US-CERT Vulnerability Notes Database

Vulnerability Note VU#743974

Microsoft Internet Explorer execCommand() method SaveAs command uses misleading "Save HTML Document" dialog

Overview

Microsoft Internet Explorer contains a vulnerability in the way that it presents a Save As dialog. By invoking the SaveAs command with execCommand, an attacker could display a dialog that could trick a user into saving arbitrary content.

I. Description

Microsoft Internet Explorer (IE) supports a proprietary DHTML command called SaveAs, which saves the current document to a file. SaveAs is invoked through the execCommand method and can write any data that is displayed within the browser window to a file. By setting the value argument passed to execCommand, the script can specify the full path and filename (including the extension) of the file to be written.

Normally, the SaveAs command is used to save HTML documents. However, any file that can be displayed in a browser window can be saved to a file by the SaveAs command. Certain combinations of file extension and/or server-provided MIME type will cause IE to display binary data within the browser window. In such cases, SaveAs can be used to save an executable file to the local filesystem. The data to be saved could be contained within a hidden FRAME or IFRAME element.

The dialog presented by the SaveAs command has the following characteristics that facilitate an attacker's ability to deceive the user:

  1. The "Save as type" field of the dialog always displays "HTML File (*.htm; *.html)," regardless of the content that is actually being saved.
  2. Although the "Save as type" field indicates that an HTML file is being saved, the dialog does not enforce a .htm or .html extension; the filename supplied by the script is used as given.

The default configuration for Windows is to hide the file extension for known file types. With file extensions hidden, a file called "file.html.exe" on the filesystem will appear as "file.html" both in the save dialog and in Windows Explorer.

When downloading a file with Windows XP SP2, the user is normally presented with a dialog titled "File Download - Security Warning." When the SaveAs command is used to save a file, this security dialog is bypassed. In addition, Windows XP SP2 normally records the zone from which a file was downloaded in an NTFS Alternate Data Stream (the Zone.Identifier stream); this is known as a Persistent Zone Identifier. Files saved with the SaveAs command do not carry this zone information, so the user is not presented with the security warning dialog when an executable saved with the SaveAs command is later run.
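The following is an added example, not code from this note, from Microsoft, or from the reporter. It is a small Node.js scanner that flags the pattern the Description above lays out in captured HTML: a call of the documented form document.execCommand("SaveAs", bUserInterface, vValue), the filename passed as vValue, and FRAME/IFRAME elements hidden inline. It also models what the "Hide extensions for known file types" setting shows the user, so a double-extension name such as "file.html.exe" is reported as misleading. Assumptions: the "known file types" whose extension Explorer hides are approximated by the EXECUTABLE_EXTENSIONS list, and the sample page is constructed for this example.

```javascript
// Added example (not from the US-CERT note): static scanner for the
// execCommand("SaveAs") pattern and hidden frames in captured page content.

// Assumed approximation of "known file types" whose extension Explorer hides.
const EXECUTABLE_EXTENSIONS = new Set([
  'exe', 'com', 'scr', 'pif', 'bat', 'cmd', 'vbs', 'js', 'hta', 'msi',
]);

// Final extension of a path, lower-cased ('' when there is none).
function finalExtension(path) {
  const base = path.split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
}

// What the save dialog and Explorer show with "Hide extensions for known file
// types" enabled: the last (known) extension is dropped, so "file.html.exe"
// is displayed as "file.html".
function displayedName(path) {
  const base = path.split(/[\\/]/).pop();
  const ext = finalExtension(base);
  if (!EXECUTABLE_EXTENSIONS.has(ext)) return base;
  return base.slice(0, base.length - ext.length - 1);
}

// Misleading when the real extension is executable but the displayed name
// still ends in some other, non-executable extension.
function isMisleadingName(path) {
  const real = finalExtension(path);
  const shownExt = finalExtension(displayedName(path));
  return EXECUTABLE_EXTENSIONS.has(real) && shownExt !== '' &&
    !EXECUTABLE_EXTENSIONS.has(shownExt);
}

// execCommand("SaveAs", <bool>, "<vValue>") with either quote style.
const SAVEAS_CALL =
  /execCommand\s*\(\s*(['"])SaveAs\1\s*(?:,\s*(true|false)\s*(?:,\s*(['"])([^'"]*)\3)?)?\s*\)/gi;

// FRAME/IFRAME elements made invisible by inline style or zero size.
const HIDDEN_FRAME =
  /<i?frame\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|\bwidth\s*=\s*["']?0\b|\bheight\s*=\s*["']?0\b)[^>]*>/gi;

// 1-based line number of a character offset in the page text.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

function scanPage(html) {
  const findings = [];
  for (const m of html.matchAll(SAVEAS_CALL)) {
    // Undo JS source escaping: "C:\\x.exe" in script text is C:\x.exe at runtime.
    const target = (m[4] || '').replace(/\\\\/g, '\\');
    findings.push({
      kind: 'saveas-call',
      line: lineOf(html, m.index),
      target,
      displayedAs: target ? displayedName(target) : '',
      misleading: target ? isMisleadingName(target) : false,
    });
  }
  for (const m of html.matchAll(HIDDEN_FRAME)) {
    findings.push({ kind: 'hidden-frame', line: lineOf(html, m.index), tag: m[0] });
  }
  return findings;
}

// Constructed sample resembling the pattern described in the note (not a real page).
const SAMPLE_PAGE = [
  '<html><body>',
  '<iframe src="payload.php" style="display:none" width="0" height="0"></iframe>',
  '<script>',
  'function go() {',
  '  frames[0].document.execCommand("SaveAs", true, "C:\\\\file.html.exe");',
  '}',
  '</script>',
  '</body></html>',
].join('\n');

function summarize(html) {
  return scanPage(html).map((f) =>
    f.kind === 'saveas-call'
      ? `line ${f.line}: SaveAs -> ${f.target} (shown as "${f.displayedAs}", misleading=${f.misleading})`
      : `line ${f.line}: hidden frame ${f.tag}`);
}

console.log(summarize(SAMPLE_PAGE).join('\n'));
```

Run with `node scanner.js`; for the constructed sample it reports the SaveAs call on line 5 with a target that is displayed as "file.html" but is really an .exe, and the hidden IFRAME on line 2. The scanner is a text match, not a JavaScript parser, so obfuscated or dynamically built calls will not be caught; it is meant for triage of captured pages, not as a complete control.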

II. Impact

An attacker could convince a user to save an arbitrary file to a specific location on the local filesystem. This file could appear to be an HTML document, when it actually is an executable file.

III. Solution

Disable Active scripting
Disabling Active scripting prevents script from calling execCommand. As a result, the SaveAs command cannot be invoked by a web page, which prevents the spoofed save dialog. Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ. Note that disabling Active scripting will reduce the functionality of many web sites.

Disable "Hide extensions for known file types"

The default configuration for Windows is to hide the extensions for known file types. An attacker can take advantage of this by creating a file with a double extension. For example, "file.html.exe" will appear as "file.html" by default. This allows executable files to masquerade as less dangerous file types. Configure Windows Explorer to show all file extensions. Displaying the actual file extension makes it easier to see what type of file is being saved; it does not prevent the SaveAs call itself, so it is a complement to, not a replacement for, disabling Active scripting.

Systems Affected

Vendor                  Status       Date Notified / Date Updated
Microsoft Corporation   Vulnerable   17-Dec-2004

References


http://secunia.com/advisories/13203/
http://xforce.iss.net/xforce/xfdb/18181
http://www.securityfocus.com/bid/11686
http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php
http://www.k-otik.com/exploits/20041119.IESP2disclosure.php
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/execcommand.asp
http://msdn.microsoft.com/workshop/author/dhtml/reference/constants/saveas.asp

Credit

This vulnerability was reported by cyber flash.

This document was written by Will Dormann.

Other Information

Date Public:2004-11-17
Date First Published:2004-12-17
Date Last Updated:2004-12-17
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:1.69
Document Revision:15

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2004 Carnegie Mellon University