[NEWS] Using data: URLs for Malware Injection (Opera)
From: SecuriTeam (support_at_securiteam.com)
Date: 01/12/05
To: list@securiteam.com Date: 12 Jan 2005 11:56:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Using data: URLs for Malware Injection (Opera)
------------------------------------------------------------------------
SUMMARY
As described by Darren Bounds in an earlier posting
<http://www.securiteam.com/securitynews/5LP0C0AEKS.html>, RFC 2397 allows
data to be embedded in an HTML-formatted document. While Darren only used
this for malicious images, Michael did some further research which shows
that this can also be used to embed an executable file into the document.
As shown by Darren, such embedded data is not detected by current AV
gateways. This could be abused by websites (and probably HTML email too)
for distributing malware.
DETAILS
Vulnerable Systems:
* Opera version 7.5.4
Immune Systems:
* Internet Explorer version 6
* Firefox version 1.0
* Mozilla version 1.5.4
The attack works by using a URL scheme like this:
<a href="data:application/x-msdos-program;base64,[base64 data]">Click me!</a>
Michael has made an example available which embeds putty.exe. The example
is about 500 kByte of HTML and is available at
<http://kju.de/misc/putty.html>.
Michael's tests with various Windows-based web browsers had the following
results:
* Internet Explorer 6 - Clicking on the link does nothing.
* Mozilla version 1.5.4 - Tries to open the "what should I do with that"
file dialog and then hangs. It needs to be killed.
* Firefox version 1.0 - Allows saving the data to hard disk (on Linux it
will also display much rubbish in the save dialog).
* Opera version 7.5.4 - Says that it will open the file with Notepad
(which sounds OK), but will then EXECUTE IT INSTEAD (without further
warning).
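A gateway-side check for the gap described above, as an added example that
is not part of the original advisory: it parses HTML, decodes every RFC 2397
data: URL found in any attribute, and flags payloads whose declared media
type is executable or whose bytes begin with the MZ magic. The function
names, the EXEC_TYPES set and the sample are assumptions made for
illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# RFC 2397 form: data:[<mediatype>][;base64],<data>
DATA_URL = re.compile(r"\s*data:([^,]*),(.*)", re.IGNORECASE | re.DOTALL)
# Media types treated as executable here (an assumption; extend per policy).
EXEC_TYPES = {"application/x-msdos-program", "application/x-msdownload"}
# Constructed sample: a GIF-labelled link whose payload starts with "MZ".
SAMPLE = '<a href="data:image/gif;base64,TVqQAAMAAAA=">Click me!</a>'

def decode_data_url(url):
    """Return (mediatype, payload bytes) for a data: URL, else None."""
    m = DATA_URL.fullmatch(url)
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    raw = unquote_to_bytes(m.group(2))
    if "base64" in params[1:]:
        try:
            # Whitespace inside the base64 body is stripped before decoding.
            raw = base64.b64decode(re.sub(rb"\s+", b"", raw))
        except ValueError:
            raw = b""  # undecodable body: judge on the declared type only
    return params[0] or "text/plain", raw  # text/plain is the RFC default

class DataUrlScanner(HTMLParser):
    """Flag data: URLs in any attribute (href, src, ...) carrying an executable."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            mediatype, payload = decode_data_url(value or "") or ("", b"")
            reasons = []
            if mediatype in EXEC_TYPES:
                reasons.append("declared type " + mediatype)
            if payload[:2] == b"MZ":  # DOS/PE executable magic
                reasons.append("MZ header in payload")
            if reasons:
                self.findings.append((tag, name, reasons))

def scan_html(html):
    scanner = DataUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Checking the decoded bytes as well as the declared type matters because the
media type in a data: URL is chosen by whoever wrote the page.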
ADDITIONAL INFORMATION
The information has been provided by Michael Holzt
<mailto:kju-fd@fqdn.org>.