Repost: Defending against the new IE vulnerability (1) & (2) - PCZONE Forum






Defending against the new IE vulnerability (1)


New IE vulnerability: hackers will get through unimpeded (12/17)

Source: Infopro.com 資傳網


The company, named Oy Online Solution, points out that hackers can use specific URLs and HTTP headers so that the down

Jyrki Salmi, general manager of Oy Online Solutions, said that at the end of November Microsoft

The affected versions include IE 5.0, 5.5 and 6.x. Salmi advises users that, until the upgrade is released,


The above is the news report; below is the original Bugtraq posting:


A flaw in Microsoft Internet Explorer allows a malicious website to spoof
file extensions in the download dialog to make an executable program file
look like a text, image, audio, or any other file. If the user chooses to
open the file from its current location, the executable program will be
run, circumventing Security Warning dialogs, and the attacker could gain
control over the user's system.

A piece of HTML can be used to cause a normal download dialog to pop up.
The dialog would prompt the user to choose whether he/she wants to "open
this file from its current location" or "save this file to disk". The
file name and extension may be anything the malicious website
administrator (or a user having access there) wishes, e.g. README.TXT,
index.html, or sample.wav. If the user chooses the first alternative,
"open the file from its current location", an .EXE application is
actually run without any further dialogs. This happens even if
downloading a normal .EXE file from the server causes a Security Warning

The user has no way of detecting that the file is really an .EXE
program and not a text, html, or other harmless file. The program could
quietly backdoor or infect the user's system, and then pop up a window
which does what the user expected, ie. show a text document or
play an audio file.

No active scripting is necessary in order to exploit the flaw. The
malicious website can be referred to, e.g., in an iframe, in a normal link,
or by javascript.


The flaw is in the way Internet Explorer processes certain kinds of URLs
and HTTP headers. No further technical details are disclosed this time,
as there is no proper workaround and the vulnerability could be
relatively easily and unnoticeably exploited to spread viruses, install
DDoS zombies or backdoors, format hard disks, and so on.

The flaw has been successfully exploited with Internet Explorer 5.5 and
6. An IE5 with the latest updates shows the spoofed file name and
extension without a sign of EXE, and issues no Security Warning dialog
after the file download dialog.

Internet Explorer 6 is exploitable in a slightly different way, but the
effect is the same. The user gets a download dialog with the spoofed file
name and extension, and can choose between "Open" and "Save". Opening the
file causes the program to be run.

Older versions such as IE5.0 behave somewhat differently. The dialog
indicates the user is about to execute an application; the dialog has the
word "execute" instead of "open", and a Security Warning dialog appears
after choosing "execute". It still shows the spoofed file name and
extension instead of "EXE".

Any way to skip all dialogs, ie. to run an application without ANY
dialog with this vulnerability has NOT been found. In all variations of
the exploit there is always the normal file download dialog, but the
following Security Warning dialog is skipped.

Technical details of the vulnerability will be revealed later.


Opening a file type previously considered safe, e.g. a plain text or HTML
file, isn't safe with IE. Users of the browser should avoid opening
files directly and save them to disk instead (if opening them is
necessary at all). If this flaw is being exploited, the file save dialog
will reveal that the file is actually an executable program. Dealing with
files from an untrusted source isn't advisable anyway. Another workaround
is switching to another browser such as Opera or Netscape, which don't
seem to have this vulnerability.


Microsoft was contacted on November 19th. The company doesn't currently
consider this a vulnerability; they say that the trust decision should
be based on the file source and not its type. The origin of the file, i.e. the
web server's hostname, can't be spoofed with this flaw. It's not known
whether a patch is going to be produced. Microsoft is currently
investigating the issue.


This posting is a revision of the one sent to Bugtraq on 26 Nov 2001 with
the subject "File extensions spoofable in Microsoft IE download dialog"
and discusses some details and newly found impacts the vulnerability has.


Due to a flaw in the way Microsoft Internet Explorer handles certain HTTP
reply strings, a web site can spoof the name of a file being requested
and disguise it as a harmless file. As opposed to what I stated in the
previous posting, a variation of this exploit may cause the browser
to download and run a program file automatically without any user
interaction or decision. This may lead to system compromise when visiting
a malicious web site or opening an HTML mail message which directs the
user to such site. Opening an e-mail attachment or accepting a file
download is NOT required.

With some versions of IE, the origin web server of the file being
downloaded can also be hidden by using a variation of this exploit. In
this case it will show an empty string instead of the host name in the
download dialog.

Internet Explorer versions 6, 5.5, and 5.0 have been tested and found
vulnerable. The only version which hasn't automatically downloaded and
started an .exe program in our tests is 5.5 with Service Pack 2. We
don't know whether it could be vulnerable to some other variation of the
exploit (different MIME types or other HTTP header contents maybe?). It
is however vulnerable to the "plain" file name spoofing attack.


IE version    File ext    Bypassing     Hiding file
              spoofing    all dialogs   origin
IE 6          yes         yes           no
IE 5.5 SP2    yes         no?           yes
IE 5.5        yes         yes           yes
IE 5.0        yes         yes


The problem is in the way Internet Explorer handles the Content-type and
Content-disposition HTTP headers of a web server reply. With certain
combinations of specially crafted reply strings, the browser can be made
first to start downloading the file without asking for confirmation from
the user, and then to open it - or in this case, run it.

The same method which can mislead the user in the "plain" file name spoof
variation of the attack can be used to mislead the browser's logic,
resulting in automatic execution of the program.


If the patch for some reason couldn't be applied, disabling file
downloads from Tools -> Internet options -> Security -> Custom level ->
Downloads/File download seems to stop the exploit. No other known
workarounds exist at the moment, except from switching to another browser
such as Opera or Netscape, which don't seem to suffer from this problem.


Microsoft was initially contacted on November 19th with the information
regarding the "file extension spoofing" problem. The Security Warning
dialogs of IE5 could be bypassed with that exploit, but the "automatically
start an .exe" variation of the vulnerability wasn't known at the time.
Microsoft didn't consider the file extension spoofing problem a security
vulnerability. The company was informed about the new variation on
November 27th and started working on a patch to correct the flaw. The
patch is now out and downloadable on Microsoft's site at


Jouko Pynnonen, Online Solutions Ltd
[email protected]  http://www.solutions.fi
Secure your Linux - http://www.secmod.com


I haven't had time to study it in detail yet, but it looks like it could become a new infection route for another wave of the Nimda virus. Everyone, go and patch the hole at the following URL right away:


The main point of this vulnerability is a problem with how IE determines the file extension. You can try it out at the following URL:


When you click it, you will see IE pop up a download window; the file being downloaded looks like a plain text file with a TXT extension.

Normally a user who sees a TXT file suspects nothing and chooses to open it directly, but by exploiting this IE extension-check bug a malicious server administrator can send an executable such as an HTA to your computer, which is then opened automatically, as shown in the figure. This can therefore be used to spread viruses or trojan horses:


Since there are no further technical details, I used a sniffer to capture the contents of the packet, as follows:

Notice the "Content-Type" field? It appears that IE does not compare the Content-Type against the original file extension: when opening the file, Microsoft's IE sees application/hta in the HTTP "Content-Type" field and hurriedly calls MSHTA to handle it, completely forgetting that the original file name was a TXT text file......
Defending against the new IE vulnerability (2) - a strange MS01-058 update?


Below is the description from Microsoft Security Bulletin MS01-058:

The first vulnerability involves a flaw in the handling of the Content-Disposition and Content-Type header fields in an HTML stream. These fields, the hosting URL, and the hosted file data determine how a file is handled upon download in Internet Explorer. A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was actually a different type of file -- one that it is appropriate to simply open without asking the user for confirmation. This could enable the attacker to create a web page or HTML mail that, when opened, would automatically run an executable on the user's system. This vulnerability affects IE 6.0 only. It does not affect IE 5.5.
The second vulnerability is a newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-015. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user's local computer that could be opened in a browser window. This vulnerability affects both IE 5.5 and 6.0.
The third vulnerability involves a flaw related to the display of file names in the File Download dialogue box. When a file download is initiated, a dialogue provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialogue. This could be invoked from a web page or in an HTML email in an attempt to fool users into accepting unsafe file types from a trusted source. This vulnerability affects both IE 5.5 and 6.0.
You can see that this fix corrects three errors. The third should be the situation I described in my previous article "Defending against the IE vulnerability (1)", but forum member yen wrote in to ask: after installing the MS01-058 fix, the download window still shows a txt file being downloaded....

To verify the cause, I specially upgraded the IE I had not wanted to upgrade to version 6.0 and also installed the MS01-058 fix. The result, damn it.... after the fix it is still the same: the download still shows a txt file, and IE 6.0 is even worse, its default button is actually "Open", so it is even easier to accidentally run this wolf wearing a txt skin that is really an hta executable.




(But in that case, why bother installing the fix at all???...... the baffled Hackland webmaster)
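The pattern the first post describes (a download offered as README.TXT while the reply carries Content-Type: application/hta, so that IE hands the body to MSHTA) can be caught on the wire before the browser ever sees it. The following is an added example, in Python, written for this page; it is not code from the original posts, from Online Solutions or from MS01-058. It is the kind of rule one would put in a proxy or IDS: it parses a raw HTTP reply, works out the file name the download dialog would show (Content-Disposition filename, else the last part of the URL path), and flags replies where that name has a "harmless" extension while the declared Content-Type, or the first bytes of the body, say executable or HTML Application. The sample replies, the MIME/extension lists and the magic-byte checks are all constructed for this example (the thread's own sniffer capture is not reproduced on the page); the hostnames are placeholders.

```python
"""Added example for this thread (not code from the original posts, from
Online Solutions or from MS01-058).  Assumptions: the MIME/extension lists,
the magic-byte checks and the sample responses are all constructed here;
the thread's own sniffer capture is not reproduced on the page."""
import re
from urllib.parse import urlsplit, unquote

# Content types that make IE hand the file to a program rather than display it.
# Illustrative list (assumption), not taken from the bulletin.
ACTIVE_CONTENT_TYPES = {
    "application/hta",            # HTML Application, run by mshta.exe
    "application/x-msdownload",   # .exe / .dll
    "application/x-msdos-program",
}
# Names a user opens without a second thought (the advisory's README.TXT, sample.wav ...).
BENIGN_EXTENSIONS = {"txt", "htm", "html", "gif", "jpg", "jpeg", "png", "wav", "mp3"}

_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;]+))', re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP reply into (status line, [(name, value), ...], body).
    Header names are lower-cased; duplicates are kept so they can be reported."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:          # tolerate junk lines rather than abort
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def offered_filename(headers, url):
    """The name the download dialog would show: Content-Disposition first, else the URL path."""
    for cd in header_values(headers, "content-disposition"):
        m = _FILENAME_RE.search(cd)
        if m:
            return (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def body_looks_active(body):
    """Cheap content sniff of the first bytes, independent of anything the server claims."""
    head = body[:512]
    if head.startswith(b"MZ"):
        return "PE executable (MZ header)"
    if b"<hta:application" in head.lower() or b"<script" in head.lower():
        return "HTML Application / script markup"
    return None


def assess(raw, url):
    """Return a verdict dict; 'suspicious' is True when the offered name and the
    declared or sniffed type disagree in the way the thread describes."""
    _, headers, body = parse_response(raw)
    ctypes = header_values(headers, "content-type")
    ctype = ctypes[0].split(";")[0].strip().lower() if ctypes else ""
    fname = offered_filename(headers, url)
    ext = extension(fname)
    reasons = []
    if ctype in ACTIVE_CONTENT_TYPES and ext in BENIGN_EXTENSIONS:
        reasons.append(f"Content-Type {ctype} offered under benign name {fname!r}")
    if len(ctypes) > 1 or len(header_values(headers, "content-disposition")) > 1:
        reasons.append("duplicated Content-Type/Content-Disposition headers")
    sniffed = body_looks_active(body)
    if sniffed and ext in BENIGN_EXTENSIONS:
        reasons.append(f"body is {sniffed} but name ends in .{ext}")
    return {"filename": fname, "extension": ext, "content_type": ctype,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample replies (not the capture from the thread).
SPOOFED_HTA = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/hta\r\n"
               b"Content-Disposition: attachment; filename=\"README.TXT\"\r\n\r\n"
               b"<html><hta:application id=demo></hta:application></html>")
SPOOFED_EXE = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/x-msdownload\r\n\r\n"
               b"MZ\x90\x00" + b"\x00" * 60)
BENIGN_TXT = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: text/plain\r\n"
              b"Content-Disposition: attachment; filename=\"README.TXT\"\r\n\r\n"
              b"just a text file\r\n")

if __name__ == "__main__":
    for label, raw, url in (("spoofed hta", SPOOFED_HTA, "http://example.test/get"),
                            ("spoofed exe", SPOOFED_EXE, "http://example.test/files/sample.wav"),
                            ("benign txt", BENIGN_TXT, "http://example.test/README.TXT")):
        print(label, assess(raw, url))
```

The body sniff matters because the header check alone trusts the server twice: a reply can declare application/octet-stream and still carry an MZ executable under a .txt name, and only the first bytes give an answer the attacker does not control. Duplicated Content-Type or Content-Disposition headers are reported as a separate reason, since the advisory attributes the bug to "certain combinations of specially crafted reply strings" without saying which.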


Following brother Purk's test results, I also ran a test of the fix.
After applying the fix I found that my server could no longer run ASP programs;
neither localhost ASP nor ASP on other sites would run any more.
Fortunately I always make a full backup of the system disk, otherwise running into a fatal fix like this that cannot be removed would have been the end.
Re: Another test result
Originally posted by galrie
Following brother Purk's test results, I also ran a test of the fix.
After applying the fix I found that my server could no longer run ASP programs;
neither localhost ASP nor ASP on other sites would run any more.
Fortunately I always make a full backup of the system disk, otherwise running into a fatal fix like this that cannot be removed would have been the end.
Sorry, I was careless: I ran the above test at the same time as updating my antivirus program's virus definitions,
and did so several times without ever skipping that step, hence the test result above.
Tonight I restored the disk contents and stopped Norton AntiVirus from updating its definitions,
and found that Microsoft's fix does not prevent this site's server from running ASP applications (http://cctv.oknet.idv.tw).
My apologies for any inconvenience caused to other members.

Note: the Norton AntiVirus version I originally used was 7.07.23D, which definitely causes the above problem;
after switching to Norton AntiVirus C.E. version 7.50.846 it returned to normal.
酷 拉 皮 卡

