lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 09 Jun 2004 00:43:29 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: OBJECT Bugs or Features


"James C Slora Jr" <Jim.Slora@...a.com> wrote:

> Two questions about the recent OBJECT tag assault in spam messages:
> 
> 1. Should an email client process an OBJECT tag that has no corresponding
> /OBJECT?
> 2. Should an email client process an OBJECT tag that is not even embedded
> within HTML tags? 

A more pertinent question to ask first is "What moron would ever design 
an Email client that _could_ render 'active content', let alone 
configure it to do so by default?".  This would be closely followed by 
"What morons would elect to use such a product, even if it is the pre-
installed default Email client in the most widely used OS?".

As the answers to these questions have been horribly clear for years, 
we should move one though, but before we do, one final suggestion to 
make XP SP2 _truly_ worthwhile -- it should uninstall IE and OE, then 
randomly select and install other major third-party web browser and 
Email client...

Anyway, to answer your specific questions...

It is generally considered "good practice" (as a result of the age-old 
stupidity of "be lenient in what you accept", which is a purely anti-
quality and anti-standards position if there ever was one) to assume 
that "end of file" represents termination of any paired HTML tags still 
open, etc, etc.  So, although an example such as that you provided is 
not really "correct" (in that it is "incomplete") it would be expected 
that a browser would at least attempt to do something with such code.

The answer to your second question is really an extension of the issue 
just discussed.  The headers of your example Email message quite 
clearly claim the message is multipart/alternative and the first part 
(with the "incomplete" OBJECT tag) is text/html.  Thus, although the 
body of that MIME component is not a properly formed, complete HTML 
document, the MIME Content-Type: headers provide a fairly strong basis 
for the MUA treating that message component as HTML and displaying it 
accordingly.  Thus, under the "we don't give half a knob of goat sh*t 
for quality, predictability or stability" doctrine (aka "be lenient in 
what you accept..."), a MUA treating the contents of such a message 
component as if the missing "necessary" HTML tags and related 
structures were present is "good practice".

<<snip>>
> Many other messages have Object tags that look like this:
> 
> ~object =
> data=3D"&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#119;&#119;&#119;&#46;&#1=
> 19;&#105;&#108;&#100;&#119;&#105;&#110;&#99;&#97;&#115;&#105;&#110;&#111;=
> &#46;&#110;&#101;&#116;&#47;&#112;&#97;&#103;&#101;&#46;&#112;&#104;&#112=
> ;"~
> 
> Note they mix "=" and "=3D" in addition to not closing the OBJECT tag. The
> hostile site URL is often obfuscated through ASCII HTML encoding.

Note that you have failed to decode the quoted-printable encoding and 
once you do, that final comment makes no sense...

The single "=" at the end of the line means a forced line-wrap for 
formatting reasons (i.e. simply remove the "=" char and the 
(immediately) following line-break) and the "=3D" is the necessary QP-
encoding of the straight "=" chars in the original message stream 
(which must be so encoded to avoid possible ambiguity with QP's special 
use of "=" chars).

RFC 1521 etc...

...

Finally, to all those suddenly jumping up and down about this -- where 
have you been the last few months?  All this stuff has been happening 
for months and months.  Search your recent older months of spam for 
messages with Subject: lines of "YOU WON A FREE VACATION!!!" and 
similar (and with slightly different numbers of plings).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



Powered by blists - more mailing lists