Re: File extensions spoofable in MSIE download dialog

From: staticat_private
Date: Fri Nov 30 2001 - 16:38:37 PST


    Other people have emailed me that the vulnerability I described causes IE6.0 to not give a security warning about executing the .exe like IE5.0 does.  In my testing with IE6.0, just clicking on a calc.exe directly does not even give a security warning either.  I don't know much about IE6.0 yet, so maybe someone else will have an answer that can explain why the default config of IE6.0 does not produce the security warning that older versions did when clicking on an .exe directly and choosing open.  The bigger issue to me is how vulnerable IE5.5 sp2 is.
    
    And to keep people from emailing me telling me their IE5.5 does have have the vulnerability I described using the readme.txt php script...  IE5.5 sp2 is the only version of IE5.5 that will run the executable without first prompting the user with the real .exe filename so far found (have not tested IE5.5 sp1).  It is rather interesting that IE5.5 without any service pack does not have the vulnerability.  It appears sp2 (maybe sp1?) broke something that made this vulnerability possible.
    
    I have to wonder if this is a separate vulnerability with IE5.5 sp2 than what the initial poster alerted us to.  Until he releases more info I guess we will never know.
    
    StatiC
    
    On Fri, Nov 30, 2001 at 01:07:05PM +1100, Paul Szabo wrote:
    > chefat_private wrote:
    > 
    > > I tested it right now, with IE6; Q312461 / WinXP and I think
    > > there is no problem at all.
    > > 
    > > First a question for text.txt pops up and when I say "open"
    > > a second message with question for save / open pops up.
    > > This second popup tells the right name "calc.exe" .
    > > Finally when I say "open" it opens the calculator.
    > > 
    > > For testing: http://www.geilerserver.de/text.txt
    > 
    > and staticat_private confirmed:
    > 
    > > It appears only IE5.5 has this problem.  I just tested with IE5.0 sp2 and
    > > IE6 and both of those versions prompt and wait for user intervention for
    > > readme.txt and then wait a second time while prompting to ask to
    > > open/saveas calc.exe.
    > 
    > I still see a problem with IE6. The first dialog says:
    > 
    >   You are downloading text.txt ...
    >   Open  Save  Cancel
    > 
    > If I choose to save, then the file dialog shows the name calc.exe, but I may
    > not pay attention to that; and when it finishes it says:
    > 
    >   Download complete
    >   Saved: calc.exe ...
    >   Open  OpenFolder  Close
    > 
    > and if I choose to open then it runs the rogue application. Unless the user
    > pays attention to the names shown, he may unwittingly run the rogue
    > application; there is no extra security popup.
    > 
    > Cheers,
    > 
    > Paul Szabo - pszat_private  http://www.maths.usyd.edu.au:8000/u/psz/
    > School of Mathematics and Statistics  University of Sydney   2006  Australia
    



    This archive was generated by hypermail 2b30 : Sun Dec 02 2001 - 09:50:59 PST