[From nobody Tue Nov 18 17:13:33 2008
List-Id: <vuln-dev.list-id.securityfocus.com>
Date: 3 Aug 2006 10:08:02 -0000
Message-ID: <20060803100802.13243.qmail@securityfocus.com>
From: knight4vn@yahoo.com
To: vuln-dev@securityfocus.com
Subject: Automatic MIME type detection in Internet Explorer 6.x allowed

Automatic MIME type detection in Internet Explorer 6.x allows
downloading executable files automatically

+Background:
  What is Internet Explorer automatic MIME type detection?
 - This feature was included in IE to detect the exact MIME type of a
   file sent from the server to the browser, using the
   FindMimeFromData method.

+Description:
 - I've found out that, using automatic MIME type detection, we can
   force IE to download any file (including an executable file) without
   the user's knowledge by causing IE to treat the executable file as
   an image (jpg, gif, ...). Thus, IE automatically downloads the file
   regardless of the file type and saves it in the "Temporary Internet
   Files" folder when the user visits the attacker's website.

+Exploitation:
   - Force the user to download any executable file:
          _ Create a file named "app.exe" with a head body containing
            the content of any jpg file, to force IE MIME type
            detection to recognize it as an image file.
          _ When the user browses the website which contains the file
            we've just created, IE simply treats it as an image, so it
            automatically saves that file in the Temporary folder.
         * This exploit can be found here:
	Open this link: http://sendmailplus.com/knight4vn/app1.exe
	Open this link: http://sendmailplus.com/knight4vn/app2.exe
	After that, check for the appearance of "app1.exe" and "app2.exe"
	in your "Temporary internet folder".
   - IE treats malicious JavaScript as an image:
         * This exploit can be found here:
	http://www.sendmailplus.com/knight4vn/js.gif
	http://www.sendmailplus.com/knight4vn/js.jpg
	http://www.sendmailplus.com/knight4vn/js.png

Discovered by: Knight Commander (knight4vn@yahoo.com, knight4vn@vietcert.com)

]
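
Added example (not part of the original message): a server-side check that flags the two name/content mismatches the advisory describes, an executable name carrying an image header and an image name whose bytes are not that image type. The function names, the executable-extension list and the sample bytes are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures for the image types named in the advisory.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
IMAGE_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
             ".gif": "image/gif", ".png": "image/png"}
# Assumed list of extensions that must never carry image-looking content.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def sniff_image(data):
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def audit(filename, data):
    """Return 'ok', or the reason the file name and content disagree."""
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_image(data)
    if ext in EXECUTABLE_EXT and sniffed:
        return "executable-name-with-%s-header" % sniffed
    if ext in IMAGE_EXT and sniffed != IMAGE_EXT[ext]:
        return "image-name-without-matching-signature"
    return "ok"


# Constructed sample inputs (not the files linked in the advisory).
SAMPLES = {
    "app.exe": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"MZ\x90\x00",
    "js.gif": b"<script>/* constructed placeholder */</script>",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "setup.exe": b"MZ\x90\x00\x03\x00",
}


def audit_all(samples=SAMPLES):
    """Audit every sample and return {filename: verdict}."""
    return {name: audit(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print("%-10s %s" % (name, verdict))
```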