<<< Date Index >>>     <<< Thread Index >>>

MSIE Download Window Filename + Filetype Spoofing Vulnerability




Note: This vulnerability as well as several more can be found at 
http://www.greyhats.cjb.net

Download Window Filename + Filetype Spoofing Vulnerability 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
When a webpage offers a file who's mime type can't be opened in a browser, 
Internet Explorer usually displays a download window with the filename and its 
type. Previous vulnerabilities have been used to spoof the filename so the 
victim thinks the file is something it isn't. This is one of those 
vulnerabilities. 

Window.createPopup() creates a popup that goes on top of every other window. 
This includes applications other than internet explorer. This doesn't seem like 
the greatest idea, but it could be useful if you want to get urgent information 
out to someone. By placing the popup in a certain location, we can cover up the 
filename and its type in the download window and replace it with our own. One 
more thing, we need to set the popup's onoffload to open itself back up, 
because if the parent window is clicked after a popup opens, the popup is 
closed. 

The example tells internet explorer to download badfile.exe, which of course is 
an 'Application'. A popup is then opened covering up the filename and type and 
replaces it with 'sexycoeds.jpg' (GGW commercial was on when I was writing this 
;) which is a 'JPEG Image'. The viewer should press 'open' to view the sexy 
coeds right away, which will download and run badfile.exe. If you want, you can 
name the executable sexycoeds.exe and change the icon so if the user presses 
'save' windows should hide the extension and it will still look like a jpg 
image. 

[Example]
http://freehost07.websamba.com/greyhats/dlwinspoof.htm