Vulnerability Development mailing list archives
Re: Automatic MIME type detection in Internet Explorer 6.x allowed
From: Thor Larholm <thor () polypath com>
Date: Fri, 04 Aug 2006 12:57:27 +0200
Denis Jedig wrote:
> If you change file headers to JPEGs, it's not an executable file any more - that simple.
When the file headers are JPEG it's no longer an executable file - for that specific HTTP session of that specific IEXPLORE instance. Outside those constraints, you have still managed to plant an EXE file in a known/predictable location on the target system.
> Even if it were, "downloading" something and placing it in temporary files is not a vulnerability. Executing it is, but this can't happen with the described mechanisms.
Not all vulnerabilities lead to immediate command or code execution. Being able to consistently place an executable file in a known location, however, is an important step in many browser exploit scenarios where you combine several weaknesses to produce the desirable outcome. OBJECT codeBase still allows you to execute files from a known location, you just have to find (yet another) weakness that allows you to circumvent zone boundaries and jump into e.g. HTML help or a whitelisted application such as MSN Messenger, both of which can allow codeBase to still function.
-- Thor Larholm