COMMAND

Internet Explorer file download can be tricked into running programs locally

SYSTEMS AFFECTED

All versions (up to and including 6.0)

PROBLEM

When downloading a file, Microsoft Internet Explorer trusts the name of the file in the URL instead of the name in the Content-Disposition header.

Sample (using PHP on IIS, Apache or any other web server):

- copy calc.exe into the HTML root
- create a new file test.txt containing:

    <?php
    // Declare the body as a binary download whose real name is calc.exe
    Header("Content-type: application/octet-stream");
    Header("Content-Disposition: attachment; filename=calc.exe");
    // Send the executable as the response body
    readfile("calc.exe");
    ?>

- point your Internet Explorer browser to http://yourserver/test.txt

You will be prompted to download or run test.txt, but it will download or execute calc.exe. This bug was discussed by many people on BugTraq.

Update :
========

Claimed to be corrected by Microsoft in security bulletin MS01-058 (http://www.microsoft.com/technet/security/bulletin/MS01-058.asp), but this is FALSE. MalWare people (http://www.malware.com) reported:

Clearly what this so-called "patch" does is convert all embedded file types in MHTML documents viewed in patched Internet Explorer 6 into *.TMP files. Previously all file types and file names were retained and, if accepted, would run. What that means is when prompted for 'opening or saving' [screen shot: http://www.malware.com/dumbload.jpg 14KB], if your hand should slip or if you do not know any better and select 'open', because the file extension is *.TMP you will be asked 'what do you want to open the file with' (screen shot: http://www.malware.com/sesame.jpg 20KB), which does indeed kill any accidental running of the file.
Working example
===============

[open in IE6 "patched"] http://www.malware.com/badman.zip 11KB

Before the patch, and under an MHTML file situated on the web site and viewed with Internet Explorer 6, you would be in a position to manipulate the file extension and download box as displayed here: [screen shot: http://www.malware.com/ohno.jpg 27KB]

Now with the so-called "patch", regardless of the filename="malware.exe" or the Content-Type: image/gif; combination, everything is effectively converted to a *.TMP file in the Temporary Internet Files. Attempting to open the *.TMP, depending on what it is, will either bring up the 'what do you want to open the file with' box or display the file as plain text. Dangerous files such as *.exe or *.scr or *.bat simply will not run if you elect to run the file through the Internet Explorer 6 patched browser. Sounds good.

Unfortunately, while she did a fairly reasonable job on this so-called "patch", she forgot one of the most important content-types. Her very own invention. The one and only:

    Content-Type: application/hta;

We are still able to invoke a download that, if accepted, will execute our malware on the target computer through the "patched" Internet Explorer 6.
This newly found creation of download file conversion through MHTML to a generic *.TMP file name on the download box, coupled with the 'supposed' security of this so-called "patch", will most definitely yield plenty of quick prey:

Working Example
===============

[self explanatory, includes harmless *.exe, open in IE6 "patched"] http://www.malware.com/dumbload.zip 4KB

------------------------------------------------------------------

Other exploits
==============

By jelmer:

Here's another way to go about it (without the use of mhtml files):

    package nl.xs4all.kuperus.exploits;

    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.ServletException;
    import java.io.IOException;
    import java.io.PrintWriter;

    public class SpoofIt extends HttpServlet {
        // Serve a body typed as HTA; IE runs it as an HTML Application once opened
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("application/hta");
            // A non-200 status keeps patched IE 6 from showing the .hta extension
            response.setStatus(201);
            PrintWriter out = response.getWriter();
            out.write("this is a hta");
        }

        // Handle POST exactly like GET
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            doGet(request, response);
        }
    }

Once the user clicks on open, the hta file is started according to its mime type application/hta, all the time the user thinking it is actually a .txt file.

On IE 5.5 this works even without the response code set to 200.

On IE 6 with all patches in place, including the latest 'mega pack :)', you have to set the content type to something other than 200 or the hta extension will show.

A working example is available at http://kuperus.xs4all.nl/microsoft.txt

-----------------------------------------------------------------

Exploit by Georgi Guninski:

A modification in perl which doesn't need playing with 200 is:

    ...
    print "Content-type: application/hta\n";
    print "Content-disposition: inline; filename=\"readme.txt\"\n";
    ...more stuff...

This works on the so-called "patched" IE 6.0.

Update : (15 January 2002)
==========================

Jouko Pynnonen [http://www.solutions.fi] adds:

The flaw allows a malicious web site to make Internet Explorer download and run programs when a user is visiting the web site or reading an HTML mail message. By exploiting it, any download and Security Warning dialogs can be circumvented. The program starts without further user interaction.

The trick is simply to use a null byte in the filename. A malicious web server can set a filename like "README.TXT%00PROG.EXE" via the Content-disposition HTTP header. If this kind of filename is set for an attachment, IE will display just "README.TXT" in the download dialog (unless patched). Apparently "%00" gets decoded and some of the string handling functions believe the filename string ends there. When opening the file (if the user chooses to "Open" it), though, the whole filename is used and the program gets run.

If the keyword "inline" is used with the Content-disposition header instead of "attachment" and the MIME type is chosen right, then the browser downloads and runs the program without any download dialogs or warnings. The MIME type of the file can be set via the Content-type HTTP header. The MIME types causing the file to be automatically run seem to vary in different IE versions. With IE6 e.g. "text/css" can be used to produce the effect. With IE5 e.g. "audio/midi" can be used instead.

The "file name spoofing" and "automatic running of programs" issues are in effect the same null byte vulnerability. The MIME type determines whether the program gets started automatically or the download dialog is used.
If you want to check whether your browser is vulnerable, you can do it on this web page: http://www.solutions.fi/iebug2

After clicking the link there, a vulnerable IE will download a small program and run it. The program will run in a DOS window and print a message. If this happens, you should patch your browser.

SOLUTION

Check: http://www.microsoft.com/technet/security/bulletin/MS01-058.asp
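The following is an added example, not code from this advisory or any of its contributors: a response-header audit a proxy or log reviewer can run over captured HTTP responses to flag the three tricks described above (URL name differing from the Content-Disposition name, a null byte inside the filename, and inline application/hta). The extension and MIME lists are constructed from what the advisory reports.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows executes on "Open" (constructed list for this example)
EXECUTABLE_EXTS = {"exe", "scr", "bat", "com", "pif", "hta", "vbs"}
# Types the advisory reports as making IE run the file without a dialog
AUTO_RUN_TYPES = {"application/hta", "text/css", "audio/midi"}

_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def parse_disposition(value):
    """Split a Content-Disposition value into (type, filename). The filename is
    percent-decoded, which is what turns "%00" into a real NUL as IE did."""
    dtype, _, params = value.partition(";")
    match = _FILENAME_RE.search(params)
    if not match:
        return dtype.strip().lower(), None
    raw = match.group(1) if match.group(1) is not None else match.group(2)
    return dtype.strip().lower(), unquote(raw)


def extension(name):
    """Lower-cased extension after the last dot, or '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def audit_response(url, headers):
    """Return a list of findings for one captured response.
    url: the request URL whose last path segment IE showed in its dialog;
    headers: dict of response headers, keys in any case."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type", "").partition(";")[0].strip().lower()
    dtype, fname = parse_disposition(lower.get("content-disposition", ""))
    if fname is not None:
        if "\x00" in fname:
            # IE's string handling stopped at the NUL, so only this part was shown
            shown = fname.split("\x00", 1)[0]
            how = "auto-runs" if dtype == "inline" and ctype in AUTO_RUN_TYPES else "runs on Open"
            findings.append("null byte: dialog shows %r but %r %s" % (shown, fname, how))
        url_name = urlsplit(url).path.rsplit("/", 1)[-1]
        if extension(fname) in EXECUTABLE_EXTS and extension(url_name) not in EXECUTABLE_EXTS:
            findings.append("URL name %r hides executable %r" % (url_name, fname))
    if ctype == "application/hta" and dtype != "attachment":
        findings.append("inline application/hta body runs as an HTML Application")
    return findings
```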