Saturday, July 27, 2002 Trivial lead-up to yet another silent delivery and installation of an executable on the target computer using Outlook Express 6. This can be achieved combining several past possibilities, specifically the following: http://www.securityfocus.com/bid/1033 http://www.securityfocus.com/bid/2456 and here: http://www.securityfocus.com/bid/4387 And: XML. In order to achieve the required results as outlined in the above, we must determine the location of the Temporary Internet File [TIF] folders. This can only be achieved if we can physically open up our file from within and read its location. Technically that can only be achieved if we have a security dialogue prompt asking us for permission. For security reasons all embedded and attached files are transferred to the TIF upon opening the mail message. If we elect to open the file through acceptance of the security warning dialogue, it is opened from within the TIF by whatever program is associated with that file. Okay: Okay. XML. XML files are associated with Internet Explorer. It utilises an XML parser to parse the file for display in Internet Explorer. These files are peculiar little files that require an additional file called a style sheet [*.xsl] in order to process scripting and html. To do that, the file must be 'linked' to the XML file like so: <?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="malware.xsl" ?> where malware.xsl can contain our scripting and html. And: Well, for security purposes linking to a remote *.xsl fle is denied: "permission denied", so instead we force our scripting and html into the XML file and into the XML parser directly: <?xml version="1.0" ?> <?xml-stylesheet type="text/css" href="http://www.malware.com/malware.css" ?> <malware> <h4 style="position: absolute;top:39;left:expression(alert (document.location));font-family:arial;font-size:12pt;BACKGROUND- IMAGE:url('http://www.malware.com/youlickit.gif');background- repeat:no-repeat;background-position: 100 30;z-index:- 100;height:200pt;width:400pt;font-family:Verdana;color:red">sure it can, malware says so</h4> </malware> What this does is generate an error in the XML parser along with our html and scripting, and as a consequence, having the file opened up from within the TIF by Internet Explorer, we are once again able to determine our TIF location. Couple that with the aforementioned past possibilities and we are once again in business. Working Example: [nothing but text] http://www.malware.com/cannotindeed.zip [screen shot: http://www.malware.com/x-ma.png 17KB] Important Notes: 1.On several test machines, recollection is foggy as to default status of *.xml in mail. Possibility is that 'confirm open after download' is not default. 2. On several test occasions, scripting was fired in mail and remotely on the web site despite 'active scripting off' both, however not reproducible consistentantly and may be related to processor speed and xml parser delay in parsing combination. 3. Test series of win98 machines, Internet Explorer 6.0.2600 and Outlook Express 6.0.2600 bandages and all 4. None. End Call -- http://www.malware.com
This archive was generated by hypermail 2b30 : Sun Jul 28 2002 - 01:10:33 PDT
