[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Using data: URLs for malware injection

To: <full-disclosure@xxxxxxxxxxxxxxxx>, "Michael Holzt" <kju-fd@xxxxxxxx>
Subject: Re: [Full-Disclosure] Using data: URLs for malware injection
From: "Rafel Ivgi" <rivgi@xxxxxxxxxx>
Date: Wed, 12 Jan 2005 10:34:43 +0200

I confirm on my Opera

Version 7.54  
Build 3869  
Platform Win32  
System Windows XP  
Java Sun Java Runtime Environment version 1.4  
VoiceXML Plugin not available

EXECUTES PUTTY!!! SAID "NOTEPAD.EXE"

Rafel Ivgi
Security Consultant 
Malicious Code Research Center (MCRC)
Finjan Software LTD
E-mail: rivgi@xxxxxxxxxx
---------------------------------
Prevention is the best cure!
----- Original Message ----- 
From: "Michael Holzt" <kju-fd@xxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Tuesday, January 11, 2005 11:41 PM
Subject: [Full-Disclosure] Using data: URLs for malware injection


> 
> Using data: URL for malware injection
> 
> 2005/01/11, Michael Holzt, kju -at- fqdn.org
> based on work done by Darren Bounds (see text)
> 
> 
> 
> As described by Darren Bounds in an earlier posting [1], RFC2397 allows to
> embed data into an HTML formatted document. While Darren only used this for
> malicious images, i made some further research which shows that this can
> also be used to embed an executable file into the document. As shown by
> Darren, such embedded data is not detected by current AV gateways. This
> could be abused by websites (and probably HTML email too) for distributing 
> malware.
> 
> The attack works by using an URL scheme like this:
> 
>   <a href="data:application/x-msdos-program;base64,
>     [base64 data]">Click me!</a>
> 
> I've made an example available which embeds putty.exe. The example is about
> 500 kByte HTML and is available on http://kju.de/misc/putty.html. Please do
> not spread this URL outside of this list because of the traffic. Feel free
> to copy the example to your own webspace.
> 
> My tests with various windows based webbrowsers had the following results:
> 
>  - IE6 clicking on the link does nothing
> 
>  - Mozilla 1.5.4 will try to open the "what should i do with that" 
> file dialog and then hangs. needs to get killed.
> 
>  - Firefox 1.0 allows saving of the data to harddisk
> (on linux it will also display much rubbish
> in the save dialog)
> 
>  - Opera 7.5.4 tells that it will open the file with notepad
> (which sounds ok), but will then EXECUTE IT
> INSTEAD (without further warning).
> 
> The behaviour of Opera 7.5.4 seems like a major security bug to me. Can
> someone else confirm this behaviour?
> 
> 
> References:
> 
> [1] Posting by Darren Bounds on 2005/01/10,
>    <F873C22A-633A-11D9-97DC-000A95820F5E@xxxxxxxxxxxxxx> 
>    http://lists.netsys.com/pipermail/full-disclosure/2005-January/030724.html
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet 
Vital Security 1Box(tm)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Using data: URLs for malware injection
  - From: Michael Holzt

Prev by Date: RE: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER
Next by Date: [Full-Disclosure] UPDATE: [ GLSA 200412-25 ] CUPS: Multiple vulnerabilities
Previous by thread: [Full-Disclosure] Using data: URLs for malware injection
Next by thread: Re: [Full-Disclosure] Using data: URLs for malware injection
Index(es):
- Date
- Thread