RE: Automatically opening IE + Executing attachments

["jelmer" <jelmer () kuperus xs4all nl>]

Files started from the temporary internet folder even by double clicking
on them by hand, are started in the internet zone (ie6 + win xp both
patched to the max)
thus the eudora scenario does not apply to outlook / outlook express

-----Original Message-----
From: GreyMagic Software [mailto:security () greymagic com] 
Sent: vrijdag 22 maart 2002 13:09
To: Bugtraq; NTBugtraq
Subject: Automatically opening IE + Executing attachments

GreyMagic Security Advisory GM#002-IE
=====================================

By GreyMagic Software, Israel.
22 Mar 2002.

Available in HTML format at http://security.greymagic.com/adv/gm002-ie/

Topic: Automatically opening IE + Executing attachments.

Discovery date: 15 Mar 2002.

Important note:
===============

We were not going to release this advisory until 27 Mar 2002 (10 days
after
contacting Microsoft), but since a similar advisory was made public by
Richard M. Smith we felt that there's no sense in waiting any longer.


Affected applications:
======================

Any application that hosts the WebBrowser control is affected since this
exploit does not require Active Scripting or ActiveX. Some of these
applications are:

* Qualcomm Eudora
* Microsoft Outlook
* Microsoft Outlook Express


Introduction:
=============

This advisory contains two issues, but since they are closely linked
together it was decided to release it as one.

The focus will be on the more generic issue, the ability to open the
Microsoft Internet Explorer application and have it fetch a URL
regardless
of the zone in which the user resides or the application in use.

WMV/WMA stands for Windows Media Video/Audio. It is a proprietary format
developed by Microsoft for video/audio streaming (also available for
offline
uses).

WMV/WMA generally plays under Windows Media Player and has the ability
to
include a form of script that lets developers control various aspects of
the
movie.


Discussion:
===========

One of the available script features is the URL command, which enables
the
player to open a URL at a specific time in the media's timeline.

This means that even if it is played in the "Restricted zone", it can
easily
open a URL in the "Internet zone" or any other zones in which a URL is
known
to exist and of which the attacker has control over.

A few methods are available for playing WMV/WMA on a web page:

* Windows Media Player, which requires use of the <object> element -
isn't
usable in the "Restricted zone".
* The <embed> element, which is sometimes filtered out (see Eudora).
* The dynsrc property of the <img> element.
* And more...


Exploit:
========

A good example of where this issue is dangerous is when an attacker
knows
the path to attached files.

Eudora is a popular email client; by default it uses the WebBrowser
control
for viewing email messages. However, it attempts to secure itself by
filtering out elements such as <iframe>, <object>, <embed>, etc.

Eudora stores its attachments (by default) in "C:/Program
Files/Qualcomm/Eudora/Attach", an attacker is likely to guess other
paths to
Eudora, such as different drive letters or similar minor changes.

When an email is sent to Eudora containing the following HTML content:

<style>
a, img { display:none; }
</style>
Hello, Eudora.
<img dynsrc="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv">

And the following attachments:

* gmlaunch.wmv (~4 KB)
* gmbind.html (~1 KB)
* malicious.exe

The following chain of events occurs:

* The victim receives the email, Eudora automatically copies all
attachments
to "C:/Program Files/Qualcomm/Eudora/Attach" immediately.

* The victim clicks on the email in order to delete it or view it in the
preview pane.

* The HTML in the email renders, the style sheet removes any sign of the
attached files (Eudora shows them as <a> elements), the only indication
the
victim has to the fact there are attached files is the little icon next
to
the message.

* The <img> element causes the attached "gmlaunch.wmv" to play, the
victim
sees no sign of any media playing thanks to the style sheet again.

* "gmlaunch.wmv" opens Microsoft Internet Explorer and points it at the
attached "gmbind.html".

* "gmbind.html" (now in the "My Computer zone") immediately issues a
"blur()" DOM command, increasing the chance of the victim not to notice
it.

* "gmbind.html" then continues to include an <object> element with its
codebase attribute pointing at the attached "malicious.exe".

* "malicious.exe" is executed, the attacker now has full control over
the
victim's computer.

All this happens in less than 2 seconds, there is hardly anything the
user
can do to prevent this chain reaction once the email is viewed.

This exploit is not limited to Eudora in any way and can be utilized in
any
application that uses the WebBrowser control (even in the "Restricted
zone")
and has a predictable path to attached files.

Tested and confirmed to work with Qualcomm Eudora 5.1, prior versions
may be
affected as well.


Note:

It's theoretically possible to do the same with Outlook and Outlook
Express
by using the cid: protocol instead of the known path. When the URL that
"gmlaunch.wmv" tries to open is relative (i.e: "some.html" instead of
"file://c:/some.html") it is opened relatively to the folder which
contains
"gmlaunch.wmv" - the Temporary Internet Files folder in this case.

The rest is pretty similar from there on, except that some well-known
trickery is needed in order to put the attached files in the temporary
files
folder and that some more scripting is needed on the opened HTML in
order to
parse the path and inject it to the <object> element.

However, we did not have time to fully test the above with Outlook.


Solution:
=========

Eudora users: Do not use the WebBrowser control to view messages, go to
Tools -> Options -> Viewing Mail, uncheck "Use Microsoft's viewer". You
could also change the attachments folder to something unique [1].

Vendors using the WebBrowser control: Under no circumstances use
predictable
paths for foreign attachments.

Microsoft was first informed on 17 Mar 2002, they have opened an
investigation regarding this issue.
Qualcomm was informed on the same day, we did not receive a reply.

[1] http://eudora.com/techsupport/kb/2020hq.html


Tested on:
==========

The following tested applications all automatically open Microsoft
Internet
Explorer as a result of running WMV/WMA.

* Microsoft Internet Explorer 5/5.5/6.
* Qualcomm Eudora 5.1, "Sponsored mode".
* Microsoft Outlook Express 5/6.
* Microsoft Outlook 2000.


Feedback:
=========

Please mail any questions or comments to security () greymagic com.

- Copyright C 2002 GreyMagic Software.