COMMAND
Outlook
SYSTEMS AFFECTED
Outlook 5.5
PROBLEM
'http-equiv' found the following. Internet Explorer 5.5 and
the accompanying mail and news client afford us the unique ability to
dictate which icons and file extensions we require. Specifically,
we are able to manufacture an email message to appear as one thing
when in fact it is not.
What? By carefully calculating a certain length of characters in
the subject field of an email message, Outlook Express 5.5 for
whatever reason creates an attachment incorporating the text in
the body of the message.
And? We have in fact not attached anything, yet there is a fully
functional attachment. Furthermore we can dictate which file
association and applicable icon we require in order to execute our
file. We can create it to appear as an image file, sound file,
html file etc. etc.
What does this mean:
MIME-Version: 1.0
To: http-equiv@excite.com
Subject:
.hta
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit
This will create an email message with no reference to attachments
in the headers. This can be particularly troublesome to content
filtering gateways and/or security applications that strip
attachments based on header information, i.e. content
disposition: attachment; content-type: application/malware;
filename: iloveyou.vbs
What the above does is create an attachment, which in this case
is an *.hta file, but by manipulating the content-type, it is
given an image file icon. We then include in the body of our
email message the very simple code to execute whatever we wish,
which is automatically incorporated into the manufactured
attachment.
Working example follows. Note: Right-click and save to disk. To
be opened in the mail client. Harmless WSH code to execute
telnet.exe on the local machine:
http://www.malware.com/dropper.eml
The possibilities are endless. Any text based executable will
suffice. It is also trivial to introduce outside code into the
temporary internet folder, where the *.hta is opened. We can draw
an executable into the TIF via the image tag (though it numbers),
and also by the bgsound tag (which is not numbered).
The main problem lies in the fact that we can dictate the icon,
which has always been a goal of the VX community to dupe recipients.
Furthermore, the fact that there is no legitimate header
information for content filtering and security application
screening of attachments etc. is equally problematic.
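The two passages above describe the gap: a gateway that strips attachments only on Content-Disposition / filename headers sees nothing to strip here, because the message is a single part whose top-level Content-Type claims image/gif while the Subject: ends in .hta. As an added example (not code from the advisory or from malware.com), the following Python check looks for exactly that header shape using only the standard library. The message samples are constructed for the example, the body of the spoofed sample is an inert HTML comment, and the check never computes the subject length the trick depends on; it flags the shape, not the size.

```python
"""Constructed gateway check for the header pattern shown in the advisory.

Added example, not the advisory's own code. Flags a single-part message whose
top-level Content-Type claims a media type, that carries no Content-Disposition,
and whose Subject ends in an extension Windows executes when opened.
"""
import base64
import email
import re
from email import policy

# Extensions Windows runs directly when a file is opened (constructed list for this check)
EXECUTABLE_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}

# Leading bytes a body of the declared type should start with
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "audio/x-wav": (b"RIFF",),
}


def check_message(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 822 message; [] means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    ctype = msg.get_content_type()
    single = not msg.is_multipart()
    textual = ctype.startswith("text/")

    # 1. Subject ending in an executable extension (the ".hta" in the advisory)
    m = re.search(r"(\.[A-Za-z0-9]{1,4})\s*$", subject)
    if m and m.group(1).lower() in EXECUTABLE_EXTS:
        findings.append(f"subject ends with executable extension {m.group(1).lower()}")

    # 2. Long whitespace runs used to pad the subject to a chosen length
    if re.search(r"\s{8,}", subject):
        findings.append("subject contains a long run of whitespace padding")

    # 3. Media type at top level with no Content-Disposition: nothing for a
    #    header-only attachment stripper to act on
    if single and not textual and msg.get("Content-Disposition") is None:
        findings.append(f"single-part {ctype} message with no Content-Disposition")

    # 4. Binary media type declared with a text transfer encoding
    cte = str(msg.get("Content-Transfer-Encoding", "7bit")).lower()
    if single and not textual and cte in ("7bit", "8bit"):
        findings.append(f"{ctype} declared with {cte} transfer encoding")

    # 5. Body bytes do not match the declared type's signature
    payload = msg.get_payload(decode=True) or b""
    sigs = MAGIC.get(ctype)
    if sigs is not None and payload and not payload.startswith(sigs):
        findings.append(f"body does not start with a {ctype} signature")

    # 6. Markup inside a body that claims to be an image or sound
    if ctype.startswith(("image/", "audio/")) and re.search(
            rb"<\s*(html|script|object)\b", payload, re.I):
        findings.append("HTML/script markup inside a body declared as media")
    return findings


def verdict(raw: bytes) -> str:
    """Gateway decision: any finding is enough to hold the message."""
    return "quarantine" if check_message(raw) else "deliver"


# Constructed sample modelled on the advisory's header block; the body is an
# inert comment and the padding length is arbitrary, not the trick's value.
PADDING = b" " * 40
SPOOFED = b"".join([
    b"MIME-Version: 1.0\r\n",
    b"To: recipient@example.invalid\r\n",
    b"Subject: holiday photo", PADDING, b".hta\r\n",
    b"Content-Type: image/gif; charset=us-ascii\r\n",
    b"Content-Transfer-Encoding: 7bit\r\n",
    b"\r\n",
    b"<html><!-- constructed placeholder body, contains no script --></html>\r\n",
])

# Constructed controls: an ordinary text message and a genuine GIF attachment
PLAIN = (b"MIME-Version: 1.0\r\nTo: recipient@example.invalid\r\nSubject: lunch?\r\n"
         b"Content-Type: text/plain; charset=us-ascii\r\n\r\nNoon works for me.\r\n")
_GIF = base64.b64encode(b"GIF89a" + b"\x00" * 10)
REAL_GIF = (b"MIME-Version: 1.0\r\nTo: recipient@example.invalid\r\nSubject: logo\r\n"
            b"Content-Type: image/gif\r\n"
            b"Content-Disposition: attachment; filename=\"logo.gif\"\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + _GIF + b"\r\n")

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("plain", PLAIN), ("real gif", REAL_GIF)):
        print(name, verdict(sample), check_message(sample))
```

The point of the two controls is that the rules key on header shape rather than on the subject length, so a genuine single-part GIF attachment (declared as base64, with a Content-Disposition and a real GIF89a signature) passes while the advisory's shape is held on several independent grounds.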
This has been tested on IE5.5 and OE5.5 win98, fully patched and
updated with all so-called service packs.
Notes:
1. There is still the security warning when opening the file.
However, the icon representing the content type should override
most, if not all, concern.
2. The actual file extension (*.hta in this case) seems to have to
appear in the security warning dialogue box; you can see it at
the very end before executing. If the subject length is too long, it
creates an odd *.tx file which calls up a 'what do you want to
open this with' [something to this effect] system prompt.
3. This appears to be somewhat similar to something examined
several months ago:
http://www.malware.com/yoko.html
Quick testing with IE/OE 5.0 suggests you need a 1 char longer
Subject: for this to work on that version (OE Help/About reports
5.00.2314.1300).
Quick testing with Outlook 2000 suggests you need a 3 char shorter
Subject: for this to work on that version (Outlook Help/About
reports 9.0.0.2711). Rather oddly, Outlook 2000 sees such
messages as having two attachments -- with the right Subject:
length both of these "attachments" work as under OE. (This is
standard Office 2000 release -- no SPs or patches.)
Quick testing with Outlook 98 suggests you need a 3 char shorter
Subject: for this to work on that version (Outlook Help/About
reports 8.5.5104.5). Like Outlook 2000, Outlook 98 sees such
messages as having two attachments -- with the right Subject:
length both of these "attachments" work as under OE. If the
Subject: string is a few chars longer (I tried 1 and 3) than
that required for the exploit to work, Outlook 98 causes an IPF
in OUTLMIME.DLL during download of the message from a server
(i.e. before you have a chance to delete the message, and, in
fact, before Outlook has deleted the message from the server), so
this becomes something like that earlier invalid MIME header DoS.
(This is standard Office 98 release -- no SPs or patches -- so
the DoS may be fixed by any patches released to deal with that
earlier bug.)
This exploit seems to be based on some form of buffer overflow.
With some of the mailers above, when the Subject: line is four
chars too short, if you try to save the "attachment" you get a
filename of ".hta.gif", if three chars too short, ".hta.gi" and
so on.
SOLUTION
Nothing yet.