[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: playing for fun with <=IE7
This is actually a 3 years old vulnerability.
It can also be used to open any type of file (with .exe extension) using its
external application, instead of opening it with the associated browser
plug-in (if exists).
E.g. I've been able to use this old vuln to automate the PDF attack vector
found by GNUCitizen's pdp.
More info: http://aviv.raffon.net/2007/10/15/BackFromTheDead.aspx
From: laurent.gaffie@xxxxxxxxx [mailto:laurent.gaffie@xxxxxxxxx]
Sent: Friday, October 12, 2007 10:34 PM
Subject: playing for fun with <=IE7
playing for fun with <=IE7
Impact: who knows ...
Fix Available: no
2) Proof of concept
it's possible to bypass the extension filter of <=IE7 this can result by
an arbitrary exe file
2)proof of concept
let's take this exemple :
this is simply putty .
you click on this and then you will be prompted for downloading the file.
but what about if we do :
... the .exe is showed.
now let's go a bit ahead :
wow my .exe is downloaded directly and located in temporary files ( and
"""opened""" by windows media player).
works with theses extension :
this is very funny , because actually it only works for .exe extensions.
.COM , .PIF , etc you CANT do this. ( overwrite the extension , and then
bypass the filter)
i guess we can wonder what the heck.
regards laurent gaffiי