lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9D9E0A829F9FD41195FD00D0B7C9ED290255498F@pikachu.mpddom.internal>
Date: Mon, 12 Jul 2004 13:38:56 -0700
From: "Eric McCarty" <eric@...mpd.com>
To: "Drew Copley" <dcopley@...e.com>, "Paul" <paul@...yhats.cjb.net>,
	<bugtraq@...urityfocus.com>
Subject: RE: MSIE Download Window Filename + Filetype Spoofing Vulnerability


The examples do not work on XP Sp2 version of IE. (6.0.2900.2149).

E.

-----Original Message-----
From: Drew Copley [mailto:dcopley@...e.com]
Sent: Monday, July 12, 2004 11:21 AM
To: Paul; bugtraq@...urityfocus.com
Subject: RE: MSIE Download Window Filename + Filetype Spoofing
Vulnerability


This is an open bug. (One which is rather disturbing, so I am
not sure why Microsoft has chosen to not fix it.)

Date: 21 October 2001 
http://www.guninski.com/popspoof.html

"Demonstration: 

Image moving over download/open dialog: 
http://www.guninski.com/opf2.html "


 

> -----Original Message-----
> From: Paul [mailto:paul@...yhats.cjb.net] 
> Sent: Sunday, July 11, 2004 8:52 AM
> To: bugtraq@...urityfocus.com
> Subject: MSIE Download Window Filename + Filetype Spoofing 
> Vulnerability
> 
> 
> 
> Note: This vulnerability as well as several more can be found 
> at http://www.greyhats.cjb.net
> 
> 
> 
> Download Window Filename + Filetype Spoofing Vulnerability 
> 
> 
> 
> [Tested]
> 
> IEXPLORE.EXE file version 6.0.2800.1106
> 
> MSHTML.DLL file version 6.00.2800.1400
> 
> Microsoft Windows XP sp2 
> 
> 
> 
> [Discussion]
> 
> When a webpage offers a file who's mime type can't be opened 
> in a browser, Internet Explorer usually displays a download 
> window with the filename and its type. Previous 
> vulnerabilities have been used to spoof the filename so the 
> victim thinks the file is something it isn't. This is one of 
> those vulnerabilities. 
> 
> 
> 
> Window.createPopup() creates a popup that goes on top of 
> every other window. This includes applications other than 
> internet explorer. This doesn't seem like the greatest idea, 
> but it could be useful if you want to get urgent information 
> out to someone. By placing the popup in a certain location, 
> we can cover up the filename and its type in the download 
> window and replace it with our own. One more thing, we need 
> to set the popup's onoffload to open itself back up, because 
> if the parent window is clicked after a popup opens, the 
> popup is closed. 
> 
> 
> 
> The example tells internet explorer to download badfile.exe, 
> which of course is an 'Application'. A popup is then opened 
> covering up the filename and type and replaces it with 
> 'sexycoeds.jpg' (GGW commercial was on when I was writing 
> this ;) which is a 'JPEG Image'. The viewer should press 
> 'open' to view the sexy coeds right away, which will download 
> and run badfile.exe. If you want, you can name the executable 
> sexycoeds.exe and change the icon so if the user presses 
> 'save' windows should hide the extension and it will still 
> look like a jpg image. 
> 
> 
> 
> [Example]
> 
> http://freehost07.websamba.com/greyhats/dlwinspoof.htm
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ