[NT] Outlook Express 6 Security Vulnerabilities
From: support@securiteam.com
Date: 09/19/01
From: support@securiteam.com To: list@securiteam.com Subject: [NT] Outlook Express 6 Security Vulnerabilities Message-Id: <20010919203315.6B377138C1@mail.der-keiler.de> Date: Wed, 19 Sep 2001 22:33:15 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Outlook Express 6 Security Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Two major security vulnerabilities have been confirmed in Outlook Express
version 6. One is new to this version: the ability to execute scripted
code even in plain text messages. The other is an old one: the concealed
attachment.
DETAILS
Vulnerable systems:
Outlook Express version 6.0
Plain text message scripting execution:
This is possibly the strangest "innovation" from the manufacturer of
Outlook Express to date: the ability to execute Active Scripting in a
plain text mail message:
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Source: 11.09.01 http://www.malware.com
<scr!pt>alert("freak");alert("show")</scr!pt>
(NOTE: The character ! should be replaced with the character i)
The above is a legitimate RFC 822 mail message in plain text. Ordinarily
an HTML mail message [Content-Type: text/html;] would be required for the
client to parse HTML and scripting. The above nevertheless functions in a
plain text mail message in Outlook Express 6.
There appears to be a very small 'sweet spot' in the maximum length of the
above characters from each opening angle bracket to its closing angle
bracket. Additional tests suggest a few more characters can be 'squeezed'
in, as well as a second line below it with about half that number of
characters. Anything beyond that is parsed as plain text (as it should
be). Additionally, these tests indicate that only the <scr!pt> tags behave
this way; other tags such as <!FRAME>, <OB!ECT>, etc. parse correctly as
plain text.
Carefully note: Active Scripting is off by default in OE6. The above may
be of interest to system administrators who block active content and HTML
tags at their gateways using only the Content-Type: text/html; MIME header,
since a text/plain message passes such a filter untouched.
Working example [nothing but 'plain text']:
http://www.malware.com/malware.zip
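Added example, not part of the advisory: a Python check contrasting a gateway rule that keys only on the declared Content-Type with one that inspects the decoded body of every text part, which is the gap the paragraph above describes. The message text is constructed here, modelled on the proof of concept, with the hidden "i" restored.

```python
import email
import re
from email import policy

# Constructed sample, modelled on the advisory's proof of concept:
# a message declared text/plain whose body carries a <script> element.
PLAIN_WITH_SCRIPT = """\
MIME-Version: 1.0
From: sender@example.invalid
To: recipient@example.invalid
Subject: plain text only
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

<script>alert("freak");alert("show")</script>
"""

# Constructed benign message: mentions the word "script" but has no tag.
PLAIN_BENIGN = """\
MIME-Version: 1.0
Subject: notes
Content-Type: text/plain; charset="us-ascii"

The script for the meeting is attached separately.
"""

# Matches the opening of a script element, case-insensitively, with
# optional whitespace after the angle bracket.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def header_only_filter(raw: str) -> bool:
    """Weak gateway rule: flag a message only if some part is declared text/html."""
    msg = email.message_from_string(raw, policy=policy.default)
    return any(part.get_content_type() == "text/html" for part in msg.walk())


def content_aware_filter(raw: str) -> bool:
    """Stronger rule: scan the decoded body of every text/* part, whatever
    Content-Type it claims, for a script element."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes the transfer encoding and charset for us.
        if SCRIPT_TAG.search(part.get_content()):
            return True
    return False
```

The header-only rule lets the text/plain proof of concept through, while the body-inspecting rule flags it and still passes the benign message.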
Presence of an old vulnerability in Outlook Express:
You should also note with interest that a now 10-month-old vulnerability,
referred to as html.dropper
(<http://www.securiteam.com/windowsntfocus/5TP0O0K35E.html>), has been
carried over to Outlook Express 6. It allows the sender of a manufactured
mail message to dictate whichever icon they desire for an attachment:
Screen shot:
A screen shot is available at: http://www.malware.com/madness.jpg
The following fully functional working example is self-explanatory and
includes a harmless *.exe:
http://www.malware.com/bang.zip
ADDITIONAL INFORMATION
The information has been provided by Caretaker <mailto:sinkhole@malware.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.