Bugtraq mailing list archives
Re: HTML.dropper
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 19 Jan 2001 13:15:25 +1300
> Internet Explorer 5.5 and accompanying mail and news client afford us the unique ability to dictate which icons and file extensions we require. Specifically, we are able to manufacture an email message to appear as one thing when in fact it is not:
I did not have an IE/OE 5.5 install handy to test, so...

Quick testing with IE/OE 5.0 suggests you need a 1 char longer Subject: for this to work on that version (OE Help/About reports 5.00.2314.1300). (I believe standard 5.0, no patches or SPs.)

Quick testing with Outlook 2000 suggests you need a 3 char shorter Subject: for this to work on that version (Outlook Help/About reports 9.0.0.2711). Rather oddly, Outlook 2000 sees such messages as having two attachments -- with the right Subject: length both of these "attachments" work as under OE. (This is standard Office 2000 release -- no SPs or patches.)

Quick testing with Outlook 98 suggests you need a 3 char shorter Subject: for this to work on that version (Outlook Help/About reports 8.5.5104.5). Like Outlook 2000, Outlook 98 sees such messages as having two attachments -- with the right Subject: length both of these "attachments" work as under OE. If the Subject: string is a few chars longer (I tried 1 and 3) than that required for the exploit to work, Outlook 98 causes an IPF in OUTLMIME.DLL during download of the message from a server (i.e. before you have a chance to delete the message, and, in fact, before Outlook has deleted the message from the server), so this becomes something like that earlier invalid MIME header DoS. (This is standard Office 98 release -- no SPs or patches -- so the DoS may be fixed by any patches released to deal with that earlier bug.)

This exploit seems to be based on some form of buffer overflow. With some of the mailers above, when the Subject: line is four chars too short, if you try to save the "attachment" you get a filename of ".hta.gif", if three chars too short, ".hta.gi" and so on.
> This will create an email message with no reference to attachments in the headers. This can be particularly troublesome to content filtering gateways and/or security applications that strip attachments through header information that is content disposition: attachment; content-type: application/malware; filename: iloveyou.vbs
Since JS/Kak's ascendency began a year ago, any Email scanning system that does not process message bodies has been a dead-duck. In a perfect world, that means your point would be moot, but in this world...

Regards,
Nick FitzGerald
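As an added illustration of the body-walking check Nick is arguing for (example code added here, not code from this thread or from any product mentioned in it): rather than trusting a top-level Content-Disposition header, the scanner below walks every MIME part, picks up filenames from either Content-Disposition or the Content-Type name= parameter, flags ".hta.gif"-style double extensions like the one described above, and looks inside text parts for active content. The list of "active" extensions and the sample message are constructed for the example.

```python
import email
import re
from email import policy

# Assumption: a representative list of extensions treated as active content.
ACTIVE_EXTS = {"hta", "vbs", "js", "exe", "scr", "pif", "com", "bat"}
ACTIVE_TAG = re.compile(r"<\s*(script|object|iframe)\b", re.I)

def classify_part(part):
    """Return (reason, detail) findings for one non-multipart MIME part."""
    findings = []
    # get_filename() checks Content-Disposition first, then Content-Type name=
    fname = part.get_filename()
    if fname:
        exts = [e.lower() for e in fname.split(".")[1:]]
        if exts and exts[-1] in ACTIVE_EXTS:
            findings.append(("active-extension", fname))
        elif any(e in ACTIVE_EXTS for e in exts[:-1]):
            # e.g. "report.hta.gif": dangerous extension hidden behind a benign one
            findings.append(("double-extension", fname))
        else:
            findings.append(("attachment", fname))
    if part.get_content_type() in ("text/html", "text/plain"):
        # Inspect the decoded body, not just the headers describing it
        if ACTIVE_TAG.search(part.get_content()):
            findings.append(("active-body", part.get_content_type()))
    return findings

def scan_message(raw: bytes):
    """Walk every leaf part of the message; headers alone decide nothing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if not part.is_multipart():
            results.extend(classify_part(part))
    return results

# Constructed sample: no Content-Disposition header anywhere, yet the message
# carries an HTML body with script and a part named with a double extension.
SAMPLE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<html><body><script>/* constructed */</script></body></html>
--XX
Content-Type: application/octet-stream; name="report.hta.gif"
Content-Transfer-Encoding: base64

aGVsbG8=
--XX--
"""

if __name__ == "__main__":
    for reason, detail in scan_message(SAMPLE):
        print(reason, detail)
```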
Current thread:
- HTML.dropper http-equiv () excite com (Jan 17)
- Re: HTML.dropper Nick FitzGerald (Jan 18)
- <Possible follow-ups>
- Re: HTML.dropper Shane Hird (Jan 19)