<<< Date Index >>>     <<< Thread Index >>>

RE: GOOROO CROSSING: File Spoofing Internet Explorer 6



        For those who don't have their http-equiv speak secret-decoder-ring
with them, the GUID in this file extension causes the file to be treated as
an HTML Application instead of the mpeg file it 'appears' to be.

        However, if you try out the 'demo', you'll see that you get prompted
with the standard IE Open/Save dialog box that warns the user that opening
files can be dangerous. That dialog doesn't list any file type for the file,
MPEG or otherwise. The only thing that's misleading is that the file appears
to have a .mpeg extension. If you save the file to disk, as opposed to
opening it directly, then it's treated as a .mpeg, as you would expect.

        Personally I don't think this is much of an issue. This trick makes
a file _sort_of_ appear to be of a different type than it actually is.
Opening content from the web directly is dangerous, we all knew that
already. For this trick to be used as an attack vector, a user must
intervene and do something which is known to be dangerous, and labelled as
such. IE should proabably display the correct file-type 'HTML Application'
instead of leaving this part of the dialog blank.

        The real problem is that IE makes it far too easy for users to run
executable content that's downloaded from the web. That's just a bad idea. 

Cheers,
~x


> -----Original Message-----
> From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx] 
> Sent: January 27, 2004 12:27 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Cc: NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx
> Subject: GOOROO CROSSING: File Spoofing Internet Explorer 6
> 
> 
> 
> 
> Tuesday, January 27, 2004 
> 
> Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all 
> of 'its' patches to date on WIN XP [probably others]:
> 
> Content-Disposition: attachment; 
> filename=malware.{3050f4d8-98B5- 
> 11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"
> 
> Absolute bare minimum working demo [perhaps even feeble] as we 
> are absolutely confident the self-appointed resident gooroo will 
> be along shortly handing out packets of two cents to everyone 
> thus saving us the effort to illustrate in even greater detail 
> to those lacking imagination:
> 
> 
http://www.malware.com/gooroo.html



End Call

-- 
http://www.malware.com




---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.558 / Virus Database: 350 - Release Date: 02/01/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.558 / Virus Database: 350 - Release Date: 02/01/2004