MSIE Download Window Filename + Filetype Spoofing Vulnerability
Note: This vulnerability as well as several more can be found at
http://www.greyhats.cjb.net
Download Window Filename + Filetype Spoofing Vulnerability
[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2
[Discussion]
When a webpage offers a file who's mime type can't be opened in a browser,
Internet Explorer usually displays a download window with the filename and its
type. Previous vulnerabilities have been used to spoof the filename so the
victim thinks the file is something it isn't. This is one of those
vulnerabilities.
Window.createPopup() creates a popup that goes on top of every other window.
This includes applications other than internet explorer. This doesn't seem like
the greatest idea, but it could be useful if you want to get urgent information
out to someone. By placing the popup in a certain location, we can cover up the
filename and its type in the download window and replace it with our own. One
more thing, we need to set the popup's onoffload to open itself back up,
because if the parent window is clicked after a popup opens, the popup is
closed.
The example tells internet explorer to download badfile.exe, which of course is
an 'Application'. A popup is then opened covering up the filename and type and
replaces it with 'sexycoeds.jpg' (GGW commercial was on when I was writing this
;) which is a 'JPEG Image'. The viewer should press 'open' to view the sexy
coeds right away, which will download and run badfile.exe. If you want, you can
name the executable sexycoeds.exe and change the icon so if the user presses
'save' windows should hide the extension and it will still look like a jpg
image.
[Example]
http://freehost07.websamba.com/greyhats/dlwinspoof.htm