Microsoft IE定制404错误及exeCommand SaveAs下载警告绕过漏洞-安全小百科

Microsoft IE定制404错误及exeCommand SaveAs下载警告绕过漏洞

漏洞ID	1201082	漏洞类型	设计错误
发布时间	2004-11-16	更新时间	2005-10-20
CVE编号	CVE-2004-1331	CNNVD-ID	CNNVD-200411-036
漏洞平台	N/A	CVSS评分	2.6

|漏洞来源

https://cxsecurity.com/issue/WLB-2007100041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-036

|漏洞详情

MicrosoftInternetExplorer是一款流行的WEB浏览器。MicrosoftInternetExplorer没有正确处理包含部分字符的URL，远程攻击者可以利用这个漏洞绕过XPSP2的文件下载警告消息而直接下载保存文件。远程用户可以建立一个定制的HTTP404错误消息，并传递这个消息到execCommand’SaveAs’方法来绕过’文件下载’和’文件打开’的安全警告，攻击者可以下载任意文件到目标用户系统而对用户没有警告信息提示。

|漏洞EXP

playing for fun with <=IE7

Impact: who knows ...

Fix Available: no

-------------------------------------------------------

1) Bug

2) Proof of concept

3)Conclusion

======

1) Bug

======

it's possible to bypass the extension filter of <=IE7 this can result by
downloading

an arbitrary exe file

=====

2)proof of concept

=====

let's take this exemple :

http://dams083.free.fr/tmp/putty.exe

this is simply putty .

you click on this and then you will be prompted for downloading the file.

but what about if we do :

http://dams083.free.fr/tmp/putty.exe?1.txt

... the .exe is showed.

now let's go a bit ahead :

http://dams083.free.fr/tmp/putty.exe?1.cda

wow my .exe is downloaded directly and located in temporary files ( and
"""opened""" by windows media player).

works with theses extension :

.log

.dif

.sol

.htt

.itpc

.itms

.dvr-ms

.dib

.asf

.tif

etc ...

=====

5) Conclusion

=====

this is very funny , because actually it only works for .exe extensions.

.COM , .PIF , etc you CANT do this. ( overwrite the extension , and then
bypass the filter)

i guess we can wonder what the heck.

regards laurent gaffi

|参考资料

来源:US-CERTVulnerabilityNote:VU#743974
名称:VU#743974
链接:http://www.kb.cert.org/vuls/id/743974
来源:XF
名称:ie-execommand-warning-bypass(18181)
链接:http://xforce.iss.net/xforce/xfdb/18181
来源:BID
名称:11686
链接:http://www.securityfocus.com/bid/11686
来源:www.frsirt.com
链接:http://www.frsirt.com/exploits/20041119.IESP2Unpatched.php
来源:SECUNIA
名称:13203
链接:http://secunia.com/advisories/13203/
来源:BUGTRAQ
名称:20041119MicrosoftInternetExplorer6SP2Vulnerabilities/FulldisclosureVs.SecuritybyObscurity…
链接:http://archives.neohapsis.com/archives/bugtraq/2004-11/0260.html
来源:SREASON
名称:3220
链接:http://securityreason.com/securityalert/3220

相关推荐: Pyramid BenHur默认防火墙漏洞

Pyramid BenHur默认防火墙漏洞漏洞ID 1203435 漏洞类型配置错误发布时间 2002-12-31 更新时间 2002-12-31 CVE编号 CVE-2002-2307 CNNVD-ID CNNVD-200212-230 漏洞平台 N/…

文章版权归作者所有，未经允许请勿转载。

THE END