funsec mailing list archives

RE: Ilfak's WMF patch v. Microsoft's solution

From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 2 Jan 2006 09:08:44 -0500

Creating a email message with an IFRAME and a CID: .WMF file is easier said
than done. ;-)

Richard 

-----Original Message-----
From: Aviram Jenik [mailto:aviram () beyondsecurity com] 
Sent: Monday, January 02, 2006 8:51 AM
To: funsec () linuxbox org
Cc: Larry Seltzer; 'Richard M. Smith'
Subject: Re: [funsec] Ilfak's WMF patch v. Microsoft's solution

CID is only about the location of the image. AFAIK it was never about image
format.

When you write in an HTML code:

<IMG SRC="http://www.example.com/image.gif";> 

the image is pulled from the remote server. But when you write:
<IMG SRC="CID:image.gif"> 

Outlook/OE know to look for the image called "image.gif" in the attachments
in the current message. When you write an HTML message in outlook and add
images, the CID should be added automatically.

If you want to test this, take a vulnerable WMF and construct an HTML
message that has this image embedded. Then send it to yourself, and report
what happened. I don't have an Outlook anywhere near me or I'll do it
myself.

--
Aviram Jenik
CEO, Beyond Security
(703) 286-7725 x104

http://www.BeyondSecurity.com
http://www.SecuriTeam.com

On Monday, 2 January 2006 15:28, Larry Seltzer wrote:

My refernce for a CID spec is for CID URLs, not the format of the target.
Oops.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] 
On Behalf Of Richard M. Smith
Sent: Monday, January 02, 2006 8:19 AM
To: funsec () linuxbox org
Subject: RE: [funsec] Ilfak's WMF patch v. Microsoft's solution

I wish I knew how to build an email message with IFRAME and the CID:
protocol.  It don't feel conformtable assuming this trick wouldn't work.

BTW, I discovered that there are different types of .WMF files.  
Certain .WMF files are displayed by IE directly and do not fire up the 
Windows Picture/FAX viewer when they are referenced by an IFRAME.

Richard

-----Original Message-----
From: Larry Seltzer [mailto:larry () larryseltzer com]
Sent: Monday, January 02, 2006 7:58 AM
To: 'Richard M. Smith'; funsec () linuxbox org
Subject: RE: [funsec] Ilfak's WMF patch v. Microsoft's solution


You're also presuming that the format and implementations of CID: 
support WMFs. The fact that we haven't seen one so far makes me wonder 
if this is the case.

I think the CID format is described here:
http://www.rfc-editor.org/rfc/rfc2111.txt and there is more useful 
info
here: http://mailformat.dan.info/body/html.html

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] 
On Behalf Of Richard M. Smith
Sent: Monday, January 02, 2006 7:27 AM
To: funsec () linuxbox org
Subject: RE: [funsec] Ilfak's WMF patch v. Microsoft's solution

I believe that it is possible that all versions of Outlook and Outlook 
Express will render an IFRAME in HTML email messages if the IFRAME 
uses the
CID: protocol to reference an attached file.  IFRAMEs will work in 
this situation  regardless of security settings.  I know for example 
that Outlook 2003 never blocks images loaded with the CID: protocol in 
HTML email messages.

If my theory is correct, then it should be possible to build a worm 
that auto-executes simply by reading an HTML email message.  The worm 
also would not require an external Web site to operate.

I asked Microsoft about the IFRAME/CID: issue on Friday.  They haven't 
said yet if this is a problem or not.  I don't have any good way to 
test it myself.

Richard

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Ilfak's WMF patch v. Microsoft's solution, (continued)
- - - Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 01)
    - Re: Ilfak's WMF patch v. Microsoft's solution Matthew Murphy (Jan 01)
    - RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
    - RE: Ilfak's WMF patch v. Microsoft's solution Hank Nussbacher (Jan 02)
    - RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
    - Re: Ilfak's WMF patch v. Microsoft's solution Alex Shipp (elist) (Jan 03)
    - RE: Ilfak's WMF patch v. Microsoft's solution Larry Seltzer (Jan 02)
    - RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
    - RE: Ilfak's WMF patch v. Microsoft's solution Larry Seltzer (Jan 02)
    - Re: Ilfak's WMF patch v. Microsoft's solution Aviram Jenik (Jan 02)
    - RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
    - Re: Ilfak's WMF patch v. Microsoft's solution Matthew Murphy (Jan 02)
    - RE: Ilfak's WMF patch v. Microsoft's solution Richard M. Smith (Jan 02)
    - Re: Ilfak's WMF patch v. Microsoft's solution Matthew Murphy (Jan 02)
    - potential worm exploiting WMF [was: Ilfak's WMF patch v. Microsoft's solution] Gadi Evron (Jan 03)
    - Re: potential worm exploiting WMF [was: Ilfak's WMF patch v. Microsoft's solution] Matthew Murphy (Jan 03)
- RE: Re[4]: Ilfak's WMF patch Todd Towles (Jan 03)