Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

WHERE'S THE CA$H: Internet Explorer 6.00. Outlook Express 6.00
From: full-disclosure () lists netsys com (http-equiv () excite com)
Date: Sat, 27 Jul 2002 19:27:48 -0000

Saturday, July 27, 2002

Trivial lead-up to yet another silent delivery and installation of an 
executable on the target computer using Outlook Express 6. This can 
be achieved combining several past possibilities, specifically the 
following:

http://www.securityfocus.com/bid/1033
http://www.securityfocus.com/bid/2456

and here:

http://www.securityfocus.com/bid/4387 

And:

XML. In order to achieve the required results as outlined in the 
above, we must determine the location of the Temporary Internet File 
[TIF] folders.  This can only be achieved if we can physically open 
up our file from within and read its location. Technically that can 
only be achieved if we have a security dialogue prompt asking us for 
permission. For security reasons all embedded and attached files are 
transferred to the TIF upon opening the mail message. If we elect to 
open the file through acceptance of the security warning dialogue, it 
is opened from within the TIF by whatever program is associated with 
that file.

Okay:

Okay. XML. XML files are associated with Internet Explorer. It 
utilises an XML parser to parse the file for display in Internet 
Explorer. These files are peculiar little files that require an 
additional file called a style sheet [*.xsl] in order to process 
scripting and html. To do that, the file must be 'linked' to the XML 
file like so:

 <?xml version="1.0"?> 
<?xml-stylesheet type="text/xsl" href="malware.xsl" ?> 

where malware.xsl can contain our scripting and html.

And:

Well, for security purposes linking to a remote *.xsl fle is 
denied: "permission denied", so instead we force our scripting and 
html  into the XML file and into the XML parser directly:

<?xml version="1.0" ?>
<?xml-stylesheet type="text/css" 
href="http://www.malware.com/malware.css"; ?>
<malware>

<h4 style="position: absolute;top:39;left:expression(alert
(document.location));font-family:arial;font-size:12pt;BACKGROUND-
IMAGE:url('http://www.malware.com/youlickit.gif&apos;);background-
repeat:no-repeat;background-position: 100 30;z-index:-
100;height:200pt;width:400pt;font-family:Verdana;color:red">sure it 
can, malware says so</h4>
</malware>

What this does is generate an error in the XML parser along with our 
html and scripting, and as a consequence, having the file opened up 
from within the TIF by Internet Explorer, we are once again able to 
determine our TIF location. Couple that with the aforementioned past 
possibilities and we are once again in business.

Working Example:

[nothing but text]

http://www.malware.com/cannotindeed.zip


[screen shot: http://www.malware.com/x-ma.png 17KB]

Important Notes:

1.On several test machines, recollection is foggy as to default 
status of *.xml in mail. Possibility is that 'confirm open after 
download' is not default.
2. On several test occasions, scripting was fired in mail and 
remotely on the web site despite 'active scripting off' both, however 
not reproducible consistentantly and may be related to processor 
speed and xml parser delay in parsing combination.
3. Test series of win98 machines, Internet Explorer 6.0.2600 and 
Outlook Express 6.0.2600 bandages and all
4. None.

End Call

-- 
http://www.malware.com











  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]