Message-ID: <F22493275DA6AF41937802596110548D0FF380@reset4.felines.org>
From: libove at felines.org (Jay Libove)
Subject: Xmas virus on the cards ?

This seems to take advantage of an IE 6.0 (prior to Windows XP SP2)
"feature"...

http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp

In short, when IE is NOT given any other hints as to the type of content of
a particular link - that is, the link does not come from <A IMG...> or an
HTML email message with MIME type information in it, but simply is pointed
right at http://foo.com/I_am_not_really_an_image.JPG - IE will evaluate the
header bytes of the object, a la the UNIX "file" command, and if it is one
of I think 28 formats that IE can puzzle out, IE will "helpfully" launch it
with the "correct" handler application.

This is clearly taking "serve pedantically, accept openly" waaaay too far.

Actually, even Microsoft realizes this. Our named MS support rep told me
that XP SP2 will address this. I hope he means that it will totally remove
this Bad Idea(TM) from IE, but only time will tell that.

Simple example, put up a copy of something_innocuous.exe and label it
something_innocuous.jpg and then point your web browser straight at
http://the.host/something_innocuous.jpg.  It won't appear as a broken JPG
image - it will ask you if you want to open or save the executable...

-Jay Libove, CISSP

-----Original Message-----
From: security squirrel [mailto:secsquirrel@...os.com] 
Sent: Thursday, December 18, 2003 7:59 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Xmas virus on the cards ?


Hi all - 

I noticed this article at http://www.vnunet.com/News/1151553 and it looks
alarming - however did not find any more details. 

If I understand well an HTML file is renamed to JPG and attached to an
email. However I did not manage to reproduce this. 

This is my summary of the article: 

1. xmas card emails to LEAD to innocent images which are not images but have
viruses

2. Mail Filtering systems should handle images just like HTML files +
educate

3. ISS reports that this was on a hacker mailing list 

4. techniques to bypass firewalls by MISLABELLING html files as JPGs

5. Steven Darrall is a senior consultant at ISS X-Force Security Assessment
Services

6. The problem is caused by Microsoft's Internet Explorer (IE) web browser
automatically opening files labelled with .jpg or .gif extensions.

7. Hackers have posted a proof-of-concept file in which the content was a
script that caused the browser to download and install a virus according to
Darrall

8. The site serving the virus has since been shut down


Is the image an attachment or is it simply a link to a .jpg file on an HTTP
server? Did anyone manage to reproduce this or can point to the original
post on the "hacker mailing list" which describes this?

- Sec-Squirrel :)





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
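
Added example, not part of the original thread: a filter-side check, in the spirit of item 2 of the quoted summary, that compares a file's leading bytes with the type its extension claims and flags the .exe-labelled-as-.jpg and HTML-labelled-as-image cases discussed above. The function names, the signature list and the sample bytes are constructed assumptions for illustration.

```python
import os

# Well-known leading-byte signatures; the HTML test is a heuristic on markup
# found in the first 512 bytes (assumption: enough for a coarse filter).
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<body", b"<iframe")
CLAIMED = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png"}

def sniff(head: bytes) -> str:
    """Coarse content type from the first bytes, in the manner of file(1)."""
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"MZ"):
        return "pe-executable"
    if any(m in head[:512].lower() for m in HTML_MARKERS):
        return "html"
    return "unknown"

def check_label(filename: str, head: bytes):
    """Return (verdict, claimed, sniffed); verdict: ok, mismatch or unlisted."""
    claimed = CLAIMED.get(os.path.splitext(filename)[1].lower())
    sniffed = sniff(head)
    if claimed is None:
        return ("unlisted", None, sniffed)
    # Fail closed: anything that is not the claimed image type is a mismatch.
    return ("ok" if sniffed == claimed else "mismatch", claimed, sniffed)

# Constructed sample inputs (first bytes only, not real files).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("something_innocuous.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("xmas_card.gif", b"<HTML><BODY><SCRIPT>/* placeholder */</SCRIPT>"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, check_label(name, head))
```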

