Home page logo

bugtraq logo Bugtraq mailing list archives

RE: playing for fun with <=IE7
From: "avivra" <avivra () gmail com>
Date: Tue, 16 Oct 2007 00:21:10 +0200


This is actually a 3 years old vulnerability.
It can also be used to open any type of file (with .exe extension) using its
external application, instead of opening it with the associated browser
plug-in (if exists).
E.g. I've been able to use this old vuln to automate the PDF attack vector
found by GNUCitizen's pdp.
More info: http://aviv.raffon.net/2007/10/15/BackFromTheDead.aspx 


-----Original Message-----
From: laurent.gaffie () gmail com [mailto:laurent.gaffie () gmail com] 
Sent: Friday, October 12, 2007 10:34 PM
To: bugtraq () securityfocus com
Subject: playing for fun with <=IE7

playing for fun with <=IE7 

Impact: who knows ...

Fix Available: no


1) Bug 

2) Proof of concept



1) Bug 


it's possible to bypass the extension filter of <=IE7  this can result by

an arbitrary exe file 


2)proof of concept


let's take this exemple :


this is simply putty .

you click on this and then you will be prompted for downloading the file.

but what about if we do :


... the .exe is showed.

now let's go a bit ahead :


wow my .exe is downloaded directly and located in temporary files ( and
"""opened""" by windows media player).

works with theses extension :











etc ...


5) Conclusion


this is very funny , because actually it only works for .exe extensions.

.COM , .PIF , etc  you CANT do this. ( overwrite the extension , and then
bypass the filter)

i guess we can wonder what the heck.


regards laurent gaffi×™

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]