http-equiv_at_excite.com
Date: Wed Jul 24 2002 - 07:49:11 CDT


    Tuesday, July 23, 2002

    Trivial silent delivery and installation of an executable on a target
    computer. This can be accomplished with the default installation of
    the mail client Eudora 5.1.1:

    'allow executables in HTML content' DISABLED
    'use Microsoft viewer' ENABLED

    The manufacturer http://www.eudora.com has done a tremendous job of
    shutting down all possibilities of scripting and all other
    necessaries to achieve the following result. See:

    http://www.securityfocus.com/bid/2490
    http://www.securityfocus.com/bid/2796
    http://online.securityfocus.com/bid/4343

    In the instance of BID4343 under the original discussions of
    GreyMagic Software's findings:

    url: http://online.securityfocus.com/archive/1/263658

    we found at the time, utilising our old friend the very simple HTTP-
    EQUIV meta tag known as refresh remained ungoverned by the security
    settings of Eudora, that is being fully functional with 'allow
    executables in HTML content' disabled. At that time the meta refresh
    would open whatever files it was pointed at, inside the Microsoft
    Viewer of Eudora [inside the email message itself].

    Today we find that while our old friend the very simple HTTP-EQUIV
    meta tag known as refresh still remains ungoverned by the security
    settings of Eudora, it forces open a new browser window instead.
    Furthermore this new window does not appear to accept 'url' protocols
    like about: , javascript: etc.

    Sounds good.

    In addition to these extraordinary measures, hardened security
    warnings are incorporated as well for seemingly innocent files like
    *.html:

    [screen shot: http://www.malware.com/boopra.png 54KB]

    Sounds even better.

    File types appear to open with whatever association has been
    assigned to them e.g. *.txt will open with notepad, *.gif with
    whatever. All through the meta refresh tag:

    Problem:

    is that the manufacturer left out an important file type to consider:
    the *.mhtml file. This is automatically opened by Internet Explorer
    via the meta refresh without any warning whatsoever i.e. the same
    warning given to *.html.

    So What:

    So all we have to do is embed in our mail message [again!] two
    files:

    i) malware.mhtml which contains our active x control
    ii) malware.exe which is our friendly executable

    In the mail message we reference our malware.mhtml with the meta
    refresh tag and point it to our known location on default install of
    Eudora on win98.

    So once [again!] someone receives the mail message, both files
    embedded are silently and instantly transferred to the embedded
    folder. The meta refresh then springs open the *.mhtml file inside
    the embedded folder without warning, in our conveniently opened new
    browser window courtesy of the meta refresh and bang ! it runs the
    *.exe via the active x control.

    Working Example:

    Harmless *.exe incorporated. Tested on win98, with IE6.00 (all of
    its patches and so-called service packs), default Eudora 5.1.1 with:

    'use Microsoft viewer' ENABLED
    'allow executables in HTML content' DISABLED.

    The following is in plaintext. We are unable to figure out how to
    import a single message into Eudora's inbox. Perhaps some bright
    spark knows. Otherwise, incorporate the text sample into a telnet
    session or other and fire off to your Eudora inbox:

    http://www.malware.com/boodora.txt

    Notes: disable 'use Microsoft viewer'

    --
    http://www.malware.com
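A mail-gateway check for the pattern this post describes, added here as an example and not code from the original message or from Eudora: it parses a MIME message, lists attachments with the extensions the post treats as dangerous (.mhtml, .mht, .exe), and flags any meta refresh directive in an HTML part that points at a local path or at such a file. The sample message, the placeholder folder path (not Eudora's real embedded folder) and the function names are constructed assumptions.

```python
import re
from email import message_from_string

# File extensions the post names as dangerous when opened via meta refresh.
RISKY_EXT = (".mhtml", ".mht", ".exe")
META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
IS_REFRESH = re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.IGNORECASE)
URL_IN_CONTENT = re.compile(r"url\s*=\s*([^\"'>\s]+)", re.IGNORECASE)
# file: URLs, drive-letter paths and UNC paths all count as local targets.
LOCAL_TARGET = re.compile(r"^(file:|[a-z]:[\\/]|\\\\)", re.IGNORECASE)

def meta_refresh_targets(html):
    """Return every URL named by a <meta http-equiv="refresh"> tag in the HTML."""
    targets = []
    for tag in META_TAG.findall(html):
        if IS_REFRESH.search(tag):
            targets.extend(URL_IN_CONTENT.findall(tag))
    return targets

def audit_message(raw):
    """Return findings for one RFC 822 message; an empty list means nothing matched."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append("risky attachment: " + name)
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("latin-1", "replace")
            for url in meta_refresh_targets(html):
                if LOCAL_TARGET.match(url) or url.lower().endswith(RISKY_EXT):
                    findings.append("meta refresh to local/risky target: " + url)
    return findings

# Constructed sample: the HTML body's meta refresh points at an .mhtml attachment
# in a placeholder local folder (not Eudora's real path), as the post describes.
SAMPLE = """\
From: sender@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><head><meta http-equiv="refresh" content="0; url=C:\\PLACEHOLDER-EMBEDDED-FOLDER\\sample.mhtml"></head></html>
--b1
Content-Type: application/octet-stream; name="sample.mhtml"
Content-Disposition: attachment; filename="sample.mhtml"

--b1--
"""
```

Calling `audit_message(SAMPLE)` returns two findings (the local .mhtml refresh target and the .mhtml attachment); a message whose refresh points at an ordinary https URL returns none.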