MSIE may download and run programs automatically - details

From: Jouko Pynnonen (joukoat_private)
Date: Mon Jan 14 2002 - 05:58:01 PST


    This posting briefly describes some technical details of the
    vulnerability discussed in the Bugtraq messages with the subjects "MSIE
    may download and run programs automatically" (Dec 14 2001) and "File
    extensions spoofable in MSIE download dialog" (Nov 26 2001).
    
    The flaw allows a malicious web site to make Internet Explorer download
    and run programs when a user is visiting the web site or reading an HTML
    mail message. By exploiting it, any download and Security Warning dialogs
    can be circumvented. The program starts without further user interaction.
    
    The trick is simply to use a null byte in the filename. A malicious web
    server can set a filename like "README.TXT%00PROG.EXE" via the
    Content-disposition HTTP header. If this kind of filename is set for an
    attachment, IE will display just "README.TXT" in the download dialog
    (unless patched). Apparently "%00" gets decoded and some of the string
    handling functions believe the filename string ends there. When opening
    the file (if the user chooses to "Open" it) though, the whole filename is
    used and the program gets run.
    
    If the keyword "inline" is used with the Content-disposition header
    instead of "attachment" and the MIME type is chosen right, then the
    browser downloads and runs the program without any download dialogs or
    warnings. The MIME type of the file can be set via the Content-type HTTP
    header. The MIME types causing the file to be automatically run seem to
    vary in different IE versions. With IE6 e.g. "text/css" can be used to
    produce the effect. With IE5 e.g. "audio/midi" can be used instead.
    
    The "file name spoofing" and "automatic running of programs" issues are
    in effect the same null byte vulnerability. The MIME type determines
    whether the program gets started automatically or the download dialog is
    used.
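    The following is an added example, not part of the original posting, showing
    how a filtering proxy or mail gateway could flag the header combination
    described above before it reaches a client: it percent-decodes the
    Content-disposition filename, compares the name a truncating string
    function would "see" with the full name, and reports an inline disposition
    that resolves to an executable extension. The header samples are
    constructed for the example, and the list of "executable" extensions is an
    assumption, not something the posting specifies.

```python
import os
import re
from urllib.parse import unquote

# Assumed set of extensions a gateway would treat as directly runnable on Windows.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}

# Constructed sample response headers (not captured traffic). The first mirrors
# the header combination described in the posting; the second is a benign download.
SUSPICIOUS_RESPONSE = """HTTP/1.0 200 OK
Content-Type: text/css
Content-Disposition: inline; filename="README.TXT%00PROG.EXE"
"""

BENIGN_RESPONSE = """HTTP/1.0 200 OK
Content-Type: text/plain
Content-Disposition: attachment; filename="README.TXT"
"""


def parse_headers(raw: str) -> dict:
    """Turn a raw header block into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" not in line:          # status line or blank line
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def filename_from_disposition(value: str):
    """Extract the filename parameter (quoted or bare) from a Content-Disposition value."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', value, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def extension(name: str) -> str:
    """Lower-cased extension of a filename ('' if none)."""
    return os.path.splitext(name)[1].lower()


def analyze_headers(raw: str) -> dict:
    """Report the displayed vs. real filename and any findings for one response."""
    headers = parse_headers(raw)
    disposition = headers.get("content-disposition", "")
    disposition_type = disposition.split(";", 1)[0].strip().lower()
    content_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()

    raw_name = filename_from_disposition(disposition) or ""
    real_name = unquote(raw_name)                 # "%00" decodes to a NUL byte
    displayed_name = real_name.split("\x00", 1)[0]  # what a C-string-style function sees

    findings = []
    if "\x00" in real_name:
        findings.append("nul-in-filename")
    if extension(displayed_name) != extension(real_name):
        findings.append("extension-spoof")
    if disposition_type == "inline" and extension(real_name) in EXECUTABLE_EXTENSIONS:
        findings.append("inline-executable")

    return {
        "content_type": content_type,
        "disposition": disposition_type,
        "displayed_name": displayed_name,
        "real_name": real_name,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RESPONSE), ("benign", BENIGN_RESPONSE)):
        report = analyze_headers(sample)
        print(label, report["displayed_name"], "->", repr(report["real_name"]), report["findings"])
```

    A gateway applying this check would reject or quarantine any response
    whose findings list is non-empty; a patched client is still the real fix,
    since the check only covers the Content-disposition path described here.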
    
    If you want to check if your browser is vulnerable, you can do it on this
    web page:
    
      http://www.solutions.fi/iebug2
    
    After clicking the link there, a vulnerable IE will download a small
    program and run it. The program will run in a DOS window and print a
    message. If this happens, you should patch your browser. The patch
    has been available since 13 December 2001 at Microsoft's site:
    
      http://www.microsoft.com/technet/security/bulletin/MS01-058.asp
    
    A non-vulnerable IE will show a download dialog with a filename ending
    with ".EXE".
    
    
    
    -- 
    Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
    joukoat_private      http://www.solutions.fi    http://www.secmod.com
    



    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 17:09:24 PST