MSIE Download Window Filename + Filetype Spoofing Vulnerability

[Paul <paul () greyhats cjb net>]

Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net

Download Window Filename + Filetype Spoofing Vulnerability 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
When a webpage offers a file who's mime type can't be opened in a browser, Internet Explorer usually displays a 
download window with the filename and its type. Previous vulnerabilities have been used to spoof the filename so the 
victim thinks the file is something it isn't. This is one of those vulnerabilities. 

Window.createPopup() creates a popup that goes on top of every other window. This includes applications other than 
internet explorer. This doesn't seem like the greatest idea, but it could be useful if you want to get urgent 
information out to someone. By placing the popup in a certain location, we can cover up the filename and its type in 
the download window and replace it with our own. One more thing, we need to set the popup's onoffload to open itself 
back up, because if the parent window is clicked after a popup opens, the popup is closed. 

The example tells internet explorer to download badfile.exe, which of course is an 'Application'. A popup is then 
opened covering up the filename and type and replaces it with 'sexycoeds.jpg' (GGW commercial was on when I was writing 
this ;) which is a 'JPEG Image'. The viewer should press 'open' to view the sexy coeds right away, which will download 
and run badfile.exe. If you want, you can name the executable sexycoeds.exe and change the icon so if the user presses 
'save' windows should hide the extension and it will still look like a jpg image. 

[Example]
http://freehost07.websamba.com/greyhats/dlwinspoof.htm