RE: playing for fun with <=IE7

To: <laurent.gaffie@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: RE: playing for fun with <=IE7
From: "avivra" <avivra@xxxxxxxxx>
Date: Tue, 16 Oct 2007 00:21:10 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:from:to:references:in-reply-to:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; bh=9qSj8B/53fMZniwsxHVMCc4J26zfZvm/gxRUvgeUDf4=; b=op1cWgVV4kl3c2Uirb/x5CUUrypJVUJ6gREPXGT48THxXqqTbhUPVG5upNq+hlvrbebbIFaNMGtvnujYe1IJDwH6YausDV38zwEDzMj4D20NbpE3kiT+8bBJd35fInJUO30m5ohXh8IlmZUOWgKB/9i7Foq2/cMkj0N8tkXgh0E=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:references:in-reply-to:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:content-language; b=nr5lD6MF+5q1tHURQWp4JQ2v+MMXS4Py0GoEJJCnpiHWk/D/xRLL/zDJYegs1yAe0RK2mW5iLRCiZS/EmAvOjxF4frX3aGB5XMleaj1J5hyZ8dqBzkMWGeap1a+ceNYiLmpei0YpqWVFaNMOGJTCD5krpeVraN8x9LqBuaRJFL4=
In-reply-to: <20071012203402.26806.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20071012203402.26806.qmail@xxxxxxxxxxxxxxxxx>
Thread-index: AcgNunW2mb4eyjZaStSYMdCvHhImkwBvXGwQ

Hi,

This is actually a 3 years old vulnerability.
It can also be used to open any type of file (with .exe extension) using its
external application, instead of opening it with the associated browser
plug-in (if exists).
E.g. I've been able to use this old vuln to automate the PDF attack vector
found by GNUCitizen's pdp.
More info: http://aviv.raffon.net/2007/10/15/BackFromTheDead.aspx 

--Aviv.


-----Original Message-----
From: laurent.gaffie@xxxxxxxxx [mailto:laurent.gaffie@xxxxxxxxx] 
Sent: Friday, October 12, 2007 10:34 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: playing for fun with <=IE7

playing for fun with <=IE7 

Impact: who knows ...

Fix Available: no


-------------------------------------------------------



1) Bug 

2) Proof of concept

3)Conclusion




======

1) Bug 

======

it's possible to bypass the extension filter of <=IE7  this can result by
downloading

an arbitrary exe file 


=====

2)proof of concept

=====

let's take this exemple :

http://dams083.free.fr/tmp/putty.exe

this is simply putty .

you click on this and then you will be prompted for downloading the file.

but what about if we do :

http://dams083.free.fr/tmp/putty.exe?1.txt

... the .exe is showed.

now let's go a bit ahead :

http://dams083.free.fr/tmp/putty.exe?1.cda

wow my .exe is downloaded directly and located in temporary files ( and
"""opened""" by windows media player).

works with theses extension :

.log

.dif

.sol

.htt

.itpc

.itms

.dvr-ms

.dib

.asf

.tif

etc ...

=====

5) Conclusion

=====

this is very funny , because actually it only works for .exe extensions.


.COM , .PIF , etc  you CANT do this. ( overwrite the extension , and then
bypass the filter)

i guess we can wonder what the heck.

 


regards laurent gaffiי

References:
- playing for fun with <=IE7
  - From: laurent . gaffie

Prev by Date: about phpMyAdmin setup.php XSS vulnerability
Next by Date: IRM Vendor Alerts: Six critical remote vulnerabilities in TIBCO SmartPGM FX
Previous by thread: RE: playing for fun with <=IE7
Next by thread: Re: RE: playing for fun with <=IE7
Index(es):
- Date
- Thread