download
and run programs when a user is visiting the web site or reading an HTML
mail message. By exploiting it, any download and Security Warning dialogs
can be circumvented. The program starts without further user interaction.

The trick is simply to use a null byte in the filename. A malicious web
server can set a filename like "README.TXT%00PROG.EXE" via the
Content-disposition HTTP header. If this kind of filename is set for an
attachment, IE will display just "README.TXT" in the download dialog
(unless patched). Apparently "%00" gets decoded and some of the string
handling functions believe the filename string ends there. When opening
the file (if the user chooses to "Open" it) though, the whole filename is
used and the program gets run.

If the keyword "inline" is used with the Content-disposition header
instead of "attachment" and the MIME type is chosen right, then the
browser downloads and runs the program without any download dialogs or
warnings. The MIME type of the file can be set via the Content-type HTTP
header. The MIME types causing the file to be automatically run seem to
vary in different IE versions. With IE6 e.g. "text/css" can be used to
produce the effect. With IE5 e.g. "audio/midi" can be used instead.

The "file name spoofing" and "automatic running of programs" issues are
in effect the same null byte vulnerability. The MIME type determines
whether the program gets started automatically or the download dialog is
used.
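An added example, not part of the original post, showing how a proxy or mail gateway check could flag the header pattern described above: it percent-decodes the Content-disposition filename, compares the part a NUL-terminating string routine would display with the extension that actually follows the null byte, and treats "inline" as the higher-risk disposition. The sample responses and the verdict labels are constructed for this illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample responses (not from the original post), shaped like the
# headers the advisory describes.
SAMPLE_RESPONSES = [
    {"Content-Type": "text/css",
     "Content-Disposition": 'inline; filename="README.TXT%00PROG.EXE"'},
    {"Content-Type": "application/octet-stream",
     "Content-Disposition": 'attachment; filename="README.TXT%00PROG.EXE"'},
    {"Content-Type": "text/plain",
     "Content-Disposition": 'attachment; filename="README.TXT"'},
]

FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]*)"?', re.IGNORECASE)


def check_filename(raw):
    """Percent-decode a Content-Disposition filename and compare what a
    NUL-terminating string routine would display with the real extension."""
    decoded = unquote(raw)          # "%00" becomes a literal NUL byte
    segments = decoded.split("\x00")
    displayed = segments[0]         # what an unpatched dialog would show
    return {
        "has_nul": len(segments) > 1,
        "displayed": displayed,
        "displayed_extension": os.path.splitext(displayed)[1].upper(),
        "actual_extension": os.path.splitext(segments[-1])[1].upper(),
    }


def audit_response(headers):
    """Classify one response by disposition type and the filename check."""
    disposition = headers.get("Content-Disposition", "")
    disp_type = disposition.split(";", 1)[0].strip().lower()
    match = FILENAME_RE.search(disposition)
    info = check_filename(match.group(1) if match else "")
    if not info["has_nul"]:
        verdict = "clean"
    elif disp_type == "inline":
        verdict = "inline-autorun-risk"   # no dialog at all on affected builds
    else:
        verdict = "dialog-spoof"          # dialog shows only the truncated name
    info.update(verdict=verdict, content_type=headers.get("Content-Type"))
    return info
```

The MIME types that trigger automatic execution vary by IE version, so the check keys on the null byte and the disposition type rather than on a fixed Content-type list.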

If you want to check if your browser is vulnerable, you can do it on this
web page:

http://www.solutions.fi/iebug2

After clicking the link there, a vulnerable IE will download a small
program and run it. The program will run in a DOS window and print a
message. If this happens, you should patch your browser. The patch
has been available since 13 December 2001 at Microsoft's site:

http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

A non-vulnerable IE will show a download dialog with a filename ending
with ".EXE".


Jouko Pynnonen, Online Solutions Ltd
[email protected] | http://www.solutions.fi
Secure your Linux - http://www.secmod.com