SecurityTracker.com

Category:  Application (E-mail Client)  >  Microsoft Outlook Express
Vendors:  Microsoft
Microsoft Outlook Express Security Domain Flaw Lets Remote Users Silently Install and Execute Arbitrary Code
SecurityTracker Alert ID:  1006148
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 22 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6.00
Description:  A vulnerability was reported in Microsoft Outlook Express. A remote user can send a specially crafted HTML-based e-mail or newsgroup posting to cause arbitrary code to be silently installed and executed on the target user's computer when the target user views the message.

It is reported that this flaw may be related to the flaw originally reported in March 2002 in Microsoft Bulletin MS02-015 and affecting Internet Explorer (see Alert ID 1003915 or CVE Number CAN-2002-0078). According to the report, the patches related to MS02-015 should prevent this newly reported vulnerability, but do not.

The report states that, if an e-mail or newsgroup message is read by the target user in the "Internet Zone", the demonstration exploit shown below will be effective:

<xml id=oExec> <security><exploit> <![CDATA[ <object id="oFile"
classid="clsid:11111111-1111-1111-1111"
codebase="C:\WINDOWS\FTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html
dataSrc=#oExec></SPAN>

The demonstration exploit (credited to Grey Magic) will open an existing binary on the target user's computer. However, the report states that Outlook Express creates a temporary file in the Internet Explorer cache, and it implies (but does not confirm) that arbitrary code could be delivered via this temporary file.

It is reported that default installations of Outlook Express 6.00 are configured to use the "Restricted Zone".

Impact:  A remote user can cause arbitrary code to be delivered to and executed on a target user's computer when the target user views the affected message, depending on the security zone settings for Outlook Express.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:  Access control error, State error
Underlying OS:  Windows (Any)
Reported By:  "http-equiv@excite.com" <http-equiv@malware.com>
Message History:   None.
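
One way a mail gateway could flag the markup pattern described in this advisory, given as an added example that is not part of the advisory or of the original report. It scans the raw message text, so an object tag placed inside a CDATA section is still seen, and it reports an XML data island whose id is bound through dataSrc with dataFormatAs=html. The function name and finding names are hypothetical.

```python
import re

# Attribute value may be quoted or bare (the advisory's markup uses dataSrc=#oExec).
_ATTR = r'''\b{0}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))'''
_TAG = re.compile(r'<\s*([a-zA-Z][\w:-]*)\b[^>]*>')
# Drive-letter path, UNC path or file: URL.
_LOCAL = re.compile(r'(?:[a-zA-Z]:[\\/]|\\\\|file:)', re.I)

def _attr(tag, name):
    """Value of attribute `name` inside one raw tag string, or None."""
    m = re.search(_ATTR.format(name), tag, re.I)
    return next(g for g in m.groups() if g is not None) if m else None

def scan_html_mail(body):
    """Return sorted finding names for one raw HTML message body."""
    findings, islands, bound = set(), set(), set()
    # Scanning the raw text (not a DOM) also sees tags hidden inside CDATA.
    for m in _TAG.finditer(body):
        tag, name = m.group(0), m.group(1).lower()
        if name == "xml" and _attr(tag, "id"):
            islands.add(_attr(tag, "id").lower())
        src, fmt = _attr(tag, "datasrc"), _attr(tag, "dataformatas")
        if src and src.startswith("#") and (fmt or "").lower() == "html":
            bound.add(src[1:].lower())
        if name == "object" and _LOCAL.match(_attr(tag, "codebase") or ""):
            findings.add("object-local-codebase")
    # A data island only matters here if some element renders it as HTML.
    if islands & bound:
        findings.add("data-island-rendered-as-html")
    return sorted(findings)

# Markup quoted in the advisory above, reused as scanner input.
DIRECT = r'<object classid="clsid:11111111-1111-1111-1111" codebase="C:\WINDOWS\FTP.EXE"></object>'
ISLAND = r'''<xml id=oExec> <security><exploit> <![CDATA[ <object id="oFile"
classid="clsid:11111111-1111-1111-1111"
codebase="C:\WINDOWS\FTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html dataSrc=#oExec></SPAN>'''
# Constructed benign message for comparison.
BENIGN = '<p>Hello</p><object codebase="http://example.com/viewer.cab"></object>'

if __name__ == "__main__":
    for label, body in (("direct", DIRECT), ("island", ISLAND), ("benign", BENIGN)):
        print(label, scan_html_mail(body))
```

Both findings together on one message correspond to the data-bound form the report says functions in the Internet Zone; the local-codebase finding alone corresponds to the direct form the report says does not.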


 Source Message Contents

Date:  Sat, 22 Feb 2003 14:41:09 -0000
From:  "http-equiv@excite.com" <http-equiv@malware.com>
Subject:  [Full-Disclosure] O UTLO OK EXP RE SS 6 .00 : broken

 



Saturday, February 22, 2003

Technical silent delivery and installation of an executable no client 
input other than reading an email or viewing a newsgroup message. 
Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.

This should not be possible.

When viewing an email message or a newsgroup message, Outlook Express 
creates a temp file in the Internet Explorer cache.  From here 
security should be governed by Internet Explorer's security settings.

In an html email with internet zone applied, this will not function:

<object classid="clsid:11111111-1111-1111-1111" 
codebase="C:\WINDOWS\FTP.EXE"></object>

[screen shot: http://www.malware.com/tsktsk.png 11KB]

In an html email message or newsgroup message with internet zone 
applied this will function:

<xml id=oExec> <security><exploit> <![CDATA[ <object id="oFile" 
classid="clsid:11111111-1111-1111-1111" 
codebase="C:\WINDOWS\FTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html dataSrc=#oExec></SPAN>

courtesy of: http://sec.greymagic.com/adv/gm001-ie/

[screen shot: http://www.malware.com/tsktsktsk.png 11KB]

NOTE: that default installations of Outlook Express 6.00 are with 
restricted zone applied. However there still remain many 'happy 
people' out there that enjoy their html mail messages and html 
newsgroup messages, and coupling the above with any one of a million 
other unsolved problems now and in the future with Internet Explorer 
and Outlook Express, including a new 
http://www.malware.com/stench.html we are back in business.

Notes:

This is supposed to be patched:

http://microsoft.com/technet/security/bulletin/MS02-015.asp
28 March 2002

Keywords: experts Academic Advisory Board Think Tank security concepts

-- 
http://www.malware.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Copyright 2002, SecurityGlobal.net LLC