Outlook mailto: URL argument injection vulnerability

From: Jouko Pynnonen (jouko_at_IKI.FI)
Date: 03/10/04

    Date:         Wed, 10 Mar 2004 17:13:14 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    OVERVIEW
    ========

    Microsoft Outlook contains a vulnerability which allows execution of
    arbitrary code when a victim user views a web page or an e-mail message
    created by an attacker.

    DETAILS
    =======

    During Outlook installation, a mailto: URL handler is registered with
    the system. When a mailto: URL is opened, the system starts OUTLOOK.EXE
    with the following arguments:

      OUTLOOK.EXE -c IPM.Note /m "mailto:email@address"

    If the URL contains a quote symbol, additional command line arguments
    can be injected into OUTLOOK.EXE. The program recognizes several
    command line switches, and a startup URL to be opened by Outlook can
    also be supplied on the command line. This URL can be a javascript:
    URL; if the "Outlook today" page is the current view in Outlook, the
    JavaScript code is executed in the "Local machine" zone. This allows an
    attacker to, for example, download and start an EXE program of their
    choosing.

    A web page or e-mail message exploiting this flaw may, for instance,
    contain an IMG tag that refers to a mailto: URL. The victim user need
    not click on a link.

    If the "Outlook today" view isn't the default view in Outlook, the
    attacker can still carry out the attack by using two mailto: URLs; the
    information in the mitigating factors section of Microsoft's bulletin
    on this point is inaccurate. The first mailto: URL would start
    OUTLOOK.EXE and cause it to show the "Outlook today" view, and the
    second one would supply the offending JavaScript code. This scenario
    was verified with an exploit.

    The issue is not a standard "cross site scripting" vulnerability but a
    different kind of injection attack. The exploit can inject command line
    switches and arguments into OUTLOOK.EXE because quote symbols in the
    URL aren't escaped or otherwise processed. This can be considered a new
    vulnerability category, and further investigation has shown that
    similar attacks can be carried out against other software that
    registers a URL handler.
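    The following Python model is an added illustration, not code from the
    advisory or from Microsoft: it shows why plain substitution of the URL
    into a quoted command line template lets a quote character split off
    extra arguments, and how a handler should validate the URL and pass it
    as a separate argument vector element instead. The template form with
    %1, the simplified Windows command line splitting rules, the sample URLs
    and the placeholder "/injected-switch" are all assumptions constructed
    for the example; the check is written for any scheme, since the
    advisory notes that other registered URL handlers share the flaw.

```python
import re
import string

# Handler command line in the shape the advisory gives. Assumed template
# form: the page shows the expanded command, not the registry value; %1
# stands for the URL the browser hands to the handler.
HANDLER_TEMPLATE = 'OUTLOOK.EXE -c IPM.Note /m "%1"'

# Characters a mailto: URL may legitimately contain unencoded (RFC 2368 /
# RFC 2396 URL syntax); a double quote and whitespace are not among them.
_ALLOWED = set(string.ascii_letters + string.digits + "-._~!$&'()*+,;=:@/?%")


def naive_expand(template: str, url: str) -> str:
    """Plain string substitution of %1: the behaviour the advisory describes."""
    return template.replace("%1", url)


def split_windows_cmdline(cmdline: str) -> list:
    """Minimal model of how a Windows command line is split into arguments:
    double quotes toggle quoting, unquoted whitespace separates arguments.
    Backslash-escape rules are deliberately omitted (simplification)."""
    args, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def is_safe_handler_url(url: str, scheme: str = "mailto") -> bool:
    """Accept a URL for a registered handler only if it carries the expected
    scheme, uses only URL-legal characters, and has well-formed %XX escapes."""
    if not url.startswith(scheme + ":"):
        return False
    if any(ch not in _ALLOWED for ch in url):
        return False
    # every '%' must introduce a two-hex-digit escape
    return re.fullmatch(r"(?:[^%]|%[0-9A-Fa-f]{2})*", url) is not None


def build_handler_argv(url: str, scheme: str = "mailto") -> list:
    """Hardened form: validate first, then build an argument vector instead of
    a command line string, so the URL is never re-parsed for quotes."""
    if not is_safe_handler_url(url, scheme):
        raise ValueError("rejected URL for %s: handler: %r" % (scheme, url))
    return ["OUTLOOK.EXE", "-c", "IPM.Note", "/m", url]


# Constructed sample inputs (not from the advisory): a benign URL and one that
# carries a quote; "/injected-switch" is a placeholder, not a real Outlook switch.
BENIGN_URL = "mailto:user@example.com?subject=Hello%20there"
QUOTED_URL = 'mailto:user@example.com" /injected-switch "x'


if __name__ == "__main__":
    for u in (BENIGN_URL, QUOTED_URL):
        print(u, "->", split_windows_cmdline(naive_expand(HANDLER_TEMPLATE, u)))
        print("  accepted by validator:", is_safe_handler_url(u))
```

    Run stand-alone, the benign URL expands to the five arguments the
    advisory lists, while the quoted URL yields seven: the quote closes the
    /m argument early and the remainder is parsed as further switches. The
    validator rejects the second URL outright, and an argument vector keeps
    the URL intact even when it is later quoted for CreateProcess, because
    the quoting is then done by the caller rather than by string pasting.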

    AFFECTED VERSIONS
    =================

    According to Microsoft, the affected supported versions are Microsoft
    Office XP SP2 and Microsoft Outlook 2002 SP 2. Some earlier versions
    are vulnerable too but are not supported by the vendor.

    SOLUTION
    ========

    Microsoft was informed on July 21st, 2003 and has released an update
    to correct the problem. A bulletin describing the update can be seen
    at

      http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx

    CREDITS
    =======

    The vulnerability was discovered and researched by Jouko Pynnönen,
    Finland.

    -- 
    Jouko Pynnönen          Web: http://iki.fi/jouko/
    jouko@iki.fi            GSM: +358 41 5504555
