Full Disclosure mailing list archives
Re: GOOROO CROSSING: File Spoofing Internet Explorer 6
From: Jelmer <jkuperus () planet nl>
Date: Wed, 28 Jan 2004 02:03:04 +0100
Good boy here's a cookie ----- Original Message ----- From: "Thor Larholm" <thor () pivx com> To: <1 () malware com>; <full-disclosure () lists netsys com> Sent: Wednesday, January 28, 2004 1:16 AM Subject: Re: [Full-disclosure] GOOROO CROSSING: File Spoofing Internet Explorer 6
You're not very detailed about what happens behind the curtain, so here
goes :)
When an HTTP request returns its data, IE tries to determine the MIME
type based on several factors [0]. In this case, IE determines that it
cannot render the data as HTML since there is a Content-Disposition
header - Content-Disposition is used whenever you e.g. output a binary
file from a serverside script and want the filename to be displayed as
"ProjectScope.doc" instead of "download.php" (your scripts name).
The Content-Disposition HTTP header itself is not to blame, it is a
standard MIME header from RFC 1806 that has been widely implemented in
all browsers precisely to allow arbitrary filenaming.
Since IE cannot display the data itself, it displays the Open/SaveAs
dialog box so that the user can decide. The %2E in the filename is URL
decoded and displayed as a . (dot) in the dialog. This URL decoding
should simply not be performed as we are dealing with a file dialog and
not a URL dialog, if %2E had not been decoded we would not be having
this issue.
Whatever action the user takes is then handled by Windows Explorer, we
are now no longer dealing with IE. Windows Explorer determines what
application to open the data with based on lesser rules than Internet
Explorer, for one it does not look at the Content-Type header since it
does not know about it. The first step of action is to compare the file
extensions, only in the case of an unknown file extension does Windows
Explorer perform its "magic filetype" guessing by inspecting the files
content.
The file extension in Windows is no longer limited to 3 characters,
though historical reasons have kept most application extensions confined
to these. Windows Explorer parses the filename, excluding its path, and
determines that the file extension is everything following the last .
(dot) character, in this case ".{GUID}%2Efunny.mpeg". Common extensions
are either a set of printable characters or a GUID, with the latter
having priority over the former. After this, a lookup is performed in
the registry for HKCR\CLSID\.GUID and HKCR\.EXT, with EXT being the file
extension that we discovered and GUID the CLSID we found, and a match is
found for the GUID prior to the entire file extension. The GUID points
at "HTML Application" which points at MSHTA.EXE, which is then used to
display the data.
As with the ".Folder" issue, this definitely eases social engineering.
Internet Explorer should not URL decode strings for file dialogs and
Windows Explorer should not give precedence to CLSID's.
[0]
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_
a.asp
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix <http://www.qwik-fix.net>
----- Original Message -----
From: "http-equiv () excite com" <1 () malware com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, January 27, 2004 9:28 AM
Subject: [Full-disclosure] GOOROO CROSSING: File Spoofing Internet
Explorer
6Tuesday, January 27, 2004 Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all of 'its' patches to date on WIN XP [probably others]: Content-Disposition: attachment; filename=malware.{3050f4d8-98B5- 11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg" Absolute bare minimum working demo [perhaps even feeble] as we are absolutely confident the self-appointed resident gooroo will be along shortly handing out packets of two cents to everyone thus saving us the effort to illustrate in even greater detail to those lacking imagination: http://www.malware.com/gooroo.html End Call -- http://www.malware.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- GOOROO CROSSING: File Spoofing Internet Explorer 6 http-equiv () excite com (Jan 27)
- Re: GOOROO CROSSING: File Spoofing Internet Explorer 6 Thor Larholm (Jan 27)
- Re: GOOROO CROSSING: File Spoofing Internet Explorer 6 Jelmer (Jan 27)
- Re: GOOROO CROSSING: File Spoofing Internet Explorer 6 Jelmer (Jan 27)
- Virus Notification Hell (VNH) Geo. (Jan 28)
- Re: GOOROO CROSSING: File Spoofing Internet Explorer 6 Thor Larholm (Jan 27)