Microsoft Outlook Express Flaw in Parsing XML Using Internet Explorer Allows a Remote User to Silently Deliver and Install an Executable on a Target User's Computer
SecurityTracker Alert ID: 1004862
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 27 2002
Impact: Execution of arbitrary code via network, Modification of system information, User access via network
Exploit Included: Yes
Version(s): 6
Description: A vulnerability was reported in Microsoft Outlook Express. A remote user can send e-mail to a target user to cause an executable file to be silently delivered and installed on the target user's computer. Once installed, the file can be executed.

'http-equiv' reported that several previously disclosed exploit methods can be combined with a new method (described below) to cause Microsoft Outlook Express to install arbitrary executable code on the target user's computer. The exploit involves placing executable content in the Temporary Internet Files (TIF) folder.

According to the report, XML files (on Windows machines) are associated with the Internet Explorer (IE) application and require a style sheet to be linked to the XML file. It is reported that the XSL style sheet can contain HTML and scripting code and can be embedded within the XML file itself to avoid security restrictions, as shown:
<?xml version="1.0" ?>
<?xml-stylesheet type="text/css" href="http://www.malware.com/malware.css" ?>
<malware>
<h4 style="position: absolute;top:39;left:expression(alert(document.location));font-family:arial;font-size:12pt;BACKGROUND-IMAGE:url('http://www.malware.com/youlickit.gif');background-repeat:no-repeat;background-position: 100 30;z-index:-100;height:200pt;width:400pt;font-family:Verdana;color:red">sure it can, malware says so</h4>
</malware>
This code will generate an error in the XML parser but will execute the HTML and scripting. Because the file is opened from within the TIF folder by IE, the scripting code can determine the exact file location. With the knowledge of the specific file location, additional scripting can cause the file to be executed.

A demonstration exploit EML file (in zip format) is available at:
http://www.malware.com/cannotindeed.zip
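A mail-gateway style check for the pattern described in this advisory (and in the posted message below), added here as an example and not part of the advisory or of http-equiv's post: it inspects an XML attachment body for the stylesheet processing instruction, HTML elements nested in the XML, and a CSS expression() in a style attribute, and still flags script-bearing files that fail to parse, since the report notes the XML parser errors out yet IE renders the HTML. The sample XML is constructed after the one shown above; the benign control and the function name are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the XML in the advisory (not the contents of the zip).
SAMPLE_XML = """<?xml version="1.0" ?>
<?xml-stylesheet type="text/css" href="http://www.malware.com/malware.css" ?>
<malware>
<h4 style="position: absolute;top:39;left:expression(alert(document.location));color:red">sure it can</h4>
</malware>"""

# Constructed benign control: local XSL stylesheet, no HTML, no expression().
BENIGN_XML = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="report.xsl"?>
<report><item id="1">ok</item></report>"""

STYLESHEET_PI = re.compile(r"<\?xml-stylesheet\s+([^?]*)\?>", re.I)
PI_ATTR = re.compile(r"(\w+)\s*=\s*[\"']([^\"']*)[\"']")
EXPRESSION = re.compile(r"expression\s*\(", re.I)
HTML_TAGS = {"html", "body", "head", "script", "iframe", "object", "embed", "style", "link",
             "meta", "div", "span", "a", "img", "form", "input", "p", "h1", "h2", "h3", "h4"}

def inspect_xml_attachment(data):
    findings = []
    # 1. Stylesheet processing instructions: a remote href or a text/css type on an
    #    XML file is the hand-off that gets IE to render HTML from inside the XML.
    for m in STYLESHEET_PI.finditer(data):
        attrs = {k.lower(): v for k, v in PI_ATTR.findall(m.group(1))}
        href = attrs.get("href", "")
        if re.match(r"[a-z][a-z0-9+.-]*://", href, re.I):
            findings.append("remote stylesheet: " + href)
        if attrs.get("type", "").lower() == "text/css":
            findings.append("text/css stylesheet PI (HTML-in-XML rendering)")
    # 2. Walk the tree for HTML elements and CSS expression() in style attributes.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        # A parse error does not stop IE rendering the HTML, so fall back to a raw scan.
        findings.append("malformed XML: %s" % err)
        root = None
    if root is not None:
        for el in root.iter():
            tag = el.tag.rsplit("}", 1)[-1].lower()
            if tag in HTML_TAGS:
                findings.append("HTML element <%s> inside XML" % tag)
            for name, value in el.attrib.items():
                if name.lower() == "style" and EXPRESSION.search(value):
                    findings.append("CSS expression() in style attribute of <%s>" % tag)
    elif EXPRESSION.search(data) or re.search(r"<(script|h[1-6]|div|iframe)\b", data, re.I):
        findings.append("script or HTML markup in unparseable XML")
    return {"suspicious": bool(findings), "findings": findings}
```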
Impact: A remote user can silently place arbitrary executable files on the target user's computer. The file can then be executed using other previously disclosed methods.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Cause: Access control error, State error
Underlying OS: Windows (Any)
Reported By: "http-equiv@excite.com" <http-equiv@malware.com>
Message History:
None.

Source Message Contents
Date: Sat, 27 Jul 2002 19:27:48 -0000
From: "http-equiv@excite.com" <http-equiv@malware.com>
Subject: [Full-Disclosure] WHERE'S THE CA$H: Internet Explorer 6.00. Outlook Express 6.00
Saturday, July 27, 2002
Trivial lead-up to yet another silent delivery and installation of an
executable on the target computer using Outlook Express 6. This can
be achieved combining several past possibilities, specifically the
following:
http://www.securityfocus.com/bid/1033
http://www.securityfocus.com/bid/2456
and here:
http://www.securityfocus.com/bid/4387
And:
XML. In order to achieve the required results as outlined in the
above, we must determine the location of the Temporary Internet File
[TIF] folders. This can only be achieved if we can physically open
up our file from within and read its location. Technically that can
only be achieved if we have a security dialogue prompt asking us for
permission. For security reasons all embedded and attached files are
transferred to the TIF upon opening the mail message. If we elect to
open the file through acceptance of the security warning dialogue, it
is opened from within the TIF by whatever program is associated with
that file.
Okay:
Okay. XML. XML files are associated with Internet Explorer. It
utilises an XML parser to parse the file for display in Internet
Explorer. These files are peculiar little files that require an
additional file called a style sheet [*.xsl] in order to process
scripting and html. To do that, the file must be 'linked' to the XML
file like so:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="malware.xsl" ?>
where malware.xsl can contain our scripting and html.
And:
Well, for security purposes linking to a remote *.xsl file is
denied: "permission denied", so instead we force our scripting and
html into the XML file and into the XML parser directly:
<?xml version="1.0" ?>
<?xml-stylesheet type="text/css" href="http://www.malware.com/malware.css" ?>
<malware>
<h4 style="position: absolute;top:39;left:expression(alert(document.location));font-family:arial;font-size:12pt;BACKGROUND-IMAGE:url('http://www.malware.com/youlickit.gif');background-repeat:no-repeat;background-position: 100 30;z-index:-100;height:200pt;width:400pt;font-family:Verdana;color:red">sure it can, malware says so</h4>
</malware>
What this does is generate an error in the XML parser along with our
html and scripting, and as a consequence, having the file opened up
from within the TIF by Internet Explorer, we are once again able to
determine our TIF location. Couple that with the aforementioned past
possibilities and we are once again in business.
Working Example:
[nothing but text]
http://www.malware.com/cannotindeed.zip
[screen shot: http://www.malware.com/x-ma.png 17KB]
Important Notes:
1. On several test machines, recollection is foggy as to default
status of *.xml in mail. Possibility is that 'confirm open after
download' is not default.
2. On several test occasions, scripting was fired in mail and
remotely on the web site despite 'active scripting off' both, however
not reproducible consistently and may be related to processor
speed and xml parser delay in parsing combination.
3. Test series of win98 machines, Internet Explorer 6.0.2600 and
Outlook Express 6.0.2600 bandages and all
4. None.
End Call
--
http://www.malware.com