[Esa-l] HTML.dropper (fwd)

John D. Hardin jhardin at wolfenet.com
Thu Jan 18 00:09:06 PST 2001


How in the world could MS possibly have written the mail program such
that it would interpret a long subject as an attachment name? BO,
anyone?

So what do we do? Arbitrarily limit all headers to 256 characters?

Sigh.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.
                                  -- Charles Murray
-----------------------------------------------------------------------
   17 days until she returns

---------- Forwarded message ----------
Date: Wed, 17 Jan 2001 09:09:14 -0800
From: "http-equiv at excite.com" <http-equiv at excite.com>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: HTML.dropper

Internet Explorer 5.5 and accompanying mail and news client afford us the
unique ability to dictate which icons and file extensions we require.
Specifically, we are able to manufacture an email message to appear as one
thing when in fact it is not:

1. What?

By carefully calculating a certain length of characters in the subject field
of an email message, Outlook Express 5.5 for whatever reason creates an
attachment incorporating the text in the body of the message.

2. And

We have in fact not attached anything, yet there is a fully functional
attachment. Furthermore we can dictate which file association and applicable
icon we require in order to execute our file. We can create it to appear as
an image file, sound file, html file etc. etc.

3. What does this mean:

MIME-Version: 1.0
To: http-equiv at excite.com
Subject:
.hta
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit

This will create an email message with no reference to attachments in the
headers. This can be particularly troublesome to content filtering gateways
and/or security applications that strip attachments through header
information that is content disposition: attachment; content-type:
application/malware; filename: iloveyou.vbs

What the above does is create an attachment, which in this case is an *.hta
file, but by manipulating the content-type, it is given an image file icon.
We then include in the body of our email message the very simple code to
execute whatever we wish, which is automatically incorporated into the
manufactured attachment.

4. Working example below.

Note: Right-click and save to disk. To be opened in the mail client. Harmless
WSH code to execute telnet.exe on the local machine.

http://www.malware.com/dropper.eml


5. The possibilities are endless. Any text based executable will suffice. It
is also trivial to introduce outside code into the temporary internet
folder, where the *.hta is opened.  We can draw an executable into the TIF
via the image tag (though it numbers), and also by the bgsound tag (which is
not numbered).

The main problem lies in the fact that we can dictate the icon, which has
always been a goal of the VX community to dupe recipients. Furthermore the fact
that there is no legitimate header information for content filtering and
security application screening of attachments etc. is equally problematic.

Tested on IE5.5 and OE5.5, win98, fully patched and updated with all
so-called service packs.

Notes:

1. There is still the security warning with opening the file. However the
icon representing the content type should override most, if not all,
concern.

2. The actual file extension (*.hta in this case) seems to have to appear in
the security warning dialogue box; you can see it at the very end to
execute. If the subject length is too long, it creates an odd *.tx file
which calls up a 'what do you want to open this with [something to this
effect]' system requirement.

3. This appears to be somewhat similar to something examined several months
ago:

http://www.malware.com/yoko.html

===
Irrelevant Notes:

a. We don't mind multi-million dollar security companies cutting and pasting
our working examples into test sites to promote their products, you can at
least acknowledge whose creation it is.

b. We received numerous unsolicited offerings to acquire our domain, ranging
from ridiculous quantums of currency to bizarre JV proposals. We will
examine for the next several months proposals under both circumstances and
should anyone have genuine interest, contact bug at malware.com, all
communications will be held in the strictest of confidence. Time-wasters
will be shown the door however.

end call
===

---
http://www.malware.com
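A gateway-side check for the malformed-header pattern this post describes, written as an added example that is not part of the original message: it flags a header block containing a line that is neither a field nor a folded continuation (the "Subject:" / ".hta" split above), a subject ending in a script extension, a header longer than the 256-character cutoff floated in the reply, and a non-text top-level Content-Type with no Content-Disposition. The extension list beyond .hta and .vbs, and the assumption that the client glues the stray line onto the Subject, are mine.

```python
import re
from typing import Dict, List, Tuple

# Extensions Outlook Express hands to a script host. The post names .hta and
# .vbs; the remaining entries are an assumption for this example.
RISKY_EXTENSIONS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".scr")
MAX_HEADER_LEN = 256  # the arbitrary cutoff suggested in the reply above
HEADER_RE = re.compile(r"^[!-9;-~]+:")  # RFC 822 field-name followed by ':'

def parse_headers(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Unfold the header block. Returns (headers, stray lines). A stray line is
    neither a field nor a whitespace-led continuation; the gateway and the mail
    client may disagree on where the headers end, which is the filter bypass."""
    lines = raw.replace("\r\n", "\n").split("\n")
    block = lines[: lines.index("")] if "" in lines else lines
    headers: Dict[str, str] = {}
    stray: List[str] = []
    current = None
    for line in block:
        if line[:1] in (" ", "\t") and current:
            headers[current] += " " + line.strip()
        elif HEADER_RE.match(line):
            name, _, value = line.partition(":")
            current = name.lower()
            headers[current] = value.strip()
        else:
            stray.append(line)
    return headers, stray

def scan_message(raw: str) -> List[str]:
    """Return reasons to quarantine the message; an empty list means none seen."""
    headers, stray = parse_headers(raw)
    findings = [f"malformed header line {s!r}" for s in stray]
    # Assumed client behaviour: the stray line is appended to the Subject.
    subject_text = (headers.get("subject", "") + " " + " ".join(stray)).lower()
    if subject_text.rstrip().endswith(RISKY_EXTENSIONS):
        findings.append("subject ends in a script/executable extension")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append(f"{name} header exceeds {MAX_HEADER_LEN} chars")
    ctype = headers.get("content-type", "text/plain").split(";")[0].strip().lower()
    if not ctype.startswith(("text/", "multipart/")) and "content-disposition" not in headers:
        findings.append(f"top-level {ctype} body with no Content-Disposition")
    return findings

# Constructed sample mirroring the header layout in the post, with an inert body.
SAMPLE = ("MIME-Version: 1.0\nTo: recipient@example.invalid\nSubject:\n.hta\n"
          "Content-Type: image/gif; charset=us-ascii\n"
          "Content-Transfer-Encoding: 7bit\n\nplaceholder body\n")
```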