[NEWS] Using data: URLs for Malware Injection (Opera)

From: SecuriTeam (support_at_securiteam.com)
Date: 01/12/05

    To: list@securiteam.com
    Date: 12 Jan 2005 11:56:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Using data: URLs for Malware Injection (Opera)
    ------------------------------------------------------------------------

    SUMMARY

    As described by Darren Bounds in an
    <http://www.securiteam.com/securitynews/5LP0C0AEKS.html> earlier posting,
    RFC 2397 allows data to be embedded in an HTML-formatted document. While
    Darren only used this for malicious images, Michael did some further
    research which shows that it can also be used to embed an executable
    file in the document. As shown by Darren, such embedded data is not
    detected by current AV gateways. This could be abused by websites (and
    probably HTML email too) to distribute malware.

    DETAILS

    Vulnerable Systems:
     * Opera version 7.5.4

    Immune Systems:
     * Internet Explorer version 6
     * Firefox version 1.0
     * Mozilla version 1.5.4

    The attack works by using a URL scheme like this:
       <a href="data:application/x-msdos-program;base64,[base64 data]">Click me!</a>

    Michael has made an example available which embeds putty.exe. The example
    is about 500 kByte of HTML and is available at
    <http://kju.de/misc/putty.html>.

    Michael's tests with various Windows-based web browsers had the following
    results:
     * Internet Explorer 6 - Clicking on the link does nothing
     * Mozilla version 1.5.4 - Tries to open the "what should I do with
    that" file dialog and then hangs; it needs to be killed
     * Firefox version 1.0 - Allows saving the data to hard disk (on Linux
    it will also display much rubbish in the save dialog)
     * Opera version 7.5.4 - Says that it will open the file with Notepad
    (which sounds OK), but will then EXECUTE IT INSTEAD (without further
    warning)

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:kju-fd@fqdn.org> Michael
    Holzt.
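
Added example (not part of the original advisory or Michael's test page): a gateway-side check for the gap described above, which parses RFC 2397 URLs in link and embed attributes and inspects the decoded bytes rather than trusting the declared media type. The function names, the EXEC_TYPES policy list and the sample HTML are assumptions constructed for illustration.

```python
import base64, re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
DATA_URL = re.compile(r"^data:(?P<meta>[^,]*),(?P<body>.*)$", re.I | re.S)
URL_ATTRS = ("href", "src", "data")
# Assumed policy list: media types a gateway should not pass inline.
EXEC_TYPES = {"application/x-msdos-program", "application/x-msdownload"}

def inspect_data_url(url):
    """Return (mediatype, decoded_bytes) for a data: URL, or None otherwise."""
    m = DATA_URL.match((url or "").strip())
    if not m:
        return None
    params = [p.strip().lower() for p in m.group("meta").split(";")]
    raw = unquote_to_bytes(m.group("body"))  # undo %XX escapes first
    if "base64" in params[1:]:
        b64 = b"".join(raw.split())  # tolerate line-wrapped base64
        try:
            raw = base64.b64decode(b64 + b"=" * (-len(b64) % 4))
        except ValueError:
            raw = b""  # undecodable body: fall back to the media type check
    return params[0] or "text/plain", raw

class DataUrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            parsed = inspect_data_url(value) if name in URL_ATTRS else None
            if parsed is None:
                continue
            mediatype, payload = parsed
            is_pe = payload[:2] == b"MZ"  # DOS/PE magic on the decoded bytes
            if is_pe or mediatype in EXEC_TYPES:
                self.findings.append((tag, mediatype, is_pe, len(payload)))

def scan_html(html):
    scanner = DataUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
# Constructed sample: a 16-byte stub starting with "MZ", not a real program.
STUB = base64.b64encode(b"MZ" + b"\x00" * 14).decode()
SAMPLE_HTML = (f'<a href="data:application/x-msdos-program;base64,{STUB}">Click me!</a>'
               f'<a href="data:image/png;base64,{STUB}">mislabelled</a>'
               '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">')
```

The second link in the sample is flagged even though it declares image/png, because the check runs on the decoded payload; the GIF image is passed.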


