Network Security
Outlook/Explorer Vulnerability
- From: Owen Creger
- Date: Tue Jun 27 11:12:10 2000
Under certain circumstances, Microsoft Internet Explorer and Outlook/Outlook
Express will download files to the local TEMP directory even if a user has
specifically cancelled a request to do so. The file could then be forcibly
executed via an ActiveX control. For forcible execution, the correct path to
the system's default temp folder must be specified in the ActiveX control,
so paths will be different for 9x, NT, and 2000. All paths in the examples
below are for 9x.

If a malicious web site operator were to embed certain tags in a base 64
encoded HTML frameset, e.g.

    <frameset rows="10%,*">
    <frame src="file.exe" >
    </frameset>

a File Download dialogue box would appear when a user visits the webpage.
This dialogue box would prompt the user to either save or open the file, or
cancel the download altogether. The file will be downloaded to the TEMP
directory regardless of what option a user chooses, including cancel.

This vulnerability still applies even if the Security Zone settings are
configured to disable downloads. In this case, a dialogue box would appear
stating that file downloads are not permitted; however, the file would still
be forcibly downloaded to the TEMP directory.

The second HTML frame would contain an ActiveX control with Class ID being
15589FA1-C456-11CE-BF01-00AA0055595A and a refresh tag, e.g.

    <frameset rows="10%,*">
    <frame src="file.exe" >
    <frame src="file2.mhtml" >
    </frameset>
    <meta http-equiv="refresh" content="5; url=mhtml:file://C:\WINDOWS\TEMP\file2.mhtml">

From here, the file downloaded to the TEMP directory would be executed.

The same results can be achieved by sending two malformed email messages to
a recipient. The first email would consist of an HTML message containing a
batch file, e.g.

    <frameset rows="10%,*">
    <frame src="file.bat" >
    </frameset>

The email recipient would be prompted whether or not they would like to save
or open the file, or cancel the download. As stated above, when choosing any
of these three options, the file will still be downloaded to the TEMP
directory.

The second email would contain a malformed .url file such as:

    Content-Type: application/octet-stream; name="Malformed URL.url"
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="Malformed URL.url"

    [DEFAULT]
    BASEURL=C:\WINDOWS\TEMP\file.bat
    [InternetShortcut]
    URL=C:\WINDOWS\TEMP\file.bat

If the user was deliberately misled to click on the URL, the file downloaded
to the TEMP directory would be then executed.

Owen C. Creger
Senior Network Engineer
Holland Systems, Corp.
950 Victors Way Suite 100
Ann Arbor, MI 48108
phone: 734.663.3737 fax: 734.663.9500
beeper: 517.794.3056
ocreger@holland-systems.com
www.holland-systems.com
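
Added example, not part of the original message: a mail-gateway style check for the two message shapes described above, an HTML part whose frame loads an executable and a .url attachment whose URL or BASEURL points at a local path. The function name, extension list and sample message are assumptions constructed for illustration.

```python
import configparser
import email
import re
from email import policy

EXEC_EXT = (".exe", ".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js")
FRAME_SRC = re.compile(r'<i?frame\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
LOCAL_PATH = re.compile(r'^(?:file:|mhtml:file:|[a-z]:[\\/]|\\\\)', re.I)

def scan_message(raw: bytes) -> list[str]:
    """Return findings for one RFC 822 message (hypothetical helper)."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html":
            # A frame whose source is an executable triggers the download prompt.
            for src in FRAME_SRC.findall(part.get_content()):
                if src.lower().endswith(EXEC_EXT):
                    findings.append(f"frame loads executable: {src}")
        elif name.endswith(".url"):
            # Treat [DEFAULT] as an ordinary section so its keys are inspected too.
            ini = configparser.RawConfigParser(strict=False, default_section="__none__")
            ini.optionxform = str  # keep key case as written in the shortcut
            try:
                ini.read_string(part.get_payload(decode=True).decode("latin-1"))
            except configparser.Error:
                findings.append(f"unparseable shortcut: {name}")
                continue
            for section in ini.sections():
                for key, value in ini.items(section):
                    if key.upper() in ("URL", "BASEURL") and LOCAL_PATH.match(value.strip()):
                        findings.append(f"shortcut {key} targets local path: {value}")
    return findings

# Constructed sample combining both message shapes from the report.
SAMPLE = rb"""Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<frameset rows="10%,*"> <frame src="file.bat" > </frameset>
--B
Content-Type: application/octet-stream; name="Malformed URL.url"
Content-Disposition: attachment; filename="Malformed URL.url"

[DEFAULT]
BASEURL=C:\WINDOWS\TEMP\file.bat
[InternetShortcut]
URL=C:\WINDOWS\TEMP\file.bat
--B--
"""
```

A shortcut whose URL is an ordinary http or https address produces no finding, so the check can run on all inbound mail and quarantine only on a non-empty result.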