Vulnerability Development mailing list archives
Re: possible new "e-mail virus" concept ? + bypassing IE settings
From: 11a () GMX NET (Bluefish)
Date: Sun, 21 May 2000 00:28:28 +0200
> When opening this page in I.E., the complete file got downloaded (I.E. assumed this was a .BMP file), however it showed a red cross in I.E. like the ones you get with image not found. If I changed the BM back to MZ and renamed it back to file.exe I was able to run this program, I even did a binary file compare and it was exactly the same as the original one. (so no stripping occurred.)
This is expected... Would be surprising if it was any other way around.
> While looking for a way to bypass the Internet Explorer (I.E.) Security setting that disables all downloads a while ago, I noticed that I.E. automatically downloads image files (unless you have images disabled) and stores them in the "temporary internet files" folder.
LOL, I wasn't aware of the option. Someone relying upon that to work must have missed the "covert channel" subject when learning computer security. However, you don't need "image" binaries to get around this function. A simple HTML file will do well (if it checks against binaries, simply make a valid HTML file containing your executable somehow [like in the .bat example]). This would be easier/more reliable, IMHO.
> Meanwhile, I noticed that the image files for I.E. don't need to have a valid image file extension, anything will work fine. (and IE uses temporary files with the same name as the original files.)
You seem to be a bit off here, and at some other lines in your mail. The internet standard (well, IE makes a few exceptions from this, but...) is relying upon what the server identifies the files as (MIME). To make a http claim whatever you like isn't even a coding problem, it's a mere configuration problem. Especially given interactive pages, it would be very stupid to rely on the receiver to identify what an incoming file is.
> (I could use some %codes in the filename in the .html to scramble the dir and fool I.E.) That way, we might be able to save the temporary files in other dirs than "the temporary internet files" folder.
I feel fairly certain the IE bug you are assuming to exist doesn't. Feel free to test it, but I feel rather certain what the result will be. If such a bug exists in IE, some coders should be sent to the torture chambers for a few days... Well, you seem to be entirely off in your understanding of the HTTPD workings, but it was interesting to find out that Microsoft has such a stupid thing like forbidding user download. (but it might do some good as it stops the stupid people from downloading without understanding what they do, but it's no way to defend yourself from insiders bringing stuff in)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
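
Added example, not part of the original message: the thread's point is that neither the file extension nor the type the server declares says what the bytes are, so a defender inspecting cached or inbound files should check structure instead. This sketch flags a file whose first two bytes say BM while the rest is still a PE image; the function names and sample bytes are constructed for illustration.

```python
import struct

VALID_DIB_SIZES = {12, 40, 52, 56, 64, 108, 124}  # known BMP info-header sizes

def has_pe_signature(data: bytes) -> bool:
    """True if the DOS-header field e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def bmp_header_consistent(data: bytes) -> bool:
    """Strict check: declared size, pixel offset and info-header size must fit."""
    if len(data) < 18 or data[:2] != b"BM":
        return False
    bf_size, _r1, _r2, bf_off_bits, bi_size = struct.unpack_from("<IHHII", data, 2)
    return (bf_size == len(data) and bi_size in VALID_DIB_SIZES
            and 14 + bi_size <= bf_off_bits <= len(data))

def classify(data: bytes) -> str:
    """Classify bytes by structure, ignoring file name and declared type."""
    if has_pe_signature(data):
        return "pe" if data[:2] == b"MZ" else "disguised-pe"
    if data[:2] == b"BM":
        return "bmp" if bmp_header_consistent(data) else "invalid-bmp"
    return "unknown"

def make_pe_stub() -> bytes:
    """Constructed sample: minimal DOS header whose e_lfanew points at a PE signature."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

def make_bmp() -> bytes:
    """Constructed sample: 2x2, 24-bit, all-black bitmap (70 bytes)."""
    pixels = bytes(16)  # two rows, each padded to 8 bytes
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    header = b"BM" + struct.pack("<IHHI", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
    return header + dib + pixels

if __name__ == "__main__":
    swapped = b"BM" + make_pe_stub()[2:]  # the BM-for-MZ swap described in the thread
    for name, blob in [("real bmp", make_bmp()), ("pe", make_pe_stub()), ("swapped", swapped)]:
        print(f"{name:10s} -> {classify(blob)}")
```

The size comparison is deliberately strict; some real bitmaps carry an inaccurate size field and would be reported as invalid-bmp for manual review.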