[Esd-l] Extensions to poison: .wmv and possibly .wma

Brett Glass brett at lariat.org
Fri Mar 22 10:15:59 PST 2002 

See the description below for details....

--Brett Glass

>Mailing-List: contact bugtraq-help at securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq at securityfocus.com>
>List-Help: <mailto:bugtraq-help at securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe at securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe at securityfocus.com>
>Delivered-To: mailing list bugtraq at securityfocus.com
>Delivered-To: moderator for bugtraq at securityfocus.com
>From: "GreyMagic Software" <security at greymagic.com>
>To: "Bugtraq" <bugtraq at securityfocus.com>,
>        "NTBugtraq" <NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM>
>Subject: Automatically opening IE + Executing attachments
>Date: Fri, 22 Mar 2002 14:09:24 +0200
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>Importance: Normal
>
>GreyMagic Security Advisory GM#002-IE
>=====================================
>
>By GreyMagic Software, Israel.
>22 Mar 2002.
>
>Available in HTML format at http://security.greymagic.com/adv/gm002-ie/
>
>Topic: Automatically opening IE + Executing attachments.
>
>Discovery date: 15 Mar 2002.
>
>Important note:
>===============
>
>We were not going to release this advisory until 27 Mar 2002 (10 days after
>contacting Microsoft), but since a similar advisory was made public by
>Richard M. Smith we felt that there's no sense in waiting any longer.
>
>
>Affected applications:
>======================
>
>Any application that hosts the WebBrowser control is affected since this
>exploit does not require Active Scripting or ActiveX. Some of these
>applications are:
>
>* Qualcomm Eudora
>* Microsoft Outlook
>* Microsoft Outlook Express
>
>
>Introduction:
>=============
>
>This advisory contains two issues, but since they are closely linked
>together it was decided to release it as one.
>
>The focus will be on the more generic issue, the ability to open the
>Microsoft Internet Explorer application and have it fetch a URL regardless
>of the zone in which the user resides or the application in use.
>
>WMV/WMA stands for Windows Media Video/Audio. It is a proprietary format
>developed by Microsoft for video/audio streaming (also available for offline
>uses).
>
>WMV/WMA generally plays under Windows Media Player and has the ability to
>include a form of script that lets developers control various aspects of the
>movie.
>
>
>Discussion:
>===========
>
>One of the available script features is the URL command, which enables the
>player to open a URL at a specific time in the media's timeline.
>
>This means that even if it is played in the "Restricted zone", it can easily
>open a URL in the "Internet zone" or any other zones in which a URL is known
>to exist and of which the attacker has control over.
>
>A few methods are available for playing WMV/WMA on a web page:
>
>* Windows Media Player, which requires use of the <DEFANGED_object> element - isn't
>usable in the "Restricted zone".
>* The <DEFANGED_embed> element, which is sometimes filtered out (see Eudora).
>* The dynsrc property of the <DEFANGED_IMG> element.
>* And more...
>
>
>Exploit:
>========
>
>A good example of where this issue is dangerous is when an attacker knows
>the path to attached files.
>
>Eudora is a popular email client; by default it uses the WebBrowser control
>for viewing email messages. However, it attempts to secure itself by
>filtering out elements such as <DEFANGED_iframe>, <DEFANGED_object>, <DEFANGED_embed>, etc.
>
>Eudora stores its attachments (by default) in "C:/Program
>Files/Qualcomm/Eudora/Attach", an attacker is likely to guess other paths to
>Eudora, such as different drive letters or similar minor changes.
>
>When an email is sent to Eudora containing the following HTML content:
>
> <!-- <DEFANGED_STYLE>
>a, img { display:none; }
> --> </DEFANGED_STYLE>
>Hello, Eudora.
><DEFANGED_IMG dynsrc="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv">
>
>And the following attachments:
>
>* gmlaunch.wmv (~4 KB)
>* gmbind.html (~1 KB)
>* malicious.exe
>
>The following chain of events occurs:
>
>* The victim receives the email, Eudora automatically copies all attachments
>to "C:/Program Files/Qualcomm/Eudora/Attach" immediately.
>
>* The victim clicks on the email in order to delete it or view it in the
>preview pane.
>
>* The HTML in the email renders, the style sheet removes any sign of the
>attached files (Eudora shows them as <a> elements), the only indication the
>victim has to the fact there are attached files is the little icon next to
>the message.
>
>* The <DEFANGED_IMG> element causes the attached "gmlaunch.wmv" to play, the victim
>sees no sign of any media playing thanks to the style sheet again.
>
>* "gmlaunch.wmv" opens Microsoft Internet Explorer and points it at the
>attached "gmbind.html".
>
>* "gmbind.html" (now in the "My Computer zone") immediately issues a
>"blur()" DOM command, increasing the chance of the victim not to notice it.
>
>* "gmbind.html" then continues to include an <DEFANGED_object> element with its
>codebase attribute pointing at the attached "malicious.exe".
>
>* "malicious.exe" is executed, the attacker now has full control over the
>victim's computer.
>
>All this happens in less than 2 seconds, there is hardly anything the user
>can do to prevent this chain reaction once the email is viewed.
>
>This exploit is not limited to Eudora in any way and can be utilized in any
>application that uses the WebBrowser control (even in the "Restricted zone")
>and has a predictable path to attached files.
>
>Tested and confirmed to work with Qualcomm Eudora 5.1, prior versions may be
>affected as well.
>
>
>Note:
>
>It's theoretically possible to do the same with Outlook and Outlook Express
>by using the cid: protocol instead of the known path. When the URL that
>"gmlaunch.wmv" tries to open is relative (i.e: "some.html" instead of
>"file://c:/some.html") it is opened relatively to the folder which contains
>"gmlaunch.wmv" - the Temporary Internet Files folder in this case.
>
>The rest is pretty similar from there on, except that some well-known
>trickery is needed in order to put the attached files in the temporary files
>folder and that some more scripting is needed on the opened HTML in order to
>parse the path and inject it to the <DEFANGED_object> element.
>
>However, we did not have time to fully test the above with Outlook.
>
>
>Solution:
>=========
>
>Eudora users: Do not use the WebBrowser control to view messages, go to
>Tools -> Options -> Viewing Mail, uncheck "Use Microsoft's viewer". You
>could also change the attachments folder to something unique [1].
>
>Vendors using the WebBrowser control: Under no circumstances use predictable
>paths for foreign attachments.
>
>Microsoft was first informed on 17 Mar 2002, they have opened an
>investigation regarding this issue.
>Qualcomm was informed on the same day, we did not receive a reply.
>
>[1] http://eudora.com/techsupport/kb/2020hq.html
>
>
>Tested on:
>==========
>
>The following tested applications all automatically open Microsoft Internet
>Explorer as a result of running WMV/WMA.
>
>* Microsoft Internet Explorer 5/5.5/6.
>* Qualcomm Eudora 5.1, "Sponsored mode".
>* Microsoft Outlook Express 5/6.
>* Microsoft Outlook 2000.
>
>
>Feedback:
>=========
>
>Please mail any questions or comments to security at greymagic.com.
>
>- Copyright ) 2002 GreyMagic Software.

More information about the esd-l mailing list