[NT] Weakness in GoldMine Email Manager Allows Arbitrary Code Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 05/29/03

    To: list@securiteam.com
    Date: 29 May 2003 19:38:37 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Weakness in GoldMine Email Manager Allows Arbitrary Code Execution
    ------------------------------------------------------------------------

    SUMMARY

    GoldMine "quickly and easily equips professionals, SOHOs
    (Small Offices/Home Offices), small businesses and teams with automated
    customer/contact management and workgroup tools". A vulnerability in the
    product allows remote attackers to cause the product to execute arbitrary
    code.

    DETAILS

    Vulnerable systems:
     * GoldMine versions 5.70 and 6.00 prior to version 30503

    By sending a specially crafted email to a user who opens it with the
    GoldMine mail agent, a hacker can run arbitrary code of the hacker's
    choice on the user's computer. This includes remote Trojans, IRC zombies,
    Spyware, Malware, remote key loggers, or any program a hacker wants to run.
    This program will be running inside the corporate network, behind the
    firewall, and can access anything the infected user has access to. The
    GoldMine mail agent does not even run the HTML email in the 'security zone'
    as does Microsoft(tm) Outlook, but passes anything that looks like HTML to
    be executed unrestricted directly to the default browser (usually IE).

    The user does not even have to open the email, as the default 'preview'
    option will pass the first few lines of the email to IE, which will trigger
    the exploit. In fact, just highlighting the email in order to delete it
    could trigger the exploit.

    Exploit:
    No exploit is necessary, as there are already examples in viruses and
    Trojans that were designed to attack Microsoft Outlook and Outlook
    Express.

    Microsoft fixed these by patching both readers and allowing the user to
    set the security zone for reading HTML email in the 'insecure' settings.

    To see an exhaustive list of what can happen when email is passed to IE,
    see: http://www.guninski.com/browsers.html

    Vendor Response:
    FrontRange immediately verified the existence of this vulnerability,
    created a patch and scheduled its release as soon as QA testing was done.
    FrontRange is concerned about its users' security and has issued a patch
    on May 29th for their current 6.0 version, as well as their legacy 5.70
    version.

    Solution:
    FrontRange advises its clients that they should upgrade to the latest
    version of GoldMine Business Contact Manager. Please see the FrontRange
    support page for more information: http://support.frontrange.com/

    ADDITIONAL INFORMATION

    The information has been provided by Michael Scheidell
    <scheidell@secnap.net>.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
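
The DETAILS section describes a mail client that hands anything resembling HTML to the browser, including the first lines shown in the preview pane. The following is an added example, not part of the advisory and not FrontRange's fix: a mail-gateway triage check that flags messages whose body would be rendered as HTML regardless of the declared Content-Type. The tag lists, `PREVIEW_LINES`, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Heuristics (assumptions, not exhaustive): markup a browser acts on unprompted.
ACTIVE = re.compile(r"<\s*(?:script|object|embed|applet|iframe|frame|meta|base)\b"
                    r"|\bon\w+\s*=|(?:java|vb)script:", re.I)
LOOKS_HTML = re.compile(r"<\s*(?:html|head|body|script|object|iframe|img|div|table|font)\b", re.I)
PREVIEW_LINES = 10  # assumption standing in for "the first few lines" of a preview

def inspect(raw):
    """List the text parts a browser-backed mail client would render as HTML."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        # Content sniffing: a text/plain label does not help if the body looks like HTML.
        if part.get_content_subtype() != "html" and not LOOKS_HTML.search(body):
            continue
        preview = "\n".join(body.splitlines()[:PREVIEW_LINES])
        findings.append({
            "declared": part.get_content_type(),
            "active": sorted({re.sub(r"\s+", "", m.group(0).lower())
                              for m in ACTIVE.finditer(body)}),
            "in_preview": bool(ACTIVE.search(preview)),
        })
    return findings

def verdict(raw):
    """quarantine: active content; review: passive HTML; pass: plain text."""
    found = inspect(raw)
    if any(f["active"] for f in found):
        return "quarantine"
    return "review" if found else "pass"

# Constructed sample messages (no real payloads).
DISGUISED = """\
From: sender@example.com
Subject: invoice
Content-Type: text/plain

<html><body>
<script>/* constructed placeholder */</script>
</body></html>
"""
PLAIN = "From: a@example.com\nSubject: lunch\n\nBudget is < 40 USD.\n"
PASSIVE = "From: a@example.com\nContent-Type: text/html\n\n<p>See you Monday.</p>\n"

if __name__ == "__main__":
    for name, raw in (("disguised", DISGUISED), ("plain", PLAIN), ("passive", PASSIVE)):
        print(name, verdict(raw), inspect(raw))
```

The `in_preview` flag marks messages that would reach the browser from the preview pane alone, which are the ones to quarantine before delivery to unpatched clients.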

