[Full-Disclosure] ROCKET SCIENCE: Outlook 2003

http-equiv_at_excite.com
Date: 05/17/04

    To: <full-disclosure@lists.netsys.com>
    Date: Mon, 17 May 2004 21:30:53 -0000
    
    

    Monday, May 17, 2004

    The technical final step to 'silent delivery and installation of an
    executable on the target computer, no client input other than
    reading an email' can be achieved with the highly touted
    'secure-by-default' Outlook 2003 mail client from the craftsman
    known as 'Microsoft'.

    Default settings of the 'gadget' are: restricted zone, which
    means no ActiveX controls, no scripting, no file downloads, etc.

    This can all very easily be bypassed by simply embedding in a
    rich text message our OLE object, one Windows Media Player. We
    then point our source URL to our media file, which includes our
    now run-of-the-mill 0s URL flip, and simply by previewing or
    opening the email message invoke our device known as Internet
    Explorer to proxy our manipulation of the recipient's machine.

    In typical fashion, despite the settings in the Windows Media
    Player being set to 'disallow' scripting in media files, and despite
    Outlook 2003's 'highly' secure default setting of viewing HTML
    content in the so-called 'restricted zone', it all still works!

    [screen shot: http://www.malware.com/rockitman.png 46KB]

    This now all automates our process and coupling it with our
    previous first step finding:

    [http://www.securityfocus.com/bid/10307]

    all we need to do next is our second step and embed the entire
    package including the media file into the mail message and send
    it along its merry way.

    The whole Outlook 2003 'gadget' is broken.

    Working Example:

    Simply view the mail message:

    http://www.malware.com/rockIT.zip

    Notes:

    1. The miserable selection of full screen = true can allow us to run
    our 'video' in WMP full screen mode. How about that: forget
    about HTML spam messages, now we have full screen video
    advertisements on opening the mail message.
    2. Tested on XP and 2K3 with POP mail client settings in Outlook 2003;
    Exchange Server settings unknown at this time.
    3. Subject to initial WMP settings, a notification of connection
    settings can pop up; however, it is generally dismissed at the first
    running of WMP, and neither the yes nor the no selection has any
    effect [as usual].
    4. Firewalls should flag Outlook itself trying to escape out on
    port 80. Nevertheless, if all is embedded there is no need for remote hosting.
    5. Disable HTML settings or get another mail client [the better of
    the two, as below].
    6. Lots more where this came from.

    End Call

    -- 
    http://www.malware.com
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
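An added check, not from the original post and not malware.com's code: the vector described above is an OLE object (a Windows Media Player control) embedded in a rich text (RTF) message body, so a mail gateway or forensic triage script can at least surface such messages before Outlook renders them. The Python below walks each `{\object ...}` group in an RTF body with a brace-aware scanner (so nested groups and escaped braces do not break it), pulls out the `\objclass` ProgID and the decoded size of the `\objdata` blob, and flags any class matching an assumed policy list. The sample RTF, the class name `WMPlayer.OCX.7` and the hex bytes are constructed for illustration; the post does not state which class name the embedded player uses, and this script does not parse the media file or its URL flip.

```python
import re
from dataclasses import dataclass

# Assumed policy: substrings (lower-case) of \objclass ProgIDs worth quarantining.
# The post names the embedded control only as "Windows Media Player"; the ProgID
# patterns here are an assumption for the example, not taken from the post.
SUSPECT_CLASS_PATTERNS = ("wmplayer", "mediaplayer")

# Constructed sample RTF body: one embedded OLE object with a placeholder class
# name and a placeholder \objdata hex blob (8 bytes). Not a real payload.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Arial;}}
\pard Please see the attached clip \{with brackets\}.\par
{\object\objemb\objw1440\objh1440{\*\objclass WMPlayer.OCX.7}{\*\objdata 0105000002000000}}
\par}"""

# Constructed benign RTF body with no embedded objects at all.
BENIGN_RTF = r"""{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\pard Hello.\par}"""


@dataclass
class EmbeddedObject:
    obj_class: str   # value of {\*\objclass ...}, "" if absent
    data_bytes: int  # decoded length of the \objdata hex blob
    suspicious: bool # True when obj_class matches a policy pattern


_OBJECT_START = re.compile(r"\{\\object\b")
_OBJCLASS = re.compile(r"\{\\\*\\objclass\s+([^}]*)\}")
_OBJDATA = re.compile(r"\{\\\*\\objdata\s+([0-9A-Fa-f\s]*)\}")


def _extract_group(rtf: str, start: int) -> str:
    """Return the RTF group beginning at rtf[start] == '{', matching nested
    braces and skipping backslash escapes such as \{ and \}."""
    depth = 0
    i = start
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\":
            i += 2          # skip the escape and the character it protects
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    return rtf[start:]      # unterminated group: hand back the remainder


def find_embedded_objects(rtf: str, patterns=SUSPECT_CLASS_PATTERNS):
    """List every {\\object ...} group in the RTF body with its class and payload size."""
    found = []
    for m in _OBJECT_START.finditer(rtf):
        group = _extract_group(rtf, m.start())
        cls = _OBJCLASS.search(group)
        cls_name = cls.group(1).strip() if cls else ""
        data = _OBJDATA.search(group)
        hexdigits = re.sub(r"\s", "", data.group(1)) if data else ""
        suspicious = any(p in cls_name.lower() for p in patterns)
        found.append(EmbeddedObject(cls_name, len(hexdigits) // 2, suspicious))
    return found


def should_quarantine(rtf: str) -> bool:
    """Gateway decision: hold the message if any embedded object matches policy."""
    return any(o.suspicious for o in find_embedded_objects(rtf))


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        for obj in find_embedded_objects(body):
            print(f"{label}: class={obj.obj_class!r} data={obj.data_bytes}B suspicious={obj.suspicious}")
        print(f"{label}: quarantine={should_quarantine(body)}")
```

Outlook stores rich text bodies in TNEF (winmail.dat) or as RTF-compressed MAPI properties, so in practice the body has to be decompressed and extracted from the message first; the scanner above operates on the plain RTF text once that is done. Flagging on class name alone is deliberately coarse: the post's point is that the content restrictions of the restricted zone do not apply to the embedded control, so the presence of the object is the signal, not anything inside it.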
    
