Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: GOOROO CROSSING: File Spoofing Internet Explorer 6

From: "Oliver Lavery" <olavery () pivx com>
Date: Tue, 27 Jan 2004 16:54:57 -0500

        For those who don't have their http-equiv speak secret-decoder-ring
with them, the GUID in this file extension causes the file to be treated as
an HTML Application instead of the mpeg file it 'appears' to be.

        However, if you try out the 'demo', you'll see that you get prompted
with the standard IE Open/Save dialog box that warns the user that opening
files can be dangerous. That dialog doesn't list any file type for the file,
MPEG or otherwise. The only thing that's misleading is that the file appears
to have a .mpeg extension. If you save the file to disk, as opposed to
opening it directly, then it's treated as a .mpeg, as you would expect.

        Personally I don't think this is much of an issue. This trick makes
a file _sort_of_ appear to be of a different type than it actually is.
Opening content from the web directly is dangerous, we all knew that
already. For this trick to be used as an attack vector, a user must
intervene and do something which is known to be dangerous, and labelled as
such. IE should proabably display the correct file-type 'HTML Application'
instead of leaving this part of the dialog blank.

        The real problem is that IE makes it far too easy for users to run
executable content that's downloaded from the web. That's just a bad idea. 

Cheers,
~x



-----Original Message-----
From: http-equiv () excite com [mailto:1 () malware com] 
Sent: January 27, 2004 12:27 PM
To: bugtraq () securityfocus com
Cc: NTBugtraq () listserv ntbugtraq com
Subject: GOOROO CROSSING: File Spoofing Internet Explorer 6




Tuesday, January 27, 2004 

Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all 
of 'its' patches to date on WIN XP [probably others]:

Content-Disposition: attachment; 
filename=malware.{3050f4d8-98B5- 
11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"

Absolute bare minimum working demo [perhaps even feeble] as we 
are absolutely confident the self-appointed resident gooroo will 
be along shortly handing out packets of two cents to everyone 
thus saving us the effort to illustrate in even greater detail 
to those lacking imagination:



http://www.malware.com/gooroo.html



End Call

-- 
http://www.malware.com




---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.558 / Virus Database: 350 - Release Date: 02/01/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.558 / Virus Database: 350 - Release Date: 02/01/2004
Previous By Date Next
Previous By Thread Next

Current thread: