This posting is a revision of the one sent to Bugtraq on 26 Nov 2001 with the subject "File extensions spoofable in Microsoft IE download dialog" and discusses some details and newly found impacts of the vulnerability.

OVERVIEW

Due to a flaw in the way Microsoft Internet Explorer handles certain HTTP reply strings, a web site can spoof the name of a file being requested and disguise it as a harmless file. As opposed to what I stated in the previous posting, a variation of this exploit may cause the browser to download and run a program file automatically without any user interaction or decision. This may lead to system compromise when visiting a malicious web site or opening an HTML mail message which directs the user to such a site. Opening an e-mail attachment or accepting a file download is NOT required.

With some versions of IE, the origin web server of the file being downloaded can also be hidden by using a variation of this exploit. In this case it will show an empty string instead of the host name in the download dialog.

Internet Explorer versions 6, 5.5, and 5.0 have been tested and found vulnerable. The only version which hasn't automatically downloaded and started an .exe program in our tests is 5.5 with Service Pack 2. We don't know whether it could be vulnerable to some other variation of the exploit (different MIME types or other HTTP header contents, maybe?). It is, however, vulnerable to the "plain" file name spoofing attack.

VULNERABLE VERSIONS

                      File ext    Bypassing     Hiding file
IE Version            spoofing    all dialogs   origin
----------------------------------------------------------
IE 6                  yes         yes           no
IE 5.5 SP2            yes         no?           yes
IE 5.5                yes         yes           yes
IE 5.0                yes         yes

DETAILS

The problem is in the way Internet Explorer handles the Content-type and Content-disposition HTTP headers of a web server reply.
With certain combinations of specially crafted reply strings, the browser can be made first to start downloading the file without asking for confirmation from the user, and then to open it - or in this case, run it. The same method which can mislead the user in the "plain" file name spoof variation of the attack can be used to mislead the browser's logic, resulting in automatic execution of the program.

WORKAROUNDS

If the patch for some reason can't be applied, disabling file downloads from Tools -> Internet options -> Security -> Custom level -> Downloads/File download seems to stop the exploit. No other known workarounds exist at the moment, except switching to another browser such as Opera or Netscape, which don't seem to suffer from this problem.

VENDOR STATUS

Microsoft was initially contacted on November 19th with the information regarding the "file extension spoofing" problem. The Security Warning dialogs of IE5 could be bypassed with that exploit, but the "automatically start an .exe" variation of the vulnerability wasn't known at the time. Microsoft didn't consider the file extension spoofing problem a security vulnerability. The company was informed about the new variation on November 27th and started working on a patch to correct the flaw. The patch is now out and downloadable on Microsoft's site at http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

-- 
Jouko Pynnonen
Online Solutions Ltd
Secure your Linux - jouko@solutions.fi
http://www.solutions.fi
http://www.secmod.com
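As an added, defender-side illustration of the DETAILS section above (not part of the original advisory, and not the author's or Microsoft's code), the following Python inspects an HTTP response header block for the kind of inconsistency the advisory describes: a Content-Disposition filename with an executable extension served under a Content-Type that claims a harmless media type. The advisory does not give the crafted strings, so the mismatch rule, the control-character check and the names EXECUTABLE_EXTS, HARMLESS_PREFIXES and check_response are assumptions for this example, and the sample headers are constructed.

```python
import re
from typing import Dict, List, Optional

# File extensions Windows runs directly (constructed list for this example, not from the advisory).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "hta"}
# Top-level media types that never legitimately carry a directly executable file (assumption).
HARMLESS_PREFIXES = ("text/", "image/", "audio/", "video/")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response header block into a dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank separator line or body text
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def disposition_filename(value: str) -> Optional[str]:
    """Return the filename= parameter of a Content-Disposition value, quoted or bare."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;]*))', value, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def check_response(raw: str) -> List[str]:
    """Flag header combinations that present an executable download as something harmless."""
    h = parse_headers(raw)
    findings: List[str] = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    fname = disposition_filename(h.get("content-disposition", ""))
    if fname is None:
        return findings
    # Control characters (NUL, CR, LF, ...) inside a filename can change what a
    # download dialog displays, so they are flagged on their own (assumption).
    if any(ord(c) < 0x20 for c in fname):
        findings.append("control character in Content-Disposition filename")
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    if ext in EXECUTABLE_EXTS and ctype.startswith(HARMLESS_PREFIXES):
        findings.append(f"executable .{ext} served as {ctype}")
    return findings


# Constructed sample: a program file announced to the browser as plain text.
SAMPLE_SPOOFED = 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; filename="readme.exe"\r\n\r\n'
```

A proxy or log reviewer can run check_response over captured response headers; an empty list means the declared type and the offered filename agree.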