[NEWS] Using data: URLs for Malware Injection (Opera)
From: SecuriTeam (support_at_securiteam.com)
Date: 01/12/05
To: list@securiteam.com Date: 12 Jan 2005 11:56:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Using data: URLs for Malware Injection (Opera)
------------------------------------------------------------------------
SUMMARY
As described by Darren Bounds in an earlier posting
(http://www.securiteam.com/securitynews/5LP0C0AEKS.html), RFC 2397 allows
data to be embedded directly into an HTML formatted document. While Darren
only used this for malicious images, Michael did some further research
which shows that this can also be used to embed an executable file into
the document. As shown by Darren, such embedded data is not detected by
current AV gateways. This could be abused by websites (and probably HTML
email too) for distributing malware.
DETAILS
Vulnerable Systems:
* Opera version 7.5.4
Immune Systems:
* Internet Explorer version 6
* Firefox version 1.0
* Mozilla version 1.5.4
The attack works by using a URL scheme like this:
<a href="data:application/x-msdos-program;base64,[base64 data]">Click me!</a>
Michael has made an example available which embeds putty.exe. The example
is about 500 kByte of HTML and is available at http://kju.de/misc/putty.html.
Michael's tests with various Windows-based web browsers had the following
results:
* Internet Explorer 6 - Clicking on the link does nothing
* Mozilla version 1.5.4 - Tries to open the "what should I do with that
file" dialog and then hangs; it needs to be killed
* Firefox version 1.0 - Allows saving the data to the hard disk (on Linux
it will also display a lot of rubbish in the save dialog)
* Opera version 7.5.4 - Says that it will open the file with Notepad
(which sounds OK), but will then EXECUTE IT INSTEAD (without further
warning)
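Because the payload travels inside the HTML rather than as a separate download, a gateway has to look inside data: URLs to see it. The following is an added defender-side example (not part of this advisory or Michael's test page): it extracts RFC 2397 data: URLs from an HTML document, decodes them, and flags any that declare an executable media type or that decode to the DOS/PE "MZ" magic regardless of the declared type. The sample HTML, the stub "MZ" blob and the list of executable media types are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 data: URL in a quoted href/src attribute: media type, optional
# ";base64" (and other) parameters, then the payload up to the closing quote.
DATA_URL_RE = re.compile(
    r'(?:href|src)\s*=\s*["\']data:([^;,"\']*)((?:;[^;,"\']*)*),([^"\']*)["\']',
    re.IGNORECASE,
)

# Declared media types that a gateway should never treat as harmless content
# (constructed list; extend to the types your environment cares about).
EXECUTABLE_TYPES = {
    "application/x-msdos-program",
    "application/x-msdownload",
    "application/octet-stream",
}

def decode_data_url(params, payload):
    """Decode a data: URL body: base64 when flagged, else percent-encoded."""
    if ";base64" in params.lower():
        try:
            # validate=False discards the line breaks a mailer may insert.
            return base64.b64decode(payload, validate=False)
        except ValueError:          # bad padding or alphabet: treat as empty
            return b""
    return unquote_to_bytes(payload)

def find_embedded_executables(html):
    """Return (declared_type, size, has_mz_magic) for every data: URL that
    declares an executable type or decodes to bytes starting with "MZ"."""
    findings = []
    for m in DATA_URL_RE.finditer(html):
        media_type = (m.group(1) or "text/plain").lower()   # RFC 2397 default
        blob = decode_data_url(m.group(2), m.group(3))
        has_mz = blob[:2] == b"MZ"                          # DOS/PE header magic
        if media_type in EXECUTABLE_TYPES or has_mz:
            findings.append((media_type, len(blob), has_mz))
    return findings

# Constructed sample: a stub carrying only the "MZ" magic (not a real program),
# embedded the way the advisory describes, next to a harmless 1x1 GIF.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_HTML = (
    '<img src="data:image/gif;base64,R0lGODdhAQABAIAAAAAAAP///ywAAAAAAQABAAACAkQBADs=">\n'
    '<a href="data:application/x-msdos-program;base64,'
    + base64.b64encode(FAKE_PE).decode() + '">Click me!</a>\n'
)
```

Checking the decoded bytes rather than only the declared media type matters because a page can label the same blob as text/plain or image/gif; the MZ check still catches it.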
ADDITIONAL INFORMATION
The information has been provided by Michael Holzt <kju-fd@fqdn.org>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.