Subject: Re: possible new "e-mail virus" concept ? + bypassing IE settings
From: Jaro Sterbik-Lamina (jaro@HALLOWEB.AT)
Date: Wed May 17 2000 - 09:16:16 CDT
- Next message: Steve: "L0pht Advisory - AntiSniff DNS overflow"
- Previous message: Zoa_Chien: "possible new "e-mail virus" concept ? + bypassing IE settings"
- Maybe in reply to: Zoa_Chien: "possible new "e-mail virus" concept ? + bypassing IE settings"
- Next in thread: Josemiguel.Gil@ICEX.ES: "Re: possible new "e-mail virus" concept ? + bypassing IE settings"
- Maybe reply: Jaro Sterbik-Lamina: "Re: possible new "e-mail virus" concept ? + bypassing IE settings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Great idea!
As far as I remember it's also possible to call JavaScript or ActiveX from
an image tag within an HTML page. I think this was a problem a while ago for
users of web-based e-mail services like Microsoft's Hotmail. With something
like that, you could do a lot of damage, too.
During the past days/weeks when ILOVEYOU hit e-mail users around the
world I wondered whether it's possible to call a virus script by embedding
it into an HTML mail. Most mail clients will display an HTML-formatted mail
without asking further questions. Embedding a JavaScript into a mail
shouldn't be too difficult...
That's why I like the possibility to turn off JavaScript for mails
separately from the browser (like it's found in Netscape...)
rgds,
jaro
-----Original Message-----
From: Zoa_Chien <zoa_chien@INAME.COM>
To: win2ksecadvice@LISTSERV.NTSECURITY.NET <win2ksecadvice@LISTSERV.NTSECURITY.NET>
Date: Wednesday, 17 May 2000 15:30
Subject: possible new "e-mail virus" concept ? + bypassing IE settings
>Alternative approach for writing e-mail viruses??
>--------------------------------------------------------------------
>
>Disclaimer:
>-----------
>
>None of this got tested, and chances are big that not everything will function.
>Everything I wrote is purely hypothetical, but I guess some ideas might be
>useful to know.
>(Please e-mail me if you did some testing on this, I don't have the time to
>test this myself.... (exams))
>
>Background: (Skip this if you don't have the time)
>-----------------
>
>While looking for a way to bypass the Internet Explorer (I.E.) security
>setting that disables all downloads a while ago, I noticed that I.E.
>automatically downloads image files (unless you have images disabled)
>and stores them in the "Temporary Internet Files" folder.
>
>I did some testing on how I.E. (IE5, Win98) handles those image files and found
>that it downloads the first few bytes, checks for a valid image file header
>and if the header is present, it will download the rest of the file.
>And when the complete file is downloaded it will try to show the image.
>
>So, I took an executable file, and changed the first 2 bytes
>(MZ) to BM with a hex editor (or edit.com /b) and then inserted this filename
>(renamed to file.bmp) as image source in an HTML page.
>
>When opening this page in I.E., the complete file got downloaded (I.E. assumed
>this was a .BMP file), however it showed a red cross in I.E. like the ones
>you get with image not found.
>If I changed the BM back to MZ and renamed it back to file.exe I was able to
>run this program, I even did a binary file compare and it was exactly the
>same as the original one. (So no stripping occurred.)
>
>(I noticed that in NT4 things are different, since the temporary internet files
>located in /winnt/profiles/admin/Local settings/ is a special directory type,
>could someone give me more info on this type of dir?)
>I guess similar things will occur in other web browsers.
>
>--
>
>Virus concept: (not tested)
>--------------
>
>Meanwhile, I noticed that the image files for I.E. don't need to have a valid
>image file extension, anything will work fine. (And IE uses temporary files with
>the same name as the original files.)
>
>So, why not send someone a virus.bat file, as image in an HTML mail. The first
>2 bytes in the .bat file should be BM (or any other image file header).
>We all know that when an error occurs in a .bat file all it will do is say:
>"bad command or file name" and will continue with the next line, so writing this
>BM in the beginning won't hurt.
>
>Hmmm.. let's see: what can I do with .bat files... pretty much, but I prefer
>.exe files.
>Not a problem: with debug.exe I can dump executable files as hex in an
>ASCII file, and back to .exe.
>So, in the .bat file I will use some ECHO commands >> filehex.txt to create
>the hex file.
>Next line in the .bat file should contain the command line parameters for
>debug to create this .exe file.
>And the last line should execute this .exe file.
>
>Example of how the .bat file should look:
>
>-BOF-
>BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd (this will cause an error, but who cares)
>ECHO 22 EF SD E3 FE AD >> filehex.txt (should append, not overwrite)
>ECHO 1D A6 E6 .... >> filehex.txt
>...
>debug -xxxxx filehex.txt file.exe (I don't remember the correct parameters)
>file.exe
>-EOF-
>
>Of course, we would like this batch file to get executed automatically.
>
>This was not tested, but I think it might be possible to make a custom
>HTTP server that thinks "/../../../../../../file.bat" (or maybe "c:\file.bat")
>is valid, and when asked to send this file, it will not try to look in lower
>dirs to find the file, but simply will upload the file to the client.
>
>(I could use some %codes in the filename in the .html to scramble the dir and
>fool I.E.)
>That way, we might be able to save the temporary files in other dirs than
>"the Temporary Internet Files" folder.
>
>If we are able to save the filename as c:\autoexec.bat we could let the file
>execute on the next bootup.
>
>Enjoy!
>
>Final note: maybe it is possible to create valid .com files with a valid
>image file header.
>(From good ol' times, I remember it was possible to give a .com file a "PK"
>as first 2 bytes at the beginning of the file, thus avoiding getting scanned, just
>check the ASM meaning of the image file headers.)
>
>
>Zoa_Chien (zoa_chien@iname.com)
>
>-
>Vanheuverzwijn Joachim
>www.securax.org
>-
>
>_____________________________________________________________________
>** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
>** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
>SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
>
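The header swap Zoa_Chien describes above (overwrite the PE "MZ" signature with the BMP magic "BM" so a browser that only sniffs the leading bytes fetches and caches the file as an image), as an added example that is not part of the original thread and not either author's code. It builds a constructed stand-in executable (a DOS stub whose e_lfanew field points at a "PE\0\0" signature) and a constructed 1x1 24-bit BMP, runs both through a two-byte sniffer modelled on the IE behaviour the post reports, and then shows what a structural check sees instead: the BMP file-size and pixel-offset fields of the masked file do not match the data, and the PE signature is still reachable through offset 0x3c no matter what the first two bytes say. The sniffer, the validator, the sample bytes and all function names are assumptions made for illustration, not IE's code or the original poster's tooling.

```python
"""Constructed demonstration: magic-byte sniffing vs. a structural content check.

Everything here is synthetic; no real binaries or images are embedded.
"""
import struct
from typing import Optional

# Leading-magic table a naive sniffer might use (assumption for illustration).
IMAGE_MAGICS = {
    b"BM": "image/bmp",
    b"\x89P": "image/png",     # first two bytes of the PNG signature
    b"GI": "image/gif",
    b"\xff\xd8": "image/jpeg",
}


def sniff_two_bytes(data: bytes) -> Optional[str]:
    """Naive sniffer: trusts only the first two bytes, as the post describes IE doing."""
    return IMAGE_MAGICS.get(data[:2])


def validate_bmp(data: bytes) -> bool:
    """Structural check of BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER fields."""
    if len(data) < 14 + 40 or data[:2] != b"BM":
        return False
    bf_size, _res1, _res2, bf_off = struct.unpack_from("<IHHI", data, 2)
    if bf_size != len(data) or not (14 <= bf_off < len(data)):
        return False
    dib_size, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    if dib_size not in (40, 52, 56, 108, 124) or planes != 1:
        return False
    if width <= 0 or height == 0 or bpp not in (1, 4, 8, 16, 24, 32):
        return False
    if bf_off < 14 + dib_size:
        return False
    row_bytes = ((width * bpp + 31) // 32) * 4   # rows are padded to 4 bytes
    return bf_off + row_bytes * abs(height) <= len(data)


def hidden_pe_header(data: bytes) -> bool:
    """True if a PE header is reachable via e_lfanew (offset 0x3c), ignoring the magic."""
    if len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def mask_as_bmp(pe: bytes) -> bytes:
    """What the post did with a hex editor: MZ -> BM, nothing else changed."""
    return b"BM" + pe[2:]


def unmask(blob: bytes) -> bytes:
    """Reverse of mask_as_bmp: restore the MZ signature."""
    return b"MZ" + blob[2:]


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: DOS stub with e_lfanew -> 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(64)


def build_tiny_bmp() -> bytes:
    """Constructed 1x1 24-bit BMP: 14-byte file header, 40-byte DIB header, one 4-byte row."""
    pixels = b"\x00\x00\xff\x00"                 # one red pixel (BGR) + row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    total = 14 + len(dib) + len(pixels)
    hdr = b"BM" + struct.pack("<IHHI", total, 0, 0, 14 + len(dib))
    return hdr + dib + pixels


def classify(data: bytes) -> str:
    """Verdict a content filter should reach instead of trusting the leading magic."""
    if hidden_pe_header(data):
        return "executable (masked)" if data[:2] != b"MZ" else "executable"
    if validate_bmp(data):
        return "bmp"
    return "unknown"


if __name__ == "__main__":
    pe = build_fake_pe()
    masked = mask_as_bmp(pe)
    for name, blob in (("real bmp", build_tiny_bmp()), ("masked pe", masked)):
        print(f"{name:10} sniff={sniff_two_bytes(blob)!s:10} verdict={classify(blob)}")
    assert unmask(masked) == pe      # the post's round trip: BM -> MZ gives the original back
```

Run it as a script to see the two verdicts side by side. The sniffer calls the masked executable "image/bmp" exactly as the post reports; the structural check rejects it because bfSize (bytes 2..6, which in a PE are part of the DOS header) does not equal the file length, and the e_lfanew check identifies it as a PE regardless of its first two bytes. The same file-size and pixel-offset mismatch is what gives away the .bat variant the post proposes, since a text file that merely starts with "BM" cannot carry consistent BMP header fields.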