[NT] Automatically Opening Internet Explorer and Execution of Attachments (WebBrowser)

From: support@securiteam.com
Date: 03/23/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 23 Mar 2002 17:33:52 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Automatically Opening Internet Explorer and Execution of Attachments
(WebBrowser)
------------------------------------------------------------------------

SUMMARY

This advisory contains two issues, but since they are closely linked
together it was decided to release it as one.

The focus will be on the more generic issue, the ability to open the
Microsoft Internet Explorer application and have it fetch a URL regardless
of the zone in which the user resides or the application in use.

WMV/WMA stands for Windows Media Video/Audio. It is a proprietary format
developed by Microsoft for video/audio streaming (also available for
offline uses).

WMV/WMA generally plays under Windows Media Player and has the ability to
include a form of script that lets developers control various aspects of
the movie.

DETAILS

Affected applications:
Any application that hosts the WebBrowser control is affected since this
exploit does not require Active Scripting or ActiveX. Some of these
applications are:
 * Qualcomm Eudora
 * Microsoft Outlook
 * Microsoft Outlook Express

Vulnerable systems:
 * Microsoft Internet Explorer 5/5.5/6
 * Qualcomm Eudora 5.1, "Sponsored mode"
 * Microsoft Outlook Express 5/6
 * Microsoft Outlook 2000

One of the available script features is the URL command, which enables the
player to open a URL at a specific time in the media's timeline.

This means that even if the media is played in the "Restricted zone", it can
easily open a URL in the "Internet zone" or in any other zone where a URL
under the attacker's control is known to exist.

A few methods are available for playing WMV/WMA on a web page:
 * Windows Media Player, which requires use of the <object> element and is
therefore not usable in the "Restricted zone".
 * The <embed> element, which is sometimes filtered out (see Eudora).
 * The dynsrc property of the <img> element.
 * And more...

Exploit:
A good example of where this issue is dangerous is when an attacker knows
the path to attached files.

Eudora is a popular email client; by default it uses the WebBrowser
control for viewing email messages. However, it attempts to secure itself
by filtering out elements such as <iframe>, <object>, <embed>, etc.

Eudora stores its attachments (by default) in "C:/Program
Files/Qualcomm/Eudora/Attach"; an attacker can also easily guess other
likely Eudora paths, such as different drive letters or similar minor
variations.

When an email is sent to Eudora containing the following HTML content:
<style>
a { display:none; }
</style>
<body>
Hello, Eudora.
<xml:namespace prefix="t"/>
<t:video style="display:none;behavior:url(#default#time);"
t:src="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv"/>
</body>

And the following attachments:
 * gmlaunch.wmv (~4 KB)
 * gmbind.html (~1 KB)
 * malicious.exe

The following chain of events occurs:
 * The victim receives the email; Eudora immediately copies all
attachments to "C:/Program Files/Qualcomm/Eudora/Attach".
 * The victim clicks on the email in order to delete it or view it in the
preview pane.
 * The HTML in the email renders. The style rule removes any sign of the
attached files (Eudora shows them as <a> elements); the only indication
the victim has of the fact that there are attached files is the little icon
next to the message.
 * The <t:video> element causes the attached "gmlaunch.wmv" to play; the
victim sees no sign of any media playing thanks to the display style
attribute.
 * "gmlaunch.wmv" opens Microsoft Internet Explorer and points it at the
attached "gmbind.html".
 * "gmbind.html" (now in the "My Computer zone") immediately issues a
"blur()" DOM command, increasing the chance that the victim does not notice
it.
 * "gmbind.html" then includes an <object> element with its codebase
attribute pointing at the attached "malicious.exe".
 * "malicious.exe" is executed; the attacker now has full control over the
victim's computer.

All this happens in less than 2 seconds; there is hardly anything the user
can do to prevent this chain reaction once the email is viewed.

This exploit is not limited to Eudora in any way and can be used against
any application that uses the WebBrowser control (even in the "Restricted
zone") and has a predictable path to attached files.

Confirmed to work with Qualcomm Eudora 5.1, prior versions may be affected
as well.
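As an added defender-side example (not part of the advisory or of GreyMagic's work), the following Python scanner flags the three indicators the payload above relies on: a CSS rule that hides <a> elements, an HTML+TIME behavior on an element, and a media source attribute pointing at a local file:// path. ADVISORY_SAMPLE is the HTML quoted earlier in this advisory; the regexes, finding labels and function names are my own.

```python
"""Flag HTML mail bodies that use the hidden-media auto-launch pattern."""
import re
from html.parser import HTMLParser

# Indicator patterns (mine), derived from the advisory's payload.
TIME_BEHAVIOR = re.compile(r"behavior\s*:\s*url\(\s*#default#time\s*\)", re.I)
LOCAL_FILE = re.compile(r"^\s*file:", re.I)
HIDE_LINKS = re.compile(r"\ba\s*\{[^}]*display\s*:\s*none", re.I | re.S)
MEDIA_ATTRS = ("src", "t:src", "dynsrc")  # attributes that can carry a media URL

# The advisory's own sample message body, embedded for offline testing.
ADVISORY_SAMPLE = """<style>
a { display:none; }
</style>
<body>
Hello, Eudora.
<xml:namespace prefix="t"/>
<t:video style="display:none;behavior:url(#default#time);"
t:src="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv"/>
</body>"""


class MailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False  # html.parser hands <style> text to handle_data

    def handle_starttag(self, tag, attrs):  # also reached for <tag .../>
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        if tag == "xml:namespace":
            self.findings.append("time-namespace-declared")
        if TIME_BEHAVIOR.search(attrs.get("style", "")):
            self.findings.append(f"time-behavior:{tag}")
        for name in MEDIA_ATTRS:
            if LOCAL_FILE.match(attrs.get(name, "")):
                self.findings.append(f"local-file-source:{tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and HIDE_LINKS.search(data):
            self.findings.append("links-hidden-by-css")


def scan_html_mail(body):
    """Return the sorted, de-duplicated list of indicator labels found in body."""
    scanner = MailScanner()
    scanner.feed(body)
    scanner.close()
    return sorted(set(scanner.findings))


def is_suspicious(body):
    """True when the body loads local media or carries an HTML+TIME behavior."""
    return any(f.startswith(("local-file-source", "time-behavior"))
               for f in scan_html_mail(body))
```

A mail gateway would run scan_html_mail over each HTML part and quarantine or strip media elements when is_suspicious returns True.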

Note:
It's theoretically possible to do the same with Outlook and Outlook
Express by using the cid: protocol instead of the known path. When the URL
that "gmlaunch.wmv" tries to open is relative (i.e. "some.html" instead of
"file://c:/some.html"), it is opened relative to the folder which
contains "gmlaunch.wmv" - the Temporary Internet Files folder in this
case.

The rest is pretty similar from there on, except that some well-known
trickery is needed in order to put the attached files in the temporary
files folder and that some more scripting is needed on the opened HTML in
order to parse the path and inject it to the element.

However, we did not have time to fully test the above with Outlook.

Solution:
Eudora users: Do not use the WebBrowser control to view messages, go to
Tools -> Options -> Viewing Mail, uncheck "Use Microsoft's viewer". You
could also change the attachments folder to something unique.

Vendors using the WebBrowser control: Under no circumstances use
predictable paths for foreign attachments.

Microsoft was first informed on 17 Mar 2002, they have opened an
investigation regarding this issue.

Qualcomm was informed on the same day, we did not receive a reply.

ADDITIONAL INFORMATION

The information has been provided by <mailto:security@greymagic.com>
GreyMagic Software.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

