22nd Mar 2002 [SBWID-5204]
COMMAND
Outlook/Eudora can execute JavaScript in an HTML email message although
disabled
SYSTEMS AFFECTED
Outlook 2002 Outlook Express Qualcomm Eudora 5.1
PROBLEM
Richard M. Smith [http://www.ComputerBytesMan.com] says :
Windows Media Player (WMP) reintroduces the ability to automatically
execute JavaScript code from an HTML email message in Outlook 2002.
JavaScript is disabled by default in Outlook 2002, because it can
facilitate the creation of worms and other malicious code which is
carried by HTML email messages. Using a number of simple tricks, WMP
can be used to bypass the Outlook security settings and still
automatically execute JavaScript, Java, and ActiveX code in an HTML
email message.
Here is an outline of the steps needed to exploit this problem:
1. An IFRAME tag is inserted into an HTML email message that references
a Windows Media Skin (.WMS) file. The .WMS can be loaded either from a
Web site or from an attached file to the email message using the CID:
protocol. (Note: I have only tested downloading a .WMS file from a Web
site.)
2. Because .WMS files are considered safe by Windows, WMP will
automatically be started by Outlook and it will be passed the .WMS
file.
3. The .WMS file contains a short bit of JavaScript code in an onload
handler which runs a Web page using the player.LaunchURL() method. This
onload handler is automatically executed when WMP opens the .WMS file.
4. The Web page from step 3 can be loaded from a Web site, or the
source code of the Web page can be embedded in the .WMS file using the
"about:" or "javascript:" protocol.
Notes
=====
1. Other WMP file types besides a Windows Media skin file can be used
in step 1. These file types include .WMZ, .WMD, and .WMA files.
2. This problem is more of an example of poor security policies in
Outlook and WMP and is not really a security hole in the classic sense.
3. Outlook Express and earlier versions of Outlook likely have the same
security problem even with all security protections set to the maximum.
4. Hotmail however does not seem to have this security problem because
it discards IFRAME tags. Other Web-based email systems however would
have the same security problem as Outlook if they do not do filtering
of IFRAMEs.
Update (25 March 2002)
======
GreyMagic Software adds [http://security.greymagic.com/adv/gm002-ie/] :
Eudora is a popular email client; by default it uses the WebBrowser
control for viewing email messages. However, it attempts to secure
itself by filtering out elements such as <iframe>, <object>,
<embed>, etc.
Eudora stores its attachments (by default) in "C:/Program
Files/Qualcomm/Eudora/Attach"; an attacker is likely to guess other
paths to Eudora, such as different drive letters or similar minor
changes.
When an email is sent to Eudora containing the following HTML content:
<style>
a, img { display:none; }
</style>
Hello, Eudora.
<img dynsrc="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv">
And the following attachments:
* gmlaunch.wmv (~4 KB)
* gmbind.html (~1 KB)
* malicious.exe
The following chain of events occurs:
* The victim receives the email, Eudora automatically copies all
attachments to "C:/Program Files/Qualcomm/Eudora/Attach" immediately.
* The victim clicks on the email in order to delete it or view it in
the preview pane.
* The HTML in the email renders, the style sheet removes any sign of
the attached files (Eudora shows them as <a> elements), the only
indication the victim has to the fact there are attached files is the
little icon next to the message.
* The <img> element causes the attached "gmlaunch.wmv" to play,
the victim sees no sign of any media playing thanks to the style sheet
again.
* "gmlaunch.wmv" opens Microsoft Internet Explorer and points it at
the attached "gmbind.html".
* "gmbind.html" (now in the "My Computer zone") immediately issues
a "blur()" DOM command, increasing the chance of the victim not to
notice it.
* "gmbind.html" then continues to include an <object> element with
its codebase attribute pointing at the attached "malicious.exe".
* "malicious.exe" is executed, the attacker now has full control over
the victim's computer.
All this happens in less than 2 seconds, there is hardly anything the
user can do to prevent this chain reaction once the email is viewed.
This exploit is not limited to Eudora in any way and can be utilized in
any application that uses the WebBrowser control (even in the
\"Restricted zone\") and has a predictable path to attached files.
Note:
====
It's theoretically possible to do the same with Outlook and Outlook
Express by using the cid: protocol instead of the known path. When the
URL that "gmlaunch.wmv" tries to open is relative (i.e: "some.html"
instead of "file://c:/some.html") it is opened relatively to the
folder which contains "gmlaunch.wmv" - the Temporary Internet Files
folder in this case.
The rest is pretty similar from there on, except that some well-known
trickery is needed in order to put the attached files in the temporary
files folder and that some more scripting is needed on the opened HTML
in order to parse the path and inject it to the <object> element.
Another exploit sample by http-equiv@malware.com
======================
Hereunder is a different technique incorporating both GreyMagic
Software's findings and Richard M Smith's recent findings.
Commence like so:
a) <img src="malware.html">
b) <img src="malware.wma">
c) <img src="malware.exe">
Construct an html mail message and fire it off to the Eudora recipient.
Default install of Eudora includes:
'allow executables in HTML content' DISABLED
'use Microsoft viewer' ENABLED
along with known path name (on win98) of the embedded folder or attach
folder. In this scenario we are embedding the files and expect them to
end up in the embedded folder located here:
C:\Program Files\Qualcomm\Eudora\Embedded
Everything is almost the same as GreyMagic Software's findings except
as follows:
Mail message is received and opened by the recipient. All three
embedded files are transferred silently and instantly to the embedded
folder:
image a) includes the following very simple html code:
<iframe src="malware.wma">
<applet CLASSID='CLSID:11111111-1111' CODEBASE='malware.exe '>
image b) contains our run-of-the-mill 0s media file with script
command URL flip. This url flip points to malware.html. Note any one
of a number of media files can contain this.
image c) is our friendly *.exe
All files now transferred to the embedded folder. We need to access our
malware.html to trigger everything off. How so?
Our old friend, the very simple HTTP-EQUIV meta tag known as refresh:
<meta http-equiv="refresh" content="5; url=C:\Program Files\Qualcomm\Eudora\Embedded\malware.html">
note: with or without 'allow executables in HTML content' the meta
refresh functions as designed.
What happens is, the mail message is viewed, the meta refresh springs
open the malware.html file located in the embedded folder. Because we
have transferred this file through either attachment or embedded it, it
bypasses Eudora's security of stripping questionable html tags
[<object...; <iframe..etc], the malware.html is opened in
Eudora's Microsoft viewer and as Richard M Smith indicates, the
malware.wma is considered safe and automatically opened by the iframe.
This invokes Windows Media Player, which in turn reads the 0s script
command URL flip, which is pointing back to our malware.html, which in
turn also contains our codebase object that fires the malware.exe.
note: <object directly inside malware.html fails because 'allow
executables in HTML content' is still disabled, hence the circuitous
routing via the iframe, opening the media file, url flip back to the
malware.html in the browser outside of the security zone.
All because they are all located inside the embedded folder, with known
location on default installs, which are outside of the IE browser
security settings.
SOLUTION
Recommendations
===============
1. Outlook 2002 should not execute files downloaded by
an HTML IFRAME tag. All file types except for HTML, text,
and image files should be discarded by Outlook 2002
if used in an IFRAME.
2. All WMP file types (.ASX, .WMS, .WMZ, .WMD, .WMA, etc.)
should not be marked safe for opening since many of them
can contain script code.
3. The \"about:\" and \"javascript:\" protocols should be disabled
in the player.LauchURL() method.
Eudora users :
============
Do not use the WebBrowser control to view messages, go to Tools ->
Options -> Viewing Mail, uncheck "Use Microsoft's viewer". You could
also change the attachments folder to something unique :
http://eudora.com/techsupport/kb/2020hq.html
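As an added example (not part of the advisory or any vendor's code), here is a small Python scanner a mail gateway could run over the HTML body to apply the filtering the recommendations above describe: it flags the active elements Eudora strips, meta refresh, and any src/dynsrc/codebase that uses a file:, cid:, about: or javascript: URL or points at one of the WMP file types listed above. The sample message is constructed after the GreyMagic example; the names WMP_EXTENSIONS, ACTIVE_TAGS and scan_html_mail are my own.

```python
from html.parser import HTMLParser

# WMP file types the advisory says Windows treats as "safe" although they can carry script.
WMP_EXTENSIONS = (".asx", ".wms", ".wmz", ".wmd", ".wma", ".wmv")
# Elements Eudora already filters; every chain on this page depends on one of them.
ACTIVE_TAGS = {"iframe", "object", "embed", "applet", "script"}
# Attributes that fetch a resource without a click (the Eudora chain uses dynsrc).
URL_ATTRS = {"src", "dynsrc", "codebase", "data", "lowsrc"}
RISKY_SCHEMES = {"file", "cid", "about", "javascript"}


class MailHtmlScanner(HTMLParser):
    """Collects findings matching the patterns this advisory describes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(f"meta refresh -> {attrs.get('content', '')}")
        for name in sorted(URL_ATTRS.intersection(attrs)):
            self._check_url(tag, name, attrs[name])

    def _check_url(self, tag, name, url):
        u = url.strip().lower()
        scheme = u.split(":", 1)[0] if ":" in u else ""
        if scheme in RISKY_SCHEMES:
            self.findings.append(f"<{tag} {name}> uses {scheme}: URL")
        path = u.split("?", 1)[0].split("#", 1)[0]
        if path.endswith(WMP_EXTENSIONS) or path.endswith(".exe"):
            self.findings.append(f"<{tag} {name}> references {path.rsplit('.', 1)[-1]} file")


def scan_html_mail(html):
    """Return the list of findings; an empty list means nothing to block."""
    p = MailHtmlScanner()
    p.feed(html)
    return p.findings


# Constructed sample modelled on the Eudora message above (no real attachments involved).
SAMPLE = '''<style>a, img { display:none; }</style>
Hello, Eudora.
<img dynsrc="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv">
<meta http-equiv="refresh" content="5; url=C:\\Program Files\\Qualcomm\\Eudora\\Embedded\\malware.html">'''

if __name__ == "__main__":
    for finding in scan_html_mail(SAMPLE):
        print("BLOCK:", finding)
```

A gateway would quarantine or strip the offending elements rather than just log them; the return value gives the reasons to attach to the quarantine notice.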