This posting briefly describes some technical details of the vulnerability discussed in the Bugtraq messages with the subjects "MSIE may download and run programs automatically" (Dec 14 2001) and "File extensions spoofable in MSIE download dialog" (Nov 26 2001).

The flaw allows a malicious web site to make Internet Explorer download and run programs when a user is visiting the web site or reading an HTML mail message. By exploiting it, any download and Security Warning dialogs can be circumvented. The program starts without further user interaction.

The trick is simply to use a null byte in the filename. A malicious web server can set a filename like "README.TXT%00PROG.EXE" via the Content-disposition HTTP header. If this kind of filename is set for an attachment, IE will display just "README.TXT" in the download dialog (unless patched). Apparently "%00" gets decoded and some of the string handling functions believe the filename string ends there. When opening the file (if the user chooses to "Open" it) though, the whole filename is used and the program gets run.

If the keyword "inline" is used with the Content-disposition header instead of "attachment" and the MIME type is chosen right, then the browser downloads and runs the program without any download dialogs or warnings. The MIME type of the file can be set via the Content-type HTTP header. The MIME types causing the file to be automatically run seem to vary in different IE versions. With IE6 e.g. "text/css" can be used to produce the effect. With IE5 e.g. "audio/midi" can be used instead.

The "file name spoofing" and "automatic running of programs" issues are in effect the same null byte vulnerability. The MIME type determines whether the program gets started automatically or the download dialog is used.

If you want to check if your browser is vulnerable, you can do it on this web page: http://www.solutions.fi/iebug2 After clicking the link there, a vulnerable IE will download a small program and run it.
The program will run in a DOS window and print a message. If this happens, you should patch your browser. The patch has been available since 13 December 2001 at Microsoft's site: http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

A non-vulnerable IE will show a download dialog with a filename ending with ".EXE".

-- 
Jouko Pynnonen
Online Solutions Ltd
Secure your Linux - jouko@solutions.fi
http://www.solutions.fi
http://www.secmod.com
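The following Python check, added here and not part of the original posting, shows what a mail gateway or web proxy can look at in a Content-disposition header to catch the header shape described above: it percent-decodes the filename parameter the way the advisory says IE did, splits it at the first NUL to get the name the dialog would have shown, and compares that with the extension of the whole name. It also flags the "inline" plus executable-extension combination and a Content-type that does not match an executable. The function name, the list of executable extensions and the sample headers are constructed for this example; the assumption that the file system sees the decoded name with the NUL dropped is an assumption of the example, not a statement from the advisory.

```python
import os
import urllib.parse

# Extensions Windows runs directly when the file is opened.
# Constructed list for this example; extend it for your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs"}


def parse_content_disposition(header_value):
    """Split a Content-Disposition value into (disposition, {param: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    disposition = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        params[key.strip().lower()] = value.strip().strip('"')
    return disposition, params


def inspect_content_disposition(header_value, content_type=None):
    """Describe how a client that percent-decodes the filename and stops at the
    first NUL would present the file versus what it would actually open."""
    disposition, params = parse_content_disposition(header_value)
    raw_name = params.get("filename", "")

    # The advisory says %00 gets decoded, so a real NUL ends up in the string.
    decoded = urllib.parse.unquote(raw_name)
    # What a C-string based dialog shows: everything before the first NUL.
    displayed_name, _, _ = decoded.partition("\x00")
    # What the file system call sees: the whole name with the NUL dropped
    # (assumption made for this example).
    effective_name = decoded.replace("\x00", "")

    displayed_ext = os.path.splitext(displayed_name)[1].lower()
    effective_ext = os.path.splitext(effective_name)[1].lower()

    embedded_null = "\x00" in decoded
    extension_mismatch = displayed_ext != effective_ext
    executable = effective_ext in EXECUTABLE_EXTENSIONS
    # "inline" plus an executable is the combination the advisory describes
    # as running without any dialog.
    inline_executable = executable and disposition == "inline"
    # An executable labelled with a non-application media type (e.g. text/css,
    # audio/midi) is the MIME trick from the advisory.
    type_mismatch = (
        executable
        and content_type is not None
        and not content_type.lower().startswith("application/")
    )

    reasons = []
    if embedded_null:
        reasons.append("embedded NUL in filename")
    if extension_mismatch:
        reasons.append("displayed extension differs from effective extension")
    if inline_executable:
        reasons.append("executable served inline")
    if type_mismatch:
        reasons.append("executable served under non-application Content-type")

    return {
        "disposition": disposition,
        "displayed_name": displayed_name,
        "effective_name": effective_name,
        "effective_extension": effective_ext,
        "embedded_null": embedded_null,
        "extension_mismatch": extension_mismatch,
        "reasons": reasons,
        "verdict": "reject" if reasons else "allow",
    }


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        ('attachment; filename="README.TXT%00PROG.EXE"', None),
        ('inline; filename="README.TXT%00PROG.EXE"', "text/css"),
        ('attachment; filename="report.pdf"', "application/pdf"),
        ('attachment; filename="setup.exe"', "application/octet-stream"),
    ]
    for header, ctype in samples:
        result = inspect_content_disposition(header, ctype)
        print(f"{header!r:50} -> {result['verdict']}: {', '.join(result['reasons']) or 'ok'}")
```

The last sample shows the benign case from the advisory: an attachment whose name honestly ends in ".EXE" is allowed through, because the user sees the real extension in the download dialog. Only the name that would be displayed differently from what is opened, or an executable pushed through the inline/MIME-type path, is rejected.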