Hi,

This is actually a 3 years old vulnerability.
It can also be used to open any type of file (with .exe extension) using its
external application, instead of opening it with the associated browser
plug-in (if exists).
E.g. I've been able to use this old vuln to automate the PDF attack vector
found by GNUCitizen's pdp.
More info: http://aviv.raffon.net/2007/10/15/BackFromTheDead.aspx

--Aviv.

-----Original Message-----
From: laurent.gaffie (at) gmail (dot) com [email concealed] [mailto:laurent.gaffie (at) gmail (dot) com [email concealed]]
Sent: Friday, October 12, 2007 10:34 PM
To: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: playing for fun with <=IE7

playing for fun with <=IE7

Impact: who knows ...

Fix Available: no

-------------------------------------------------------

1) Bug

2) Proof of concept

3)Conclusion

======

1) Bug

======

it's possible to bypass the extension filter of <=IE7 this can result by
downloading

an arbitrary exe file

=====

2)proof of concept

=====

let's take this exemple :

http://dams083.free.fr/tmp/putty.exe

this is simply putty .

you click on this and then you will be prompted for downloading the file.

but what about if we do :

http://dams083.free.fr/tmp/putty.exe?1.txt

... the .exe is showed.

now let's go a bit ahead :

http://dams083.free.fr/tmp/putty.exe?1.cda

wow my .exe is downloaded directly and located in temporary files ( and
"""opened""" by windows media player).

works with theses extension :

.log

.dif

.sol

.htt

.itpc

.itms

.dvr-ms

.dib

.asf

.tif

etc ...

=====

5) Conclusion

=====

this is very funny , because actually it only works for .exe extensions.

.COM , .PIF , etc you CANT do this. ( overwrite the extension , and then
bypass the filter)

i guess we can wonder what the heck.

regards laurent gaffié

[ reply ]