Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: playing for fun with <=IE7
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sat, 13 Oct 2007 14:05:44 -0400

It is interesting. I've even confirmed the behavior with IE 7 in Vista.

Although the real concern is if it could be used in an exploitation? 

The examples below aren't exploitable...just interesting outcomes.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*****************************************************************


-----Original Message-----
From: laurent.gaffie () gmail com [mailto:laurent.gaffie () gmail com] 
Sent: Friday, October 12, 2007 4:34 PM
To: bugtraq () securityfocus com
Subject: playing for fun with <=IE7

playing for fun with <=IE7
Impact: who knows ...
Fix Available: no

-------------------------------------------------------


1) Bug
2) Proof of concept
3)Conclusion



======
1) Bug 
======
it's possible to bypass the extension filter of <=IE7  this can result by downloading
an arbitrary exe file 

=====
2)proof of concept
=====
let's take this exemple :
http://dams083.free.fr/tmp/putty.exe
this is simply putty .
you click on this and then you will be prompted for downloading the file.
but what about if we do :
http://dams083.free.fr/tmp/putty.exe?1.txt
... the .exe is showed.
now let's go a bit ahead :
http://dams083.free.fr/tmp/putty.exe?1.cda
wow my .exe is downloaded directly and located in temporary files ( and """opened""" by windows media player).
works with theses extension :
.log
.dif
.sol
.htt
.itpc
.itms
.dvr-ms
.dib
.asf
.tif
etc ...
=====
5) Conclusion
=====
this is very funny , because actually it only works for .exe extensions.

.COM , .PIF , etc  you CANT do this. ( overwrite the extension , and then bypass the filter)
i guess we can wonder what the heck.
 

regards laurent gaffiƩ


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]