test for browser vulnerability

From: oncemyway (oncemyway@computers-mn.com)
Date: 09/18/01


From: "oncemyway" <oncemyway@computers-mn.com>
To: <incidents@securityfocus.com>, <bugtraq@securityfocus.com>
Subject: test for browser vulnerability
Date: Tue, 18 Sep 2001 15:17:38 -0500
Message-ID: <000101c1407e$f6cd6f40$be2b87a8@I23T78R1>

Hello-

I became concerned with this after I read someone had actually executed the
code by visiting a web site. (my servers are patched, so I'm not worried
about that)

I have duplicated the readme.eml message, only using notepad.exe instead.

If I use an actual .wav file, readme.eml is opened from the web page and the
wav file opens and plays in media player. If I use notepad.exe
(Content-Type: audio/x-wav), I am prompted as to whether I would like to
download or not. If I select run from current location, it runs notepad.
This is the behavior I would like, so no malicious code runs without me
knowing. However, I am using Media Player 6.4, so I don't know if it makes a
difference.

To create your own readme.eml to test if you are susceptible, follow these
steps:

1. Create a dummy message in OE. You don't have to address it to anyone.
2. Attach notepad.exe.
3. Save as readme.eml
4. Edit the readme.eml with notepad. Find the html body and replace with:

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

5. Find the notepad.exe attachment section. Change Content-Type to
audio/x-wav
6. (necessary?) Remove Content-Disposition:
attachment;filename="NOTEPAD.EXE" header.
7. Add the following header:

Content-ID: <EA4DMGBP9p>

This is apparently to link the iframe <src> tag.

8. Save the file.
9. Create a web page that includes the code:

<script language="JavaScript">
window.open("readme.eml", null, "resizable=yes,top=0,left=0")
</script>

make sure readme.eml is in the same directory.
10. Open the web page and see what happens. Like I said, I was prompted. I
hope you are too because this would be very serious if it could be spread
*that* easy.
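For anyone who wants to check mail or web caches for messages built the way the steps above describe, here is an added detection script (not part of the original post, written independently of it). It parses an .eml with Python's standard `email` module and flags two things the post's readme.eml relies on: an HTML body with an iframe pointing at a `cid:` part, and a part declared as `audio/x-wav` whose decoded payload starts with the PE "MZ" signature. The embedded sample message is constructed for the demonstration and carries a harmless MZ-prefixed stub, not a real executable.

```python
import email
import re
from email import policy

# Constructed sample modelled on the readme.eml layout described in the post:
# a hidden iframe referencing a cid: part that claims to be audio/x-wav but
# whose base64 body begins with the PE "MZ" signature (a few stub bytes only).
SAMPLE_EML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--B1
Content-Type: audio/x-wav
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAA==
--B1--
"""

# Matches <iframe ... src=cid:XYZ ...> after quoted-printable decoding.
CID_IFRAME = re.compile(r'<iframe[^>]*src\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def scan_eml(raw: bytes) -> list:
    """Return human-readable findings for MIME parts that look like the
    mislabelled-executable trick: audio parts carrying a PE image, and
    cid: parts pulled in by an iframe in the HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            referenced.update(CID_IFRAME.findall(part.get_content()))
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        cid = str(part.get("Content-ID", "")).strip("<>")
        if ctype.startswith("audio/") and payload.startswith(b"MZ"):
            findings.append(f"{ctype} part <{cid or 'no Content-ID'}> has an MZ header")
        if cid and cid in referenced:
            findings.append(f"iframe in HTML body references cid:{cid} ({ctype})")
    return findings


if __name__ == "__main__":
    for line in scan_eml(SAMPLE_EML):
        print(line)
```

A clean message (no audio part with an MZ header, no iframe-referenced cid: part) returns an empty list; a message built like the post's readme.eml returns both findings.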

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com