lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: kju-fd at fqdn.org (Michael Holzt)
Subject: Using data: URLs for malware injection


Using data: URL for malware injection

2005/01/11, Michael Holzt, kju -at- fqdn.org
based on work done by Darren Bounds (see text)



As described by Darren Bounds in an earlier posting [1], RFC2397 allows to
embed data into an HTML formatted document. While Darren only used this for
malicious images, i made some further research which shows that this can
also be used to embed an executable file into the document. As shown by
Darren, such embedded data is not detected by current AV gateways. This
could be abused by websites (and probably HTML email too) for distributing 
malware.

The attack works by using an URL scheme like this:

   <a href="data:application/x-msdos-program;base64,
     [base64 data]">Click me!</a>

I've made an example available which embeds putty.exe. The example is about
500 kByte HTML and is available on http://kju.de/misc/putty.html. Please do
not spread this URL outside of this list because of the traffic. Feel free
to copy the example to your own webspace.

My tests with various windows based webbrowsers had the following results:

  - IE6			clicking on the link does nothing

  - Mozilla 1.5.4	will try to open the "what should i do with that" 
			file dialog and then hangs. needs to get killed.

  - Firefox 1.0		allows saving of the data to harddisk
			(on linux it will also display much rubbish
			in the save dialog)

  - Opera 7.5.4		tells that it will open the file with notepad
			(which sounds ok), but will then EXECUTE IT
			INSTEAD (without further warning).

The behaviour of Opera 7.5.4 seems like a major security bug to me. Can
someone else confirm this behaviour?


References:

[1] Posting by Darren Bounds on 2005/01/10,
    <F873C22A-633A-11D9-97DC-000A95820F5E@...rusense.com> 
    http://lists.netsys.com/pipermail/full-disclosure/2005-January/030724.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ