Denis Jedig wrote:
> If you change file headers to JPEGs, it's not an executable file any
> more - that simple.
When the file headers are JPEG it's no longer an executable file - for
that specific HTTP session of that specific IEXPLORE instance. Outside
those constraints, you have still managed to plant an EXE file in a
known/predictable location on the target system.
> Even if it were, "downloading" something and placing it in temporary
> files is not a vulnerability. Executing it is, but this can't happen
> with the described mechanisms.
Not all vulnerabilities lead to immediate command or code execution.
Being able to consistently place an executable file in a known location,
however, is an important step in many browser exploit scenarios where
you combine several weaknesses to produce the desirable outcome. OBJECT
codeBase still allows you to execute files from a known location, you
just have to find (yet another) weakness that allows you to circumvent
zone boundaries and jump into e.g. HTML Help or a whitelisted
application such as MSN Messenger, both of which can allow codeBase to
still function.
--
Thor Larholm
Received on Aug 04 2006