Re: Possible Payload inside PDF or HTML files

[Danux <danuxx () gmail com>]

Yeah,

You are really right, its a matter of pointing in the src attribute of
a image to the tracking server,
but only one question as erick () xentek net says, the tracking server
needs to send back an image after making the tracking activities, so i
would like to know in a cgi how to prepare a header to send back an
image?

lets suppose a code: <img src=http://mysite.com/me.cgi?iduser=1

Then in my cgi i need to put something like...

insert id into table
....
more activities...

Then send back the image which was the original request ....

HERE IS MY DOUBT....

set content-type image/gif
what else???????????????


Thanks in advance!!!!!!!!!!!!

On 6/14/07, Alcides <alcides.hercules () gmail com> wrote:
> Yes, exactly.
> Moreover there is a variety of tools as well as services that offer
> tracing back the sent email with the help of an 'invisible'/ 'small'/
> 'invisibly small' image embedded in the HTML or PDF or many Opes Source
> and commercial document formats like  DOC/ ODT/ SXW/ SDW.
>
>  >> Let me tell you that the HTML file looks like a normal one without
>  >> javascript or obfuscation or another malicious payload, only links
>  >> and images,
>
> You can verify this with at least 2 approaches.
> 1-->by simply viewing the source of the html files, look for something
> similar to an image pointing to some external link, where -I suppose
> your requests for displaying the images, are logged. And
> 2-->close everything else except your email and check for outbound
> connections made from your computer to website/s other than the one you
> are checking email from. This can be done by simple 'netstat' command
> with relevant switch/es. You can do it with other utilities that show
> you details about all active inbound and out bound connections from your PC.
> Hope this will help you analyze the situation better.
>
> All the best.
>
>
>
> http://emailtrackerpro.visualware.com/
> security.xentek wrote:
> > There are some rudimentary tracking that can be done in the HTML files,
> > by checking the logs on their server for included images or other
> > external assets referenced with full URLs. You can also use scripts
> > inside the src attribute of img tags, as long as the end result is an
> > image content type... This is done quite commonly with HTML emails where
> > an img src is that of a PHP script (for instance) that records when the
> > script is accessed (and possibly by whom, by coordinating record ids
> > with the emails sent and the script doing the recording), but instead of
> > returning text or something of that nature, it sets the content-type
> > header to image/gif and pushes a 1x1 invisible gif to the client at the
> > end of the routine. However the data that can be collected is probably
> > very rudimentary as I have mentioned, since they are more than likely
> > only recording things like email sent, email opened, and links clicked,
> > to aggregate these as stats to measure the campaign, and is a pretty
> > standard practice with marketing emails and the delivery providers (such
> > as gotcorp or mailchimp).
> >
> >
> >
> >
> > +    eric m.
> > +     http://xentek.net
> > + + + + + + + + + + + + + +
> >
> >
> > "Security is mostly a superstition. It does not exist in nature, nor do
> > the children of men as a whole experience it. Avoiding danger is no
> > safer in the long run than outright exposure. Life is either a daring
> > adventure or nothing." - Helen Keller
> >
> >
> > On Jun 12, 2007, at 8:28 PM, Danux wrote:
> >
> >> Hi experts,
> >>
> >> Is there a way to know if exist a payload inside a PDF or HTML File,
> >>
> >> Let me explain the problem, i marketing company is sending me emails
> >> and is able to know if i open, delete, sent to spam or forward the
> >> message so i think there is a payload inside that files.
> >>
> >>
> >> Is there a tool to look inside PDF files?
> >> Or a Steganos tool to test the images from HTML file?
> >>
> >> What you think?
> >>
> >> Thanks in advance
> >>
> >>
> >>
> >>
> >>
> >> --Danux, CISSP
> >> Chief Information Security Officer
> >> Macula Security Consulting Group
> >> www.macula-group.com
> >
> >


--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com