
RE: MSIE Download Window Filename + Filetype Spoofing Vulnerability



This is an open bug. (One which is rather disturbing, so I am
not sure why Microsoft has chosen to not fix it.)

Date: 21 October 2001 
http://www.guninski.com/popspoof.html

"Demonstration: 

Image moving over download/open dialog: 
http://www.guninski.com/opf2.html "


> -----Original Message-----
> From: Paul [mailto:paul@xxxxxxxxxxxxxxxx] 
> Sent: Sunday, July 11, 2004 8:52 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: MSIE Download Window Filename + Filetype Spoofing 
> Vulnerability
> 
> 
> 
> Note: This vulnerability as well as several more can be found 
> at http://www.greyhats.cjb.net
> 
> 
> 
> Download Window Filename + Filetype Spoofing Vulnerability 
> 
> 
> 
> [Tested]
> 
> IEXPLORE.EXE file version 6.0.2800.1106
> 
> MSHTML.DLL file version 6.00.2800.1400
> 
> Microsoft Windows XP sp2 
> 
> 
> 
> [Discussion]
> 
> When a webpage offers a file whose MIME type can't be opened 
> in a browser, Internet Explorer usually displays a download 
> window with the filename and its type. Previous 
> vulnerabilities have been used to spoof the filename so the 
> victim thinks the file is something it isn't. This is one of 
> those vulnerabilities. 
> 
> 
> 
> Window.createPopup() creates a popup that goes on top of 
> every other window. This includes applications other than 
> Internet Explorer. This doesn't seem like the greatest idea, 
> but it could be useful if you want to get urgent information 
> out to someone. By placing the popup in a certain location, 
> we can cover up the filename and its type in the download 
> window and replace it with our own. One more thing: we need 
> to set the popup's onoffload to open itself back up, because 
> if the parent window is clicked after a popup opens, the 
> popup is closed. 
> 
> 
> 
> The example tells Internet Explorer to download badfile.exe, 
> which of course is an 'Application'. A popup is then opened 
> covering up the filename and type and replaces it with 
> 'sexycoeds.jpg' (GGW commercial was on when I was writing 
> this ;) which is a 'JPEG Image'. The viewer should press 
> 'open' to view the sexy coeds right away, which will download 
> and run badfile.exe. If you want, you can name the executable 
> sexycoeds.exe and change the icon so if the user presses 
> 'save' Windows should hide the extension and it will still 
> look like a jpg image. 
> 
> 
> 
> [Example]
> 
> http://freehost07.websamba.com/greyhats/dlwinspoof.htm
>