Bugtraq mailing list archives

carol clickme: Outlook Express 6.00


From: "http-equiv () excite com" <http-equiv () excite com>
Date: Wed, 29 Aug 2001 20:25:39 -0700 (PDT)

Wednesday, August 29, 2001

Trivial file attachment execution on the new Outlook Express 6.00 mail and
news client. This can be achieved with an amount of engineering and all new
so-called security features enabled.

The manufacturer http://www.microsoft.com has done a splendid job (so far) of
beefing up the security of her brand new Outlook Express mail and news
client:

a) default installation with setting in the so-called "restricted zone"
b) ability to "do not allow attachments to be saved or opened that could
potentially be a virus"
c) other "stuff"

Be that as it may, we can still force an attached *.exe file to rear its
ugly head and with an amount of engineering execute! it.

We once again embed our file in base64 inside a simple html frame:

<frameset rows="100%,*">
<frame src="malware.exe">
</frameset>

We then send that as an html mail message to the target computer. Upon
receipt, the *.exe which should be disallowed by the new so-called security
feature, instead asks what the recipient would like to do with it.

(screen shot: http://www.malware.com/ohno.jpg 27KB)

What we do is manipulate the file extension to suggest that what we have on
offer is an innocent file. This coupled with our original message should
prove quite successful.

The problem is three-fold.

1) Even with the new so-called security feature setting: "do not allow
attachments to be saved or opened that could potentially be a virus", by
forcing our file in-between an html frameset, it defeats this so-called
security feature and automatically retrieves the attachment from the temp
file folder inviting the recipient to interact with it.

2) By simply renaming an *.exe to a *.bat, the file if accepted is
automatically opened vs. being asked whether installation should take place
which would then suggest caution.

3) By attaching the constructed mail message to a legitimate mail message,
we can slip in under the so-called new security feature setting: "do not
allow attachments to be saved or opened that could potentially be a virus"
and manipulate the recipient from there. It appears a message/rfc822 is
considered safe by the so-called security feature.

Self Explanatory Working Example:

A 'general purpose' mail message with attached constructed mail message.
Harmless *.exe included.

right-click and save to disk, open in the mail client

http://www.malware.com/nocigar.eml


Notes:

a) Tested on IE6.00 with OE6.00 "RELEASE" version and Windows 98
b) All so-called security settings in both IE6.00 and OE6.00 set to
disable including all new so-called security features ENABLED in the
mail client.
c) Probably does not require to be trojanised and should work if sent
directly to the target computer in one mail message.
d) It appears that only an assembly coded *.exe when changed to a *.bat
functions in this manner.
e) None of this is new. Reference 12 months ago:
http://www.malware.com/yoko.html


---
http://www.malware.com
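
For mail filtering on the receiving side, the following is an added example and not part of the original post: a scanner that walks a message's MIME tree, descends into attached message/rfc822 parts instead of treating them as safe, and reports *.exe / *.bat attachments and frame sources in HTML bodies. The function names, the sample message and the file name notes.bat are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = (".exe", ".bat")  # the two extensions discussed in the post
FRAME_SRC = re.compile(r"""<i?frame\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def scan(part, nested=False):
    """Return (reason, value, inside_attached_message) tuples for one MIME tree."""
    findings = []
    ctype = part.get_content_type()
    name = (part.get_filename() or "").lower()
    if name.endswith(RISKY_EXT):
        findings.append(("executable-attachment", name, nested))
    if ctype == "text/html":
        html = (part.get_payload(decode=True) or b"").decode("latin-1")
        for src in FRAME_SRC.findall(html):
            findings.append(("frame-src", src, nested))
    if part.is_multipart():
        # A message/rfc822 part holds a whole message; descend into it too.
        inside = nested or ctype == "message/rfc822"
        for child in part.get_payload():
            findings.extend(scan(child, inside))
    return findings

def build_sample():
    """Constructed sample: outer mail carrying an inner mail with a .bat part."""
    inner = EmailMessage()
    inner["Subject"] = "constructed inner message"
    inner.set_content('<frameset rows="100%,*"><frame src="notes.bat"></frameset>',
                      subtype="html")
    inner.add_attachment(b"constructed harmless bytes", maintype="application",
                         subtype="octet-stream", filename="notes.bat")
    outer = EmailMessage()
    outer["Subject"] = "constructed outer message"
    outer.set_content("See the attached message.")
    outer.add_attachment(inner)
    return outer.as_bytes()

def scan_eml(raw):
    """Parse raw .eml bytes and scan the resulting MIME tree."""
    return scan(message_from_bytes(raw, policy=policy.default))

if __name__ == "__main__":
    for finding in scan_eml(build_sample()):
        print(finding)
```

The third field of each finding is True when the part sits inside an attached message, which is the case item 3 above describes.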








