Vulnerability Development mailing list archives
UPDATE on possible new "e-mail virus" concept ?
From: zoa_chien () INAME COM (Zoa_Chien)
Date: Fri, 19 May 2000 23:01:37 +0200
Update:

Tested OK so far:
-------------------------
- Saving VALID .com and .batch files without the user being prompted in the temp inet files dir with their original names.
- Creating executable files with debug.

Not tested yet: (not possible?)
-----------------------
- Saving the files in a random directory using "../filename.exe"

New ideas:
------------------
- If changing directories is not possible, could it be possible to send someone an e-mail with an image source: http://www.server.com/virus.com (with that virus.com being a .com file that starts with BM) and enclose a .url file as an attachment that points to file:///c:/temp-inet-files/virus.com? (Using a link in the HTML code will not work, as it will prompt you for a download dir.) I noticed that .url files will work exactly like .lnk files if made properly. That means that if you double click on them in Win98, no warnings will be given, and the file will execute (if it's on your local HD).
- The remote server with the virus on it could change its version very frequently to avoid recognition by virus scanners, and no virus code will be in the attachment itself.
- This way, it could be possible to bypass mail scanners; I don't think they scan image files. This could be different if the extension is .com, of course. How do most AV scanners work? Do they check the attachments? Or do they monitor the creation of new files in general?
- I think the new Microsoft patch makes sure that .vbs files sent to you as an attachment can't be run just by clicking on them, but what if those files already exist on your HD? And we only point to those files in our attachment? Will it prevent us from running those files too? Remember that setting Outlook security settings for Internet Zone and Restricted Sites Zone will be bypassed too, because the files are already located on your very own hard disk the moment you preview the e-mail message.
- How about using .lnk / .chm files?
- Btw, for those that are interested: a .exe file renamed to any of the following extensions will still be executed in NT if double clicked upon: .scr .bat .pif .lnk .com .exe .cmd
  These filetypes can be used to point to other files: .url .lnk .pif
  Do you know of any other?

Zoa_Chien.
Alternative approach for writing e-mail viruses??
--------------------------------------------------------------------

Disclaimer:
-----------
None of this got tested, and chances are big that not everything will function. Everything I wrote is purely hypothetical, but I guess some ideas might be useful to know. (Please e-mail me if you did some testing on this; I don't have the time to test this myself.... (exams))

Background: (Skip this if you don't have the time)
-----------------
While looking for a way to bypass the Internet Explorer (I.E.) security setting that disables all downloads a while ago, I noticed that I.E. automatically downloads image files (unless you have images disabled) and stores them in the "Temporary Internet Files" folder. I did some testing on how I.E. (IE5, Win98) handles those image files and found that it downloads the first few bytes, checks for a valid image file header and, if the header is present, it will download the rest of the file. And when the complete file is downloaded it will try to show the image.

So, I took an executable file, changed the first 2 bytes (MZ) to BM with a hex editor (or edit.com /b) and then inserted this filename (renamed to file.bmp) as image source in an HTML page. When opening this page in I.E., the complete file got downloaded (I.E. assumed this was a .BMP file); however, it showed a red cross in I.E. like the ones you get with "image not found". If I changed the BM back to MZ and renamed it back to file.exe I was able to run this program; I even did a binary file compare and it was exactly the same as the original one (so no stripping occurred).

(I noticed that in NT4 things are different, since the Temporary Internet Files located in /winnt/profiles/admin/Local settings/ is a special directory type; could someone give me more info on this type of dir?)

I guess similar things will occur in other web browsers.

--
Virus concept: (not tested)
--------------
Meanwhile, I noticed that the image files for I.E. don't need to have a valid image file extension; anything will work fine. (And IE uses temporary files with the same name as the original files.)

So, why not send someone a virus.bat file as an image in an HTML mail? The first 2 bytes in the .bat file should be BM (or any other image file header). We all know that when an error occurs in a .bat file all it will do is say "Bad command or file name" and continue with the next line, so writing this BM in the beginning won't hurt.

Hmmm.. let's see: what can I do with .bat files... pretty much, but I prefer .exe files. Not a problem: with debug.exe I can dump executable files as hex in an ASCII file, and back to .exe. So, in the .bat file I will use some ECHO commands >> filehex.txt to create the hex file. The next line in the .bat file should contain the command line parameters for debug to create this .exe file. And the last line should execute this .exe file.

Example of how the .bat file should look:

-BOF-
BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd (this will cause an error, but who cares)
ECHO 22 EF SD E3 FE AD >> filehex.txt (should append, not overwrite)
ECHO 1D A6 E6 .... >> filehex.txt
...
debug -xxxxx filehex.txt file.exe (I don't remember the correct parameters)
file.exe
-EOF-

Of course, we would like this batch file to get executed automatically. This was not tested, but I think it might be possible to make a custom HTTP server that thinks "/../../../../../../file.bat" (or maybe "c:\file.bat") is valid, and when asked to send this file, it will not try to look in lower dirs to find the file, but simply will upload the file to the client. (I could use some %codes in the filename in the .html to scramble the dir and fool I.E.) That way, we might be able to save the temporary files in other dirs than the "Temporary Internet Files" folder.

If we are able to save the filename as c:\autoexec.bat we could let the file execute on the next bootup.

Enjoy!

Final note: maybe it is possible to create valid .com files with a valid image file header. (From good ol' times, I remember it was possible to give a .com file "PK" as the first 2 bytes of the file, thus avoiding getting scanned; just check the ASM meaning of the image file headers.)

Zoa_Chien (zoa_chien () iname com) - Vanheuverzwijn Joachim
www.securax.org
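A defender-side check for the header-swapped files the post describes (an added example, not code from the post or from securax.org): instead of trusting the "BM" magic, it looks for a PE signature reachable through the DOS header's e_lfanew field, tests whether the BMP header fields are self-consistent, and flags printable batch text sitting behind an image magic. All sample inputs are constructed here.

```python
import struct

# Constructed sample (not from the post): a minimal PE-shaped blob whose first two
# bytes were rewritten from "MZ" to "BM", the disguise the post describes.
def build_pe_as_bmp() -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew -> PE signature at 0x80
    blob = bytes(hdr) + b"PE\0\0" + b"\0" * 20
    return b"BM" + blob[2:]

# Constructed sample: a genuine 1x1 24-bit BMP with self-consistent size fields.
def build_real_bmp() -> bytes:
    pixel = b"\xff\x00\x00\x00"                    # one BGR pixel plus row padding
    size = 14 + 40 + len(pixel)
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    return file_hdr + dib + pixel

# Constructed sample: the batch-file variant, an image magic glued onto script text.
BAT_AS_BMP = b"BMqsdfjlk\r\nECHO 22 EF 5D E3 >> filehex.txt\r\nfile.exe\r\n"

def has_pe_signature(data: bytes) -> bool:
    """True if a DOS-style e_lfanew at offset 0x3C points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(data: bytes) -> str:
    """Label bytes as 'bmp', 'pe', 'pe-as-bmp', 'script-as-bmp' or 'unknown'."""
    magic = data[:2]
    if magic == b"MZ":
        return "pe" if has_pe_signature(data) else "unknown"
    if magic != b"BM":
        return "unknown"
    if has_pe_signature(data):
        return "pe-as-bmp"                         # image magic, executable body
    if len(data) >= 18:
        size, _, _, pix_off = struct.unpack_from("<IHHI", data, 2)
        dib = struct.unpack_from("<I", data, 14)[0]
        # A real BMP's declared size and pixel offset fit the data; DIB header is a known size.
        if size == len(data) and dib in (12, 40, 108, 124) and 14 + dib <= pix_off <= len(data):
            return "bmp"
    body = data[2:]
    if body and all(32 <= b < 127 or b in (9, 10, 13) for b in body) and b"ECHO " in body.upper():
        return "script-as-bmp"                     # image magic, printable batch text
    return "unknown"
```

The same idea applies to any cached download: classify by structure, not by the two-byte magic or the extension a browser or mail client assigned.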