Overview
Microsoft Internet Explorer contains a vulnerability in the way that it presents a Save As dialog. By invoking the SaveAs command with execCommand, an attacker could display a dialog that could trick a user into saving arbitrary content.
Description
Microsoft Internet Explorer (IE) supports a proprietary DHTML command called SaveAs, which saves the current document to a file. SaveAs is invoked by the execCommand method and can save any data that is displayed within the browser to a file. By setting the value of the appropriate SaveAs parameter, the full path and filename (including extension) can be specified. Normally, the SaveAs command is used to save HTML documents. However, any file that can be displayed in a browser window can be saved to a file by the SaveAs command. Certain combinations of file extension and/or server-provided MIME type will cause IE to display binary data within the browser window. In such cases, SaveAs can be used to save an executable file to the local filesystem. The data to be saved could be contained within a hidden FRAME or IFRAME element.
When downloading a file with Windows XP SP2, the user is normally presented with a dialog titled "File Download - Security Warning." When the SaveAs command is used to save a file, this security dialog is bypassed. In addition, Windows XP SP2 normally stores the zone information about downloaded files in an NTFS Alternate Data Stream. This is known as a Persistent Zone Identifier. Files saved with the SaveAs command do not contain this zone information. This means that the user will not be presented with the security warning dialog when an application saved with the SaveAs command is executed.
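The missing Persistent Zone Identifier described above can be checked for on disk. The following PowerShell audit is an added example, not part of the original note or any vendor tooling: it lists files that begin with the PE "MZ" signature and reports whether each carries a Zone.Identifier stream. The `$Root` parameter and the function names `Test-PEHeader` and `Get-ZoneId` are hypothetical; it assumes PowerShell 3.0 or later and an NTFS volume.

```powershell
# Added example: list PE executables under a folder and show which ones have
# no Zone.Identifier alternate data stream (no Persistent Zone Identifier).
param(
    # Assumption: folder to audit; defaults to the current user's profile.
    [string]$Root = $env:USERPROFILE
)

function Test-PEHeader {
    param([string]$Path)
    # A PE file starts with the bytes 'M','Z' (0x4D 0x5A) whatever its extension.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }   # locked or unreadable file: skip it
}

function Get-ZoneId {
    param([string]$Path)
    # Returns the ZoneId number from the stream, or $null when the stream is absent.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $line = Get-Content -LiteralPath $Path -Stream Zone.Identifier |
        Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { Test-PEHeader $_.FullName } |
    ForEach-Object {
        $zone = Get-ZoneId $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTime
            ZoneId   = $zone               # 3 = Internet zone when present
            Unmarked = ($null -eq $zone)   # no zone information stored
        }
    } | Sort-Object Unmarked -Descending | Format-Table -AutoSize
```

Locally built or installer-placed binaries also lack the stream, so an unmarked file is a triage signal to correlate with creation time and location, not proof of a SaveAs write.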
Impact
An attacker could convince a user to save an arbitrary file to a specific location on the local filesystem. This file could appear to be an HTML document, when it actually is an executable file.
Solution
Disable Active scripting
Acknowledgements
This vulnerability was reported by cyber flash.
This document was written by Will Dormann.
Other Information
CVE IDs: None
Severity Metric: 1.69
Date Public: 2004-11-17
Date First Published: 2004-12-17
Date Last Updated: 2004-12-17 20:21 UTC
Document Revision: 15