[NT] Outlook Express 6 Attachment Protection Bypassing

From: support@securiteam.com
Date: 08/30/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Outlook Express 6 Attachment Protection Bypassing
Message-Id: <20010830190947.0F170138BF@mail.der-keiler.de>
Date: Thu, 30 Aug 2001 21:09:47 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Outlook Express 6 Attachment Protection Bypassing
------------------------------------------------------------------------

SUMMARY

Outlook Express 6 is the newest version of the Outlook family currently
available to Windows users. This version was built with tight security
restrictions on opening and executing attachments. A security
vulnerability in the product allows attackers to bypass this protection,
causing the user to open (and possibly execute) arbitrary programs.

DETAILS

Vulnerable systems:
Outlook Express version 6.00

File attachment execution on the new Outlook Express 6.00 mail and news
client is possible even though a protection scheme is in place.

The manufacturer, Microsoft, has done a very good job (so far) of beefing
up the security of the new Outlook Express mail and news client:

A) The default installation places the client in the so-called
"restricted zone".
B) The option "do not allow attachments to be saved or opened that could
potentially be a virus".

Nevertheless, we can still force an attached *.exe file to the client and
cause the user to execute it.

As before (in previous Outlook problems), embed the base64-encoded file
inside a simple HTML frameset:

  <frameset rows="100%,*">
  <frame src="malware.exe">
  </frameset>

We then send that as an HTML mail message to the target computer. On
receipt, the *.exe, which the new so-called security feature should
disallow, instead prompts the recipient to choose what to do with it.

(Screenshot available at: http://www.malware.com/ohno.jpg, 27KB)

What we do is manipulate the file extension to suggest that what we have
on offer is an innocent file. This, coupled with our original message,
should prove quite successful.

The problem is three-fold.

1) Even with the new so-called security feature enabled ("do not allow
attachments to be saved or opened that could potentially be a virus"),
forcing our file through an HTML frameset defeats the feature: the
attachment is automatically retrieved from the temporary file folder and
the recipient is invited to interact with it.

2) By renaming an *.exe to a *.bat, the file, if accepted, is opened
automatically rather than the user being asked whether installation
should take place.

3) By attaching the constructed mail message to a legitimate mail message,
we can slip in under the so-called new security feature setting ("do not
allow attachments to be saved or opened that could potentially be a
virus") and manipulate the recipient from there. It appears a
message/rfc822 attachment is considered safe by the security feature.

Example:
The following is a 'general purpose' mail message with the constructed
mail message attached. A harmless exe file is included.

Right-click and save to disk, then open in your mail client:
http://www.malware.com/nocigar.eml
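As an added illustration (not part of the advisory or Malware.com's own code), the following Python script checks a message for the three conditions described above from the receiving side: it descends into message/rfc822 attachments, flags attachments with executable-type extensions such as .exe or .bat, and flags HTML bodies whose frame references an attachment by name. The sample message it builds is constructed here with hypothetical names and an inert .bat; it is not the nocigar.eml file linked above.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions the advisory shows slipping past OE6 (.exe, and .exe renamed to .bat).
RISKY_EXT = (".exe", ".bat", ".com", ".scr", ".pif")
FRAME_SRC = re.compile(r'<i?frame\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def scan(msg, depth=0, findings=None):
    """Report risky attachments and HTML frames that reference them.
    Each message/rfc822 part is scanned as its own message at depth+1,
    so a payload hidden inside an attached message is still seen."""
    findings = [] if findings is None else findings
    names, htmls = [], []
    _collect(msg, depth, findings, names, htmls)
    for html in htmls:
        for src in FRAME_SRC.findall(html):
            if src.lower() in names:
                findings.append((depth, "frame-references-attachment", src))
    return findings

def _collect(part, depth, findings, names, htmls):
    if part.get_content_type() == "message/rfc822":
        for inner in part.get_payload():          # nested message: own scan
            scan(inner, depth + 1, findings)
    elif part.is_multipart():
        for sub in part.get_payload():
            _collect(sub, depth, findings, names, htmls)
    else:
        fn = part.get_filename()
        if fn:
            names.append(fn.lower())
            if fn.lower().endswith(RISKY_EXT):
                findings.append((depth, "risky-attachment", fn))
        if part.get_content_type() == "text/html":
            htmls.append(part.get_content())

def build_sample():
    """Constructed sample (hypothetical names) in the shape the advisory
    describes: a message/rfc822 attachment whose HTML body frames a .bat
    attachment. The .bat content is inert text."""
    inner = EmailMessage()
    inner["Subject"] = "constructed inner message"
    inner.set_content('<frameset rows="100%,*"><frame src="notes.bat"></frameset>',
                      subtype="html")
    inner.add_attachment(b"rem constructed sample, does nothing\r\n",
                         maintype="application", subtype="octet-stream",
                         filename="notes.bat")
    outer = EmailMessage()
    outer["Subject"] = "constructed outer message"
    outer.set_content("See the attached message.")
    outer.add_attachment(inner)
    return outer.as_bytes()

def scan_bytes(raw):
    return scan(email.message_from_bytes(raw, policy=policy.default))
```

Running `scan_bytes(build_sample())` returns two findings at depth 1: the .bat attachment and the frame that references it; a gateway that only inspects depth 0 would report nothing.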

ADDITIONAL INFORMATION

The information has been provided by Malware.



