Author Topic: IE exploit filter  (Read 2765 times)

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
IE exploit filter
« on: January 23, 2002, 10:50:04 AM »
By Mona:

This filter will kill a file trying to be
"slipped in and launched" through the use
of the IE %00 exploit. If someone goes
through the trouble to include the exploit,
the file must be assumed to be malicious.

--------------8<---------------
In = TRUE
Out = FALSE
Key = "BLOCKED: Kill IE %00 Exploit File (in)"
Match =
"(*|(^?))&($IHDR(Content-Disposition:*filename=$AV(*%00*)*)|$URL(*%00*))"
Replace = "IE %00 EXPLOIT FILEk"
--------------8<---------------

I threw in a check for a %00 anywhere in the
URL as well, although I don't know if IE can
be exploited in this manner through the URL
itself. Somehow I doubt it, but better to be
safe than sorry.
Best wishes
Arne
Imici username= Arne

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
IE exploit filter
« Reply #1 on: January 23, 2002, 10:51:48 AM »
Also by Mona:

These next two filters are regarding a different IE
exploit. JarC helped explain it much this way:

----------------------------------------------------------
When clicking a link, the URL indicates that File A is being returned. When
the response is returned, however, there is a second file/filename attached as
indicated in the header "Content-Disposition: attachment [OR inline];
filename=[File B]". Depending on the content-type specified for the file in
the *URL*, either an automatic download occurs followed by a subsequent
execution of the "attachment" (NO prompt!), OR you are presented with a dialog
asking if you want to 'Open' or 'Save' the file. When prompted, however, the
name that is displayed in the initial dialog is for File A, not the actual
filename as indicated in the content-disposition header (File B).

If you choose 'Open', once again File B auto-loads; but if you choose 'Save',
the filename for File B *is* finally displayed in the save dialog in all
versions of IE. At this point, a danger still exists as the user may not
notice the difference in filenames between the initial prompt and the save
dialog.

[HTTP headers]

In = TRUE
Out = FALSE
Key = "Content-Disposition: [IE Exploit] Reveal Attached Filename (in)"
Match = "*filename=$AV(1&(^*%00*))*"
Replace = "filename=1"

In = TRUE
Out = FALSE
Key = "Content-Type: [IE Exploit] Application/Force-Download (in)"
Match = "(*|(^?))&$IHDR(Content-Disposition:*filename=*)"
Replace = "application/force-download"


Test Page http://www.heise.de/ct/browsercheck/readme.txt
Best wishes
Arne
Imici username= Arne

pavilion

  • Newbie
  • *
  • Posts: 1
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
IE exploit filter
« Reply #2 on: February 01, 2002, 11:32:29 AM »
that trick also works with Communicator (no auto-launch though) but when i click
on the file another file is downloaded. With all the security problems IE has I'm not surprised but how can this exploit work in Communicator ? Is it because the server where the link is pointing has been set up to trick the user or just a atg in the html file ?

Although the link posted here was supposed to be a text file. Also Communicator displays text file but with this one, Communicator prompted me to save.

How does that work ?

 
 

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
IE exploit filter
« Reply #3 on: February 01, 2002, 12:30:53 PM »
Hi and welcome.

I am not very good when it comes to this. You will have to ask Mona. You can find her in the email group at yahoo [email protected]



Best wishes
Arne
Imici username: Arne
Best wishes
Arne
Imici username= Arne

dave1006

  • Full Member
  • ***
  • Posts: 113
    • ICQ Messenger - 92066376
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
IE exploit filter
« Reply #4 on: February 10, 2002, 04:10:24 PM »
Hello,
just browsing this thread and thinking 'jeez, another IE exploit? im so glad im using Opera' - when DOH! - exploit works, to a limited extent, with Opera too (ver6.01). Although, in this case, my browser simply opened the exe file in the window as a .txt file would be displayed, rather than executing it.

Anyways, thanks for the info and posted 'security patch' Arne (and Mona)!

 
dave
dave at smokeajay.co.uk