TUCoPS :: Browsers :: hack2260.htm

Microsoft Internet Explorer 6 SP2 vulns / Full disclosure Vs. Security by Obscurity...
Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity...

Let's play,

On Wednesday 17, Nov - Secunia released the advisory "Microsoft Internet Explorer Two Vulnerabilities", related to a vulnerability discovered by "cyber flash". This unpatched "file download security warning

bypass" flaw could be exploited to download a malicious executable file masqueraded as a "HTML document". 

Microsoft said : "Secunia you're bad, this vulnerability was not disclosed responsibly"

Secunia said "NO ! No ! We did not release the technical details of this flaw and our policy is to not reveal vulnerability details until a fix had been provided, unless they were already in the wild. We did not discover this vulnerability, so we can not censure it"

Some people said "Who is cyberflash ? perhaps Secunia discovered this flaw, but masked it behind a third party researcher"

K-OTik Says to "Some people" : "cyber flash is not a fictitious security researcher"

K-OTik Says to "MS & Secunia" : "There is no security through obscurity...and full disclosure is our policy"


Internet Explorer 6.0 SP2 File Download Security Warning Bypass


Exploit -> http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php 

Technical Details - > http://www.k-otik.com/exploits/20041119.IESP2disclosure.php 

all credits go to Cyber flash A.K.A Vengy


K-OTik Security Research & Survey Team 24/7


The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches:



Also, here's an example that requires modifying the IIS Error Mapping Properties (see below):



Steps to configure IIS:

Launch Internet Information Services manager.

Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows:

Error Code: 404 

Default Text: Not Found 

Message Type: URL 

URL: /v.exe (name of the executable) 

Within the HTML page, insert an IFRAME as follows:

The file 'vengy404.htm' intentionally doesn't exist on the server, so it will trigger a 404 error message as defined above. But, the javascript code below references the stealthy v.exe data within the frame 'NotFound' and is linked to 'funny joke.exe' when prompted to save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH