anomy-list

RFC: Defanging of subject lines?

From: Bjarni R. Einarsson (08991@xyz.molar.is)
Date: Thu 18 Jan 2001 - 09:21:45 UTC


Hi guys,

I've got a pending 1.35 release, but I wanted to discuss one of its
new features with y'all first.

It has come to my attention (see the attached messages) that Outlook
Express and perhaps other versions of Outlook may sometimes interpret
the message subject as a file name, and will in fact use that
*instead* of the part's MIME-type.

This is a pretty serious issue, since it allows attackers to disguise
just about anything as an "image/gif" (for example) and slip it through
the sanitizer, but still have it executed as something dangerous on the
client's machine. There are also certain social-engineering aspects
involved, which are discussed below.

The easiest way to deal with this is to just defang subject lines that
look like file names (end in a 1-4 letter extension). The pending
sanitizer release will mangle:

  Subject: foo.txt

Into:

  Subject: foo.txt-DEFANGED[1]

So my question is... is this a terrible idea? Are subject lines
sacred? :-) Obviously, I could make it configurable, but even if I do
I would want to have it active by default. What do you think?

Details about the exploit and my opinions on it follow:

----- Forwarded message from "John D. Hardin" <09074@xyz.molar.is> -----

From: "John D. Hardin" <09074@xyz.molar.is>
To: Email Security Announce list <09114@xyz.molar.is>
Subject: [Esa-l] HTML.dropper (fwd)
Date: Thu, 18 Jan 2001 00:09:06 -0800 (PST)

How in the world could MS possibly have written the mail program such
that it would interpret a long subject as an attachment name? BO,
anyone?

So what do we do? Arbitrarily limit all headers to 256 characters?

Sigh.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 09074@xyz.molar.is      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.
                                  -- Charles Murray
-----------------------------------------------------------------------
   17 days until she returns

---------- Forwarded message ----------
Date: Wed, 17 Jan 2001 09:09:14 -0800
From: "09153@xyz.molar.is" <09153@xyz.molar.is>
To: 09194@xyz.molar.is
Subject: HTML.dropper

Internet Explorer 5.5 and accompanying mail and news client afford us the unique ability to dictate which icons and file extensions we require. Specifically, we are able to manufacture an email message to appear as one thing when in fact it is not:

1. What?

By carefully calculating a certain length of characters in the subject field of an email message, Outlook Express 5.5 for whatever reason creates an attachment incorporating the text in the body of the message.

2. And

We have in fact not attached anything, yet there is a fully functional attachment. Furthermore we can dictate which file association and applicable icon we require in order to execute our file. We can create it to appear as an image file, sound file, html file etc. etc.

3. What does this mean:

  MIME-Version: 1.0
  To: 09153@xyz.molar.is
  Subject: .hta
  Content-Type: image/gif; charset=us-ascii
  Content-Transfer-Encoding: 7bit

This will create an email message with no reference to attachments in the headers. This can be particularly troublesome to content filtering gateways and/or security applications that strip attachments through header information such as "Content-Disposition: attachment; filename: iloveyou.vbs" or "Content-Type: application/malware".

What the above does is create an attachment, which in this case is an *.hta file, but by manipulating the content-type, it is given an image file icon. We then include in the body of our email message the very simple code to execute whatever we wish, which is automatically incorporated into the manufactured attachment.

4. Working example below.

Note: Right-click and save to disk. To be opened in the mail client. Harmless WSH code to execute telnet.exe on the local machine.

http://www.malware.com/dropper.eml

5. The possibilities are endless. Any text based executable will suffice. It is also trivial to introduce outside code into the temporary internet folder, where the *.hta is opened. We can draw an executable into the TIF via the image tag (though it numbers), and also by the bgsound tag (which is not numbered).

The main problem lies in the fact that we can dictate the icon, which has always been a goal of the VX community to dupe recipients. Furthermore, the fact that there is no legitimate header information for content filtering and security application screening of attachments etc. is equally problematic.

Tested on IE5.5 and OE5.5, Win98, fully patched and updated with all so-called service packs.

Notes:

1. There is still the security warning when opening the file. However, the icon representing the content type should override most, if not all, concern.

2. The actual file extension (*.hta in this case) seems to have to appear in the security warning dialogue box; you can see it at the very end to execute. If the subject length is too long, it creates an odd *.tx file which calls up the 'what do you want to open this with' [something to this effect] system requirement.

3. This appears to be somewhat similar to something examined several months ago:

http://www.malware.com/yoko.html

=== Irrelevant Notes:

a. We don't mind multi-million dollar security companies cutting and pasting our working examples into test sites to promote their products, but you can at least acknowledge whose creation it is.

b. We received numerous unsolicited offerings to acquire our domain, ranging from ridiculous quantums of currency to bizarre JV proposals. We will examine for the next several months proposals under both circumstances and should anyone have genuine interest, contact 09239@xyz.molar.is, all communications will be held in the strictest of confidence. Time-wasters will be shown the door however.

end call ===

--- http://www.malware.com


----- End forwarded message -----

----- Forwarded message from "Bjarni R. Einarsson" <08991@xyz.molar.is> -----

Date: Thu, 18 Jan 2001 08:46:24 +0000
From: "Bjarni R. Einarsson" <08991@xyz.molar.is>
To: "John D. Hardin" <09074@xyz.molar.is>
Cc: Email Security Announce list <09114@xyz.molar.is>
Subject: Re: [Esa-l] HTML.dropper (fwd)
X-Mailer: Mutt 1.0i

On 2001-01-18, 00:09:06 (-0800), John D. Hardin wrote:
>
> How in the world could MS possibly have written the mail program such
> that it would interpret a long subject as an attachment name? BO,

It's User Friendly! :)

> So what do we do? Arbitrarily limit all headers to 256 characters?

I think this particular problem can be defanged simply by *appending* the word "DEFANGED" to unusually long subject lines. Hopefully few mailers will make stupid assumptions about subject lengths, but appending this word will remove any odd chance that the Subject's last few characters get interpreted as an extension name.

Actually, though, I'm somewhat sceptical of the validity of the Bugtraq post you quoted. I suspect the Subject: line isn't really important here - what's important is that Microsoft products tend to ignore MIME types, when it comes to actually executing/displaying something.

For example, it has long been known that Internet Explorer will ignore the MIME type of a file it downloads. Just try renaming one of your web pages to .txt and viewing it. It'll still appear as HTML.

So my theory is:

1. MIME type dictates icon, in the example case image/gif.
2. "Magic" check on contents dictates how it is run - which is *not* image/gif in this exploit.

It may be that fixing the Subject line provides some of the info used by the "magic" check - but this exploit may *not* depend on the contents of the Subject line alone.

This brings me back full-circle to my previous ponderings on making my sanitizer do magic checks of its own, and reject, mangle or defang messages where the actual contents don't match the MIME headers... which is hard to do, but would work against this sort of stupidity.

Of course, verifying this little theory of mine will take some experimentation. I'm going to try a few things at work today; I'll let you all know how it goes.

--
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 08991@xyz.molar.is           -><-           http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

----- End forwarded message -----

--
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 08991@xyz.molar.is           -><-           http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
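The two ideas discussed in this thread - appending a "-DEFANGED[n]" marker to Subject lines that end in a short file extension, and checking a part's declared MIME type against the actual bytes ("magic") of its body - are sketched below in Python. This is an added example for the archive, not code from the Anomy sanitizer or from anyone in the thread. The extension pattern (a dot followed by 1-4 letters at the end of the Subject), the set of magic signatures (only image/gif is mentioned in the post; PNG and JPEG are added for illustration), and the sample message are all assumptions constructed here; the sample headers are modelled on the ones quoted in the HTML.dropper post.

```python
import email
import re
from email.message import Message
from typing import List, Optional, Tuple

# Assumption: "looks like a file name" means the Subject ends in a dot
# followed by 1-4 letters, e.g. "foo.txt" or the bare ".hta" from the post.
FILENAME_SUBJECT = re.compile(r"\.[A-Za-z]{1,4}\s*$")


def defang_subject(subject: str, counter: int = 1) -> str:
    """Append the -DEFANGED[n] marker when the Subject ends in an extension.

    Appending (rather than rewriting) means a client that treats the tail of
    the Subject as a file extension now sees "]" instead of "hta".
    """
    if FILENAME_SUBJECT.search(subject):
        return f"{subject.rstrip()}-DEFANGED[{counter}]"
    return subject


# Leading bytes expected for a few declared image types (added assumption;
# the thread only names image/gif).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def content_matches_type(content_type: str, payload: bytes) -> Optional[bool]:
    """True/False when a signature is known for the type, None when it is not."""
    sigs = MAGIC.get(content_type.lower())
    if sigs is None:
        return None
    return payload.startswith(sigs)


def sanitize(raw: bytes) -> Tuple[Message, List[str]]:
    """Defang the Subject and flag parts whose bytes contradict their MIME type."""
    msg = email.message_from_bytes(raw)
    findings: List[str] = []

    subject = msg.get("Subject", "")
    defanged = defang_subject(subject)
    if defanged != subject:
        msg.replace_header("Subject", defanged)
        findings.append(f"subject defanged: {subject!r} -> {defanged!r}")

    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if content_matches_type(ctype, payload) is False:
            findings.append(f"part declared {ctype} but its magic bytes do not match")

    return msg, findings


# Constructed sample, modelled on the headers quoted in the HTML.dropper post:
# an image/gif body that is really HTML Application (HTA) markup.
SAMPLE = b"""MIME-Version: 1.0
To: recipient@example.invalid
Subject: .hta
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><script language="vbscript">MsgBox "not a gif"</script></html>
"""

if __name__ == "__main__":
    cleaned, notes = sanitize(SAMPLE)
    print(cleaned["Subject"])
    for note in notes:
        print("-", note)
```

The extension rule is deliberately crude: a Subject such as "Re: migrating to node.js" is defanged as well, which is the trade-off the thread is debating. The magic check only fires when a signature for the declared type is known, so it catches the image/gif-with-HTA case from the post without touching text/plain or other types it knows nothing about.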

-- This mailing list's home page is: http://mailtools.anomy.net/archives/anomy-list/ There you can find subscription instructions and possibly an archive. Molar.is is a free Icelandic mailing list service.
