HTTP: Executable Binary Returned for Image Requested
This signature detects attempts to download an executable binary file disguised as an image. Attackers can disguise a malicious program (executable binary file) as an image on a Web page. When a user downloads the image to the local Web cache using a Web browser, the image does not display (because it is not a valid image file). Attackers can then exploit additional vulnerabilities to trick the user into running the malicious file from the Web cache.
Extended Description
Mozilla Firefox is reported prone to a security vulnerability that could allow a malicious website to bypass drag-and-drop functionality security policies. A user can exploit this vulnerability with an image that renders correctly in the Firefox browser, but is saved with a '.bat' file extension when dragged and dropped onto the local filesystem. Since the batch file interpreter on Microsoft Windows is particularly lenient when it comes to syntax, batch commands appended to the image file will be executed if the image that was dragged and dropped is invoked. Update: Netscape 7.2 is reported vulnerable to this issue as well. Other versions may also be affected.
Affected Products
Mozilla firefox
References
BugTraq: 12468
CVE: CVE-2005-0230
URL: http://isc.sans.org/presentations/banking_malware.pdf http://www.us-cert.gov/cas/bulletins/SB05-145.html
Short Name
HTTP:STC:IMG:EXE-FOR-IMAGE
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Binary CVE-2005-0230 Executable Image Requested Returned bid:12468 for
Release Date
07/01/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
False Positive
Unknown
Vendors
Hp
Mozilla
Suse
Netscape
Gentoo
CVSS Score
5.1