Bugtraq mailing list archives

MSIE may download and run programs automatically


From: Jouko Pynnonen <jouko () solutions fi>
Date: Fri, 14 Dec 2001 16:41:09 +0200 (EET)



This posting is a revision of the one sent to Bugtraq on 26 Nov 2001 with
the subject "File extensions spoofable in Microsoft IE download dialog"
and discusses some details and newly found impacts the vulnerability has.



OVERVIEW

Due to a flaw in the way Microsoft Internet Explorer handles certain HTTP
reply strings, a web site can spoof the name of a file being requested
and disguise it as a harmless file. As opposed to what I stated in the
previous posting, a variation of this exploit may cause the browser
to download and run a program file automatically without any user
interaction or decision. This may lead to system compromise when visiting
a malicious web site or opening an HTML mail message which directs the
user to such site. Opening an e-mail attachment or accepting a file
download is NOT required.

With some versions of IE, the origin web server of the file being
downloaded can also be hidden by using a variation of this exploit. In
this case it will show an empty string instead of the host name in the
download dialog.

Internet Explorer versions 6, 5.5, and 5.0 have been tested and found
vulnerable. The only version which hasn't automatically downloaded and
started an .exe program in our tests is 5.5 with Service Pack 2. We
don't know whether it could be vulnerable to some other variation of the
exploit (different MIME types or other HTTP header contents maybe?). It
is however vulnerable to the "plain" file name spoofing attack.



VULNERABLE VERSIONS

IE            File ext     Bypassing      Hiding file
Version       spoofing     all dialogs    origin
----------------------------------------------------------
IE 6          yes          yes            no
IE 5.5 SP2    yes          no?            yes
IE 5.5        yes          yes            yes
IE 5.0        yes          yes



DETAILS

The problem is in the way Internet Explorer handles the Content-type and
Content-disposition HTTP headers of a web server reply. With certain
combinations of specially crafted reply strings, the browser can be made
first to start downloading the file without asking for confirmation from
the user, and then to open it - or in this case, run it.

The same method which can mislead the user in the "plain" file name spoof
variation of the attack can be used to mislead the browser's logic,
resulting in automatic execution of the program.
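As an added defender-side example (not code from the original post, which does not publish the crafted header strings), the following script inspects the Content-Type and Content-Disposition headers of an HTTP reply, as a proxy or log-review tool might, and flags the combinations this advisory is about: an executable file name served under a harmless MIME type, a double extension ending in an executable, an executable offered "inline", or non-printable bytes inside the filename parameter. The extension and MIME lists and the sample responses are constructed assumptions for illustration.

```python
"""Heuristic check of download-related response headers (added example)."""
import re

# Assumption: a short, non-exhaustive list of extensions Windows runs directly.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "hta"}

# Assumption: MIME types a browser would treat as harmless / render inline.
BENIGN_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "audio/x-wav"}

_FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]*)"?', re.IGNORECASE)


def parse_disposition(value):
    """Return (disposition_type, filename) from a Content-Disposition value."""
    parts = [p.strip() for p in value.split(";")]
    dtype = parts[0].lower() if parts else ""
    m = _FILENAME_RE.search(value)
    filename = m.group(1).strip() if m else ""
    return dtype, filename


def extension_of(filename):
    """Last extension of the file name, lowercase, or '' if there is none.
    Directory separators are stripped first so 'dir/a.exe' yields 'exe'."""
    base = re.split(r"[\\/]", filename)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def check_download_headers(headers):
    """Return a list of finding strings for a dict of response headers
    (header names matched case-insensitively). An empty list means that
    none of the heuristics fired."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "")
    if not disp:
        return findings
    dtype, filename = parse_disposition(disp)
    ext = extension_of(filename)
    # Non-printable bytes are never legitimate in a filename parameter.
    if re.search(r"[\x00-\x1f\x7f]", filename):
        findings.append("control character in filename")
    # "report.txt.exe": a name that ends in an executable extension but
    # shows a harmless one first is the typical spoof pattern.
    if filename.count(".") > 1 and ext in EXECUTABLE_EXTS:
        findings.append("double extension ending in executable")
    # The advisory's core mismatch: executable name, harmless declared type.
    if ext in EXECUTABLE_EXTS and ctype in BENIGN_TYPES:
        findings.append(f"executable extension .{ext} served as {ctype}")
    if ext in EXECUTABLE_EXTS and dtype == "inline":
        findings.append("executable offered inline")
    return findings


# Constructed sample replies, not captured traffic.
SAMPLE_RESPONSES = [
    {"Content-Type": "application/octet-stream",
     "Content-Disposition": 'attachment; filename="setup.exe"'},
    {"Content-Type": "text/plain",
     "Content-Disposition": 'attachment; filename="readme.txt.exe"'},
    {"Content-Type": "image/gif",
     "Content-Disposition": 'inline; filename="picture.scr"'},
]

if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        print(resp["Content-Disposition"], "->", check_download_headers(resp) or "ok")
```

The first sample is an ordinary, honestly labelled download and produces no finding; the second and third trip the mismatch heuristics. A check like this only catches what a server declares, so it complements, rather than replaces, applying the vendor patch or disabling file downloads as described below.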



WORKAROUNDS

If the patch for some reason couldn't be applied, disabling file
downloads from Tools -> Internet options -> Security -> Custom level ->
Downloads/File download seems to stop the exploit. No other known
workarounds exist at the moment, except for switching to another browser
such as Opera or Netscape, which don't seem to suffer from this problem.



VENDOR STATUS

Microsoft was initially contacted on November 19th with the information
regarding the "file extension spoofing" problem. The Security Warning
dialogs of IE5 could be bypassed with that exploit, but the "automatically
start an .exe" variation of the vulnerability wasn't known at the time.
Microsoft didn't consider the file extension spoofing problem a security
vulnerability. The company was informed about the new variation on
November 27th and started working on a patch to correct the flaw. The
patch is now out and downloadable on Microsoft's site at

http://www.microsoft.com/technet/security/bulletin/MS01-058.asp




-- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jouko () solutions fi      http://www.solutions.fi    http://www.secmod.com

