Sometimes it is nice to see old vulnerabilities come back from the dead.
This time I'm referring to a vulnerability in Internet Explorer that was discovered almost 3 years ago by cyber_flash. The vulnerability allows an attacker to bypass the security download warning dialog, and display a regular save file dialog, by manipulating IE into displaying executable file (a file with .exe extension) as a regular html file.
While this vulnerability was partially patched by Microsoft in IE7, it was still remained unpactched in IE6 SP2.
Few days ago, this vulnerability came back to life when laurent gaffi posted in Bugtraq that it is possible to download and open an executable file in an application associated to a different extension, using a very similar specially crafted URL that was used in cyber_flash's proof-of-concept.
I've been able to use this old vulnerability to automate an attack vector that was found by pdp from GNUCitizen. In his proof-of-concept, pdp exploits a vulnerability by opening a manually downloaded PDF file in Adobe Reader. When I tried to open the PoC file inside IE7 it didn't exploit the vulnerability. This is probably because the Adobe Reader ActiveX control is running in a different way, in terms of security, than the external application. Therefore, I used the old IE vulnerability in order to automatically download and open the PoC PDF file in the external Adobe Reader application. The exploit then executed the Windows calculator.
The following is a video which demonstrates the difference between opening the proof-of-concept PDF file in the browser (embedded) and in the external application.
You can also download this video (better quality) from here.