lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20040711155226.28273.qmail@www.securityfocus.com>
Date: 11 Jul 2004 15:52:26 -0000
From: Paul <paul@...yhats.cjb.net>
To: bugtraq@...urityfocus.com
Subject: MSIE Download Window Filename + Filetype Spoofing Vulnerability




Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net

Download Window Filename + Filetype Spoofing Vulnerability 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
When a webpage offers a file who's mime type can't be opened in a browser, Internet Explorer usually displays a download window with the filename and its type. Previous vulnerabilities have been used to spoof the filename so the victim thinks the file is something it isn't. This is one of those vulnerabilities. 

Window.createPopup() creates a popup that goes on top of every other window. This includes applications other than internet explorer. This doesn't seem like the greatest idea, but it could be useful if you want to get urgent information out to someone. By placing the popup in a certain location, we can cover up the filename and its type in the download window and replace it with our own. One more thing, we need to set the popup's onoffload to open itself back up, because if the parent window is clicked after a popup opens, the popup is closed. 

The example tells internet explorer to download badfile.exe, which of course is an 'Application'. A popup is then opened covering up the filename and type and replaces it with 'sexycoeds.jpg' (GGW commercial was on when I was writing this ;) which is a 'JPEG Image'. The viewer should press 'open' to view the sexy coeds right away, which will download and run badfile.exe. If you want, you can name the executable sexycoeds.exe and change the icon so if the user presses 'save' windows should hide the extension and it will still look like a jpg image. 

[Example]
http://freehost07.websamba.com/greyhats/dlwinspoof.htm

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ