Anyone see this? "I Love You" .jpg exploit


zopzop
June 5th, 2008, 05:32 PM
I first saw it browsing a Mac site, but apparently it's not limited to Macs (I mean, they are discussing it on a video game board):
http://forum.teamxbox.com/showpost.php?p=10982646&postcount=89

The link to it is found on the page above; I know there are rules against posting direct links to exploits and stuff on the forum.

Basically it's a jpg that opens up a new window with an error message and then opens up Outlook Express with an "I love you" message to George Bush.

Anyone hear of this?

Pedro
June 5th, 2008, 05:38 PM
Saving it to the desktop (Debian), and opening it, i get this:
[screenshot attachment]

zopzop
June 5th, 2008, 05:48 PM
Saving it to the desktop in Windows XP opens up Outlook Express with the "I love you" message to George Bush.

Also, clicking on the link provided by the teamxbox member opens up Outlook Express with the message (but not before getting a blank Internet page with an error message in it).

This is kind of scary; suppose next time someone uses this exploit to run other executables on your PC, like format or something else potentially destructive.

Pedro
June 5th, 2008, 06:01 PM
You're using SRP, don't sweat it too much:)
The only possible problem, is an extension you didn't add to SRP. I don't know how the executable-extensions business works.

Oh, I forgot: clicking from IceWeasel (Firefox) does open Evolution, so I suppose it's a browser thing. Which makes sense.

malwaretesting
June 5th, 2008, 07:10 PM
Me confused.

When I download it my firewall asks if I want to open outlook express (and I say no since I don't use it). But this only happens when I download it (without actually clicking on it). If my firewall is off my HIPS catches it.

When I actually try to open it (once it's downloaded), nothing happens, even with my firewall turned off.

I have to say. I've had it up to here (touching my forehead) with malware that doesn't work right on my system. I'm about to just give up and toss my computer in the garbage.

zopzop
June 5th, 2008, 07:20 PM
{QUOTE-> Me confused. <-QUOTE}

I don't know what to say. Here is a pic of it in action on my PC in a limited user account:
http://i227.photobucket.com/albums/dd84/zopzop/screenshot.jpg

It works on Macs too.

Rmus
June 5th, 2008, 08:11 PM
As shown in the link in the first post, this is nothing more than an html file spoofed as a jpg,
whose code is the mailto: tag set to trigger upon viewing the file.

The mailto: tag opens the default mail program, inserts the TO, Subject, and message body.

People with web pages use this feature all of the time - I do also - it's a shortcut for starting an email message
from within a web page.

This is done automatically unless the user has something in place to block the action,
as malwaretesting indicated.


----
rich
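The point above, that the file is rendered by what it contains rather than by its name, can be checked mechanically. The following is an added example (not code from this thread or from the linked site): it sniffs the first bytes of a file, compares the result with the extension, and lists any mailto: URIs in a file that turns out to be HTML. The sample bytes are constructed here, the address is a placeholder, and the meta-refresh trigger is an assumption about how such a file could be built, not taken from the original exploit file.

```python
"""Sniff a file that claims to be a JPEG and flag it if it is really HTML.

Added example for this thread, not code from the original post.
JPEG files start with the bytes FF D8 FF; an HTML file does not, however it
is named.  The trigger mechanism used in FAKE_JPEG (a meta refresh to a
mailto: URL) is an assumption; the thread only says the mailto: fires on view.
"""
import re

JPEG_MAGIC = b"\xff\xd8\xff"
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<meta", b"<body", b"<a ")
MAILTO_RE = re.compile(rb"mailto:[^\s\"'<>]+", re.IGNORECASE)


def sniff(data):
    """Return 'jpeg', 'html' or 'unknown' based on content, ignoring the name."""
    head = data[:512]
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    lowered = head.lstrip().lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def mailto_uris(data):
    """Every mailto: URI found in the raw bytes, as text."""
    return [m.decode("ascii", "replace") for m in MAILTO_RE.findall(data)]


def check(filename, data):
    """Compare what the extension claims with what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    claims_image = ext in ("jpg", "jpeg")
    return {
        "name": filename,
        "ext": ext,
        "kind": kind,
        "spoofed": claims_image and kind != "jpeg",
        "mailto": mailto_uris(data) if kind == "html" else [],
    }


# Constructed samples: a minimal JFIF header, and an HTML page named .jpg
# whose only job is to hand a mailto: URL to the browser on load.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
FAKE_JPEG = (
    b"<html><head>"
    b'<meta http-equiv="refresh" content="0;url=mailto:someone@example.com?subject=I%20Love%20You">'
    b"</head><body></body></html>"
)
SAMPLES = {"photo.jpg": REAL_JPEG, "iloveyou.jpg": FAKE_JPEG}


def scan_samples():
    """Run check() over the constructed samples, keyed by file name."""
    return {name: check(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for result in scan_samples().values():
        flag = "SPOOFED" if result["spoofed"] else "ok"
        print(f'{result["name"]}: {result["kind"]} [{flag}] {result["mailto"]}')
```

Run it against a real download by replacing SAMPLES with the bytes of the file; a "jpg" that sniffs as html and carries a mailto: URI is exactly the case described in this thread.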

ronjor
June 5th, 2008, 08:32 PM
Use Pop Peeper (http://www.poppeeper.com/) or Popcorn (http://www.ultrafunk.com/products/popcorn/) to peruse your email.

Change your default mail client to accept plain text messages only.

malwaretesting
June 5th, 2008, 08:56 PM
So, apparently this is an issue with browsers (not really a vulnerability since nothing is actually sent). Code is executed when the browser downloads the file. Apparently it's not an issue after it's actually downloaded.

But, why does Firefox execute anything at all. I just asked it to download the file and save it on my computer. I never asked it to open the file or scan it in any way. It seems to me the browser should be totally neutral to the contents of a file you ask it to download. I would understand this scenario if I had actually asked Firefox to open the file.

So, that's why it doesn't make sense to me. But it's not really a huge issue. I don't think it could actually do anything malicious, but I'm not certain.

malwaretesting
June 5th, 2008, 09:06 PM
{QUOTE-> I don't know what to say. Here is a pic of it in action on my PC in a limited user account:
http://i227.photobucket.com/albums/dd84/zopzop/screenshot.jpg

It works on Macs too. <-QUOTE}

There was an element of tongue in cheek in my post. I guess it didn't come across like that. I'm sure if I disabled my security software, I would get the same result you showed in your screenshot.

zopzop
June 5th, 2008, 09:58 PM
{QUOTE-> As shown in the link in the first post, this is nothing more than an html file spoofed as a jpg,
whose code is the mailto: tag set to trigger upon viewing the file. <-QUOTE}

Yes, I understand this version is harmless. But what I was scared of is if there's a way someone could use this to launch format.com or something similar?

Rmus
June 5th, 2008, 10:11 PM
You would have to ask someone who has all of the code to see if this would be possible in this case.


----
rich

malwaretesting
June 5th, 2008, 10:32 PM
{QUOTE-> Yes, I understand this version is harmless. But what I was scared of is if there's a way someone could use this to launch format.com or something similar? <-QUOTE}

This is a browser issue, isn't it? Can a browser launch any random program, or does it just launch your mail client? I'm not sure of this, but I don't think a browser can just launch any random program. E-mail is the obvious exception (due to the relationship between a browser and mail client), which is why I think this "exploit" was made like this.

lucas1985
June 6th, 2008, 12:04 AM
URI scheme (http://en.wikipedia.org/wiki/URI_scheme)
The mailto URL scheme (http://tools.ietf.org/html/rfc2368)
:)
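To make the two references concrete, here is an added example (not from the thread) that parses a mailto: URI the way RFC 2368 lays it out: recipients in the path, headers such as subject and body percent-encoded in the query, and a "to" header that adds further recipients. It only honours to, subject and body, and reports any other header it drops; that whitelist is a conservative choice made here, in line with the RFC's advice that a resolver cannot be expected to understand other headers. The sample URIs and addresses are constructed.

```python
"""Parse a mailto: URI as described in RFC 2368.

Added example, not code from this thread.  This is roughly what the browser
hands to the mail client: the path holds comma-separated addresses, the query
holds hname=hvalue pairs, both percent-encoded.  Note that '+' is not a space
here (that is a form-encoding rule), so the query is decoded by hand rather
than with parse_qsl.  Only to/subject/body are accepted; anything else
(from, bcc, ...) is dropped and reported, a choice made in this example.
"""
from urllib.parse import urlsplit, unquote

SAFE_HEADERS = {"to", "subject", "body"}


def parse_mailto(uri):
    """Return recipients, subject, body and the list of dropped header names."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto URI: %r" % (uri,))

    # RFC 2368: mailto:addr1,addr2?hname=hvalue&hname=hvalue
    recipients = [unquote(a) for a in parts.path.split(",") if a]
    headers = {}
    dropped = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name = unquote(name).lower()
        value = unquote(value)  # decode after splitting so %26 stays a literal '&'
        if name == "to":
            recipients.extend(a for a in value.split(",") if a)
        elif name in SAFE_HEADERS:
            headers[name] = value
        else:
            dropped.append(name)

    return {
        "to": recipients,
        "subject": headers.get("subject", ""),
        "body": headers.get("body", ""),
        "dropped": dropped,
    }


# Constructed samples: a benign pre-filled message, and one that tries to
# smuggle extra recipients through headers a cautious client should ignore.
SAMPLE = "mailto:someone@example.com?subject=I%20Love%20You&body=Dear%20George%2C%0AI%20love%20you."
SNEAKY = "mailto:someone@example.com?to=other@example.com&bcc=hidden@example.com&subject=hi"


if __name__ == "__main__":
    for uri in (SAMPLE, SNEAKY):
        print(uri)
        print("   ", parse_mailto(uri))
```

Feed it the URI extracted from a suspect HTML file and you see exactly what the mail client will be asked to pre-fill, and which headers a strict client should refuse.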

Rmus
June 6th, 2008, 12:18 AM
{QUOTE-> This is a browser issue, isn't it? Can a browser launch any random program, <-QUOTE}Yes, many exploits have been set up as PoC to demonstrate launching of the calculator program - the .wmf exploit from a couple of years back, for example.

Here is another one using the browser directly - the old MS06-014 MDAC exploit, now requiring an unpatched IE to run.

The exploit downloaded an executable, renamed it to svchost.exe, then copied it to the tmp directory
and launched it.

I modified it to launch notepad.exe directly from the system. Partial code (won't work as is):


<html>
<script language="VBScript">

<snip>

fname1="C:\WINNT\notepad.exe"

<snip>

ShellExecute fname1

S.close
</script>
</html>


I created the file script.html and ran it in the browser:

[screenshot attachment]
_________________________________________________________________

So, scripts in html code can do many things.

I never saw an instance in the wild where any of these exploits like .wmf launched a program already on the computer, or did damage to the computer.

(I would like to know if anyone has seen such examples of attacks in the wild)

Why trash the computer? The money to be made is in getting a rogue program on to the victim's computer.


----
rich

lucas1985
June 6th, 2008, 12:25 AM
{QUOTE-> I never saw an instance in the wild where any of these exploits like .wmf launched a program already on the computer <-QUOTE}
I've not seen an example myself, but I can imagine exploit code launching another instance of the browser and using it as the downloader for the payload.

Rmus
June 6th, 2008, 12:46 AM
Yes, this is a bit different, and you may remember the Google redirect exploit, where IE crashes, then a hidden instance of IE starts which then connects out to download stuff.

The victim could restart IE and continue on, not realizing what is happening in the background.

But again, the end result is to download malware.

I'm thinking of exploits which do something besides that.


----
rich

lucas1985
June 6th, 2008, 01:02 AM
{QUOTE-> I'm thinking of exploits which do something besides that. <-QUOTE}
Those exploits are nothing more than PoCs like the one you've just analyzed. As you said, destructive payloads aren't interesting right now. But the possibility is there: browser exploit > launch script engine (e.g., wscript.exe) > do nasty things (deleting files, etc)

Mrkvonic
June 6th, 2008, 01:24 AM
Hi,

You should disable the browser's ability to automatically launch an external mail client:

In Firefox:

about:config

>> Completely disable:
network.protocol-handler.external.mailto set to false

Or at the very least:

>> Warn before launching:
network.protocol-handler.warn-external.mailto set to true

Mrk


P.S. I will even write a little article about this ...

Rmus
June 6th, 2008, 02:27 AM
{QUOTE-> But the possibility is there:... <-QUOTE}This brings to mind a pertinent question: in planning for security, how much weight should one give to possibilities?

One's mind can think of endless possibilities, which, if left to imagine the worst, can lead to never turning on one's computer!

In your example, one can disable the script engines. In considering more possibilities, one could end up crippling most of the functions of the computer, depending on what was disabled.

Here is one possibility I discussed recently with a friend:

Microsoft Security Bulletin MS08-021 – Critical
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx

{QUOTE-> This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file.

Workarounds for GDI Heap Overflow Vulnerability

Turn off metafile processing by modifying the registry

Impact of workaround.

Turning off processing of metafiles may cause the appearance of software or system components to decrease in quality. Turning off processing of metafiles may also cause the software or system components to fail completely. It has been identified to have a potential significant functionality impact and should be evaluated and tested carefully to determine its applicability.

Examples include the following:

• You cannot print on the computer.
• Some applications on the computer may be unable to display Clipart.
• Some scenarios that involve OLE rendering may break. Especially, it occurs when the object server is not active.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued. <-QUOTE}

If someone came to you (anyone here) having seen this security advisory, what would you advise? At this point, a patch has not yet been released. (I'll give my response later)

(One could substitute this thread's example of the mailto: exploit -- what would you advise someone who is concerned about this? Mrk's suggestion is for FireFox users)


----
rich

Mrkvonic
June 6th, 2008, 02:51 AM
Hello,

Similar for Opera, about:config, mail, set handler to 0.

For IE users, this is a problem, because IE does not like mail handler being disabled. Best solution for IE seems to be:

- LUA (+SRP).
- DropMyRights if you use admin (with C or U token rather than N).
- Disabling Outlook Express and using other mail clients, with messages set to text only; disabling Outlook Express and not just using a different mail client, because IE might decide to open the links in OE anyhow.
- Not using IE ...

You can all test this at home - this is a benign example:

Here's html code, just copy-paste to a text editor, save as html, open in any of the browsers and see what happens:

<html>
<body>
<a href="mailto:mailaddress@somedomain.com">Click here</a>
</body>
</html>

If you set handler to 0 in Opera, Firefox, nothing happens.
If you set to warn in Firefox, you are asked whether you want to launch an external application - and which.

Mrk

Rmus
June 6th, 2008, 09:39 AM
What do you see as a potential threat in the use of the mailto: tag?


----
rich

Mrkvonic
June 6th, 2008, 10:19 AM
Hello,
Haven't really thought about it in depth.
Gimme a few hours to ponder.
Mrk

Rmus
June 6th, 2008, 11:14 AM
If no real threat, why disable a useful function of the browser?

If the possibility of a threat exists, I would like to see where an attack used it.


----
rich

lucas1985
June 6th, 2008, 03:03 PM
{QUOTE-> This brings to mind a pertinent question: in planning for security, how much weight should one give to possibilities? <-QUOTE}
IMO, it depends on the user's risk exposure and his/her level of paranoia. For example, I'd call hardware/BIOS rootkits no threat for everybody (at least for now). On the other hand, I'd call destructive payloads a very low risk threat for almost everybody. The risk would be higher for a user who:
- manages critical information (information that, if deleted/corrupted/hijacked, would bring great losses).
- doesn't know the state (up-to-date, outdated) of his/her backups or has no backups at all.
- has computer habits that make him/her prone to encounter malware-infested content (happy-clicking).
For security-conscious users, destructive payloads aren't a threat.

Rmus
June 6th, 2008, 10:36 PM
{QUOTE-> For security-conscious users, destructive payloads aren't a threat. <-QUOTE}Great line, lucas -- this should be in your signature!

ccsito
June 10th, 2008, 06:15 PM
{QUOTE-> saving it to a desktop in windows xp opens up outlook express with the "i love you" message to george bush.
<-QUOTE}

Must be from a Republican hacker. LOL ;D