EUDORA Re: Automatically opening + Executing attachments

["http-equiv () excite com" <http-equiv () malware com>]

"GreyMagic Software" <security () greymagic com> wrote

 
> <style>
> a { display:none; }
> </style>
> <body>
> Hello, Eudora.
> <xml:namespace prefix="t"/>
> <t:video style="display:none;behavior:url(#default#time);"
> t:src="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv"/>
> </body>
>
> <t:video> is an element available in HTML+TIME, an implementation 
of W3C's
> SMIL by Microsoft (IE5+).
> It does not suffer from the same limitations the <img> element has, 
it can
> invoke any embedded URLs.

To add to the fray, hereunder is a different technique incorporating 
both GreyMagic Software's findings and Richard M Smith's recent 
findings entitled: How Outlook 2002 can still execute JavaScript in 
an HTML email message 
[http://www.securityfocus.com/archive/1/263429]. 

Commence like so:

a) <img src="malware.html">
b) <img src="malware.wma">
c) <img src="malware.exe">

Construct an html mail message and fire it off to the Eudora 
recipient. Default install of Eudora includes: 

'allow executables in HTML content' DISABLED 
'use Microsoft viewer' ENABLED 

along with known path name (on win98) of the embedded folder or 
attach folder. In this scenario we are embedding the files and expect 
them to end up in the embedded folder located here:

C:\Program Files\Qualcomm\Eudora\Embedded

Everything is almost the same as GreyMagic Software's findings except 
as follows:

Mail message is received and opened by the recipient. All three 
embedded files are transferred silently and instantly to the embedded 
folder:

image a) includes the following very simple html code:

<iframe src="malware.wma">
<applet CLASSID='CLSID:11111111-1111' CODEBASE='malware.exe '>

image b) contains our run-of-the-mill 0s media file with script 
command URL flip. This url flip points to malware.html. Note any one 
of a number of media files can contain this.

image c) is our friendly *.exe

All files now transferred to the embedded folder. We need to access 
our malware.html to trigger everything of. How so?

Our old friend the very simple the very simple HTTP-EQUIV meta tag 
known as refresh

<meta http-equiv="refresh"content="5;  url=C:\Program 
Files\Qualcomm\Eudora\Embedded\malware.html"> 

note: with or without 'allow executables in HTML content' the meta 
refresh functions as designed.

What happens is, the mail message is viewed, the meta refresh springs 
open the malware.html file located in the embedded folder. Because we 
have transferred this file through either attachment or embedded it, 
it bypasses Eudora's security of stripping questionable html tags 
[<object...; <iframe..etc], the malware.html is opened in Eudora's 
Microsoft viewer and as Richard M Smith indicates, the malware.wma is 
considered safe and automatically opened by the iframe. This invokes 
Windows Media Player, which in turn reads the 0s script command URL 
flip, which is pointing back to our malware.html, which in turn also 
contains our codebase object that fires the malware.exe.

note: <object directly inside malware.html fails because 'allow 
executables in HTML content' is still disabled, hence the circuitous 
routing via the iframe, opening the media file, url flip back to the 
malware.html in the browser outside of the security zone. 

All because they are all located inside the embedded folder, with 
known location on default installs, which are outside of the IE 
browser security settings. 

IE6 has an option for meta refresh which is off by default. Possibly 
this kill the process [not tested].

In any event this should also be of interest to the manufacturer when 
[if] they fix GreyMagic Software's findings.

Tested on win98, IE6, WMP 7.01, Eudora 5.01 [free version].

notes: to transfer embedded files to the embedded folder:

http://www.securityfocus.com/bid/2490
http://www.securityfocus.com/bid/2796

> -----Original Message-----
> From: GreyMagic Software [mailto:security () greymagic com]
> Sent: Friday, March 22, 2002 14:09
> To: Bugtraq; NTBugtraq
> Subject: Automatically opening IE + Executing attachments
>
>
> GreyMagic Security Advisory GM#002-IE
> =====================================
>
> By GreyMagic Software, Israel.
> 22 Mar 2002.
>
> Available in HTML format at http://security.greymagic.com/adv/gm002-
ie/
> Topic: Automatically opening IE + Executing attachments.
>
> Discovery date: 15 Mar 2002.
>
> Important note:
> ===============
>
> We were not going to release this advisory until 27 Mar 2002 (10 
days after
> contacting Microsoft), but since a similar advisory was made public 
by
> Richard M. Smith we felt that there's no sense in waiting any 
longer.
> Affected applications:
> ======================
>
> Any application that hosts the WebBrowser control is affected since 
this
> exploit does not require Active Scripting or ActiveX. Some of these
> applications are:
>
> * Qualcomm Eudora
> * Microsoft Outlook
> * Microsoft Outlook Express
>
>
> Introduction:
> =============
>
> This advisory contains two issues, but since they are closely linked
> together it was decided to release it as one.
>
> The focus will be on the more generic issue, the ability to open the
> Microsoft Internet Explorer application and have it fetch a URL 
regardless
> of the zone in which the user resides or the application in use.
>
> WMV/WMA stands for Windows Media Video/Audio. It is a proprietary 
format
> developed by Microsoft for video/audio streaming (also available 
for offline
> uses).
>
> WMV/WMA generally plays under Windows Media Player and has the 
ability to
> include a form of script that lets developers control various 
aspects of the
> movie.
>
>
> Discussion:
> ===========
>
> One of the available script features is the URL command, which 
enables the
> player to open a URL at a specific time in the media's timeline.
>
> This means that even if it is played in the "Restricted zone", it 
can easily
> open a URL in the "Internet zone" or any other zones in which a URL 
is known
> to exist and of which the attacker has control over.
>
> A few methods are available for playing WMV/WMA on a web page:
>
> * Windows Media Player, which requires use of the <object> element -
 isn't
> usable in the "Restricted zone".
> * The <embed> element, which is sometimes filtered out (see Eudora).
> * The dynsrc property of the <img> element.
> * And more...
>
>
> Exploit:
> ========
>
> A good example of where this issue is dangerous is when an attacker 
knows
> the path to attached files.
>
> Eudora is a popular email client; by default it uses the WebBrowser 
control
> for viewing email messages. However, it attempts to secure itself by
> filtering out elements such as <iframe>, <object>, <embed>, etc.
>
> Eudora stores its attachments (by default) in "C:/Program
> Files/Qualcomm/Eudora/Attach", an attacker is likely to guess other 
paths to
> Eudora, such as different drive letters or similar minor changes.
>
> When an email is sent to Eudora containing the following HTML 
content:
> <style>
> a, img { display:none; }
> </style>
> Hello, Eudora.
> <img 
dynsrc="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv">
> And the following attachments:
>
> * gmlaunch.wmv (~4 KB)
> * gmbind.html (~1 KB)
> * malicious.exe
>
> The following chain of events occurs:
>
> * The victim receives the email, Eudora automatically copies all 
attachments
> to "C:/Program Files/Qualcomm/Eudora/Attach" immediately.
>
> * The victim clicks on the email in order to delete it or view it 
in the
> preview pane.
>
> * The HTML in the email renders, the style sheet removes any sign 
of the
> attached files (Eudora shows them as <a> elements), the only 
indication the
> victim has to the fact there are attached files is the little icon 
next to
> the message.
>
> * The <img> element causes the attached "gmlaunch.wmv" to play, the 
victim
> sees no sign of any media playing thanks to the style sheet again.
>
> * "gmlaunch.wmv" opens Microsoft Internet Explorer and points it at 
the
> attached "gmbind.html".
>
> * "gmbind.html" (now in the "My Computer zone") immediately issues a
> "blur()" DOM command, increasing the chance of the victim not to 
notice it.
> * "gmbind.html" then continues to include an <object> element with 
its
> codebase attribute pointing at the attached "malicious.exe".
>
> * "malicious.exe" is executed, the attacker now has full control 
over the
> victim's computer.
>
> All this happens in less than 2 seconds, there is hardly anything 
the user
> can do to prevent this chain reaction once the email is viewed.
>
> This exploit is not limited to Eudora in any way and can be 
utilized in any
> application that uses the WebBrowser control (even in 
the "Restricted zone")
> and has a predictable path to attached files.
>
> Tested and confirmed to work with Qualcomm Eudora 5.1, prior 
versions may be
> affected as well.
>
>
> Note:
>
> It's theoretically possible to do the same with Outlook and Outlook 
Express
> by using the cid: protocol instead of the known path. When the URL 
that
> "gmlaunch.wmv" tries to open is relative (i.e: "some.html" instead 
of
> "file://c:/some.html") it is opened relatively to the folder which 
contains
> "gmlaunch.wmv" - the Temporary Internet Files folder in this case.
>
> The rest is pretty similar from there on, except that some well-
known
> trickery is needed in order to put the attached files in the 
temporary files
> folder and that some more scripting is needed on the opened HTML in 
order to
> parse the path and inject it to the <object> element.
>
> However, we did not have time to fully test the above with Outlook.
>
>
> Solution:
> =========
>
> Eudora users: Do not use the WebBrowser control to view messages, 
go to
> Tools -> Options -> Viewing Mail, uncheck "Use Microsoft's viewer". 
You
> could also change the attachments folder to something unique [1].
>
> Vendors using the WebBrowser control: Under no circumstances use 
predictable
> paths for foreign attachments.
>
> Microsoft was first informed on 17 Mar 2002, they have opened an
> investigation regarding this issue.
> Qualcomm was informed on the same day, we did not receive a reply.
>
> [1] http://eudora.com/techsupport/kb/2020hq.html
>
>
> Tested on:
> ==========
>
> The following tested applications all automatically open Microsoft 
Internet
> Explorer as a result of running WMV/WMA.
>
> * Microsoft Internet Explorer 5/5.5/6.
> * Qualcomm Eudora 5.1, "Sponsored mode".
> * Microsoft Outlook Express 5/6.
> * Microsoft Outlook 2000.
>
>
> Feedback:
> =========
>
> Please mail any questions or comments to security () greymagic com.
>
> - Copyright © 2002 GreyMagic Software.


-- 
http://www.malware.com