[NT] Microsoft Outlook "mailto:" Parameter Passing Vulnerability (MS04-009)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/10/04
To: list@securiteam.com Date: 10 Mar 2004 11:04:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Outlook "mailto:" Parameter Passing Vulnerability (MS04-009)
------------------------------------------------------------------------
SUMMARY
Microsoft Outlook provides an integrated solution for managing and
organizing e-mail messages, schedules, tasks, notes, contacts, and other
information.
A security vulnerability exists within Outlook 2002 that could allow
Internet Explorer to execute script code in the Local Machine zone on an
affected system. The parsing of specially crafted mailto URLs by Outlook
2002 causes this vulnerability. To exploit this vulnerability, an attacker
would have to host a malicious Web site that contained a Web page designed
to exploit the vulnerability and then persuade a user to view the Web
page.
The attacker could also create an HTML e-mail message designed to exploit
the vulnerability and persuade the user to view the HTML e-mail message.
After the user has visited the malicious Web site or viewed the malicious
HTML e-mail message an attacker who successfully exploited this
vulnerability could access files on a user's system or run arbitrary code
on a user's system. This code would run in the security context of the
currently logged-on user. Outlook 2002 is available as a separate product
and is also included as part of Office XP.
DETAILS
Affected Software:
* Microsoft Office XP Service Pack 2 - Download the update
* Microsoft Outlook 2002 Service Pack 2 - Download the update
Non Affected Software:
* Microsoft Office 2000 Service Pack 3
* Microsoft Office XP Service Pack 3
* Microsoft Office 2003
* Microsoft Outlook 2000 Service Pack 3
* Microsoft Outlook 2002 Service Pack 3
* Microsoft Outlook 2003
Mitigating factors:
* When an Outlook profile is first created and at least one e-mail
account is set up during the initial configuration of the profile, the
default folder home page is automatically changed from "Outlook Today" to
"Inbox."
* Users are only at risk from this vulnerability when the "Outlook Today"
home page is their default folder home page. This is the default
configuration when an Outlook profile is created without any e-mail
accounts.
* Users are only at risk from this vulnerability when Outlook 2002 is
configured as the default mail reader and when the "Outlook Today" home
page is their default folder home page. Installing other e-mail clients
may change this configuration as they can register themselves as the
default mail reader on the system.
* If an attacker exploited this vulnerability, the attacker would gain
only the same privileges as the user. Users whose accounts are configured
to have few privileges on the system would be at less risk than users who
operate with administrative privileges.
Details:
Insufficient filtering of parameters passed to Microsoft Corp.'s Outlook
e-mail client via the "mailto:" URI (RFC 2368) allows for remote script
execution within the "Local Machine" zone. When Outlook is installed, it
is enabled as the default e-mail handler. A "mailto:" URI will spawn
Outlook with the following command line switches:
OUTLOOK.EXE -c IPM.Note /m "...
The problem manifests when a double-quote character ('"') is embedded
within the URI: it terminates the quoted argument, allowing an attacker to
manipulate the command line switches that Outlook is instantiated with.
The following example URI:
...mailto:aa" /profile "xx" ...
causes Internet Explorer to start Outlook as such:
OUTLOOK.EXE -c IPM.Note /m "aa" /profile "xx"
If the "Outlook Today" view is the starting view, an attacker can
manipulate Outlook to start with a specified URL. In a default
installation, this is the case. The URL can be of the form
'javascript:...', allowing an attacker to execute arbitrary script code.
In some implementations, this script code executes under the context of
the "Local Machine" zone. An attacker does not need to socially engineer a
target user into clicking on a malicious link, as the process can be
started automatically by embedding the "mailto:" URI within an HTML <IMG>
tag.
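As an added illustration (not code from the advisory, iDEFENSE or Microsoft), this Python model shows why pasting the URI into a quoted command-line argument is unsafe, a hardened handler that percent-encodes the quote and passes the URI as its own argv element, and a content check that flags the two patterns the advisory describes (a quote inside a mailto value, and a mailto used as an <IMG> source). The command-line template and the "/profile" placeholder come from the text above; treating the whole URI as the /m argument and the sample HTML are assumptions.

```python
import re
import shlex
from urllib.parse import unquote

# Constructed samples: a benign URI and one with the embedded-quote shape the advisory shows.
BENIGN = 'mailto:alice@example.com?subject=Hello'
INJECTED = 'mailto:aa" /profile "xx'
TEMPLATE = ['OUTLOOK.EXE', '-c', 'IPM.Note', '/m']

def vulnerable_command_line(uri):
    """Model of the unfiltered handler: the URI is pasted into a quoted
    argument, so a '"' inside it closes the quote and the rest is parsed
    as further switches (assumption: the whole URI is the /m argument)."""
    return ' '.join(TEMPLATE) + f' "{uri}"'

def injected_switches(cmdline):
    """Tokenise a resulting command line as a command parser would and
    return every token past the template and its single /m argument."""
    return shlex.split(cmdline)[len(TEMPLATE) + 1:]

def hardened_argv(uri):
    """Hardened handler: require the mailto scheme, reject control characters,
    percent-encode '"' (RFC 2368 requires unsafe characters to be encoded)
    and pass the URI as its own argv element so nothing re-splits it."""
    if not uri.lower().startswith('mailto:'):
        raise ValueError('not a mailto URI')
    if any(ord(ch) < 0x20 for ch in uri):
        raise ValueError('control character in mailto URI')
    return TEMPLATE + [uri.replace('"', '%22')]

TAG_RE = re.compile(r'<(\w+)([^>]*)>')
ATTR_RE = re.compile(r'\b(href|src)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))',
                     re.IGNORECASE)

def suspicious_mailto_refs(html):
    """Detection over HTML mail or page content: flag mailto values carrying a
    raw or percent-encoded '"', and any mailto used as an <IMG> source."""
    findings = []
    for tag in TAG_RE.finditer(html):
        name, attrs = tag.group(1).lower(), tag.group(2)
        for a in ATTR_RE.finditer(attrs):
            value = a.group(2) or a.group(3) or a.group(4) or ''
            if not value.lower().startswith('mailto:'):
                continue
            if '"' in unquote(value):
                findings.append(('quote-in-mailto', value))
            if name == 'img':
                findings.append(('mailto-in-img', value))
    return findings
```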
Workaround:
Microsoft recommends the following workaround strategies:
- Do not use "Outlook Today" as the default home page in Outlook 2002.
- If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read
e-mail messages in plain text format to help protect yourself from the
HTML e-mail attack vector.
Specific details for implementing these workarounds can be found in the
MS04-009 advisory.
The Microsoft advisory states that the "Outlook Today" home page "is only
the default folder home page when an Outlook profile is originally
configured without any e-mail accounts". Our testing has shown that the
default view is only changed from "Outlook Today" to "Inbox" when email
accounts are added via the wizard that appears when Outlook is first
launched. The default view does not change when email accounts are added
via either the "Tools...E-Mail Accounts" menu within Outlook or
"Start...Control Panel...Mail...E-Mail Accounts". This remains true for
Outlook 2002 SP3.
Solution:
Microsoft has released the following patches to address this issue:
Microsoft Office XP Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
Microsoft Outlook 2002 Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
Disclosure timeline:
October 10, 2003 Vulnerability acquired by iDEFENSE
November 12, 2003 Initial vendor notification
November 12, 2003 Initial vendor response
November 21, 2003 iDEFENSE clients notified
March 09, 2004 Coordinated public disclosure
What is the scope of the vulnerability?
A privilege elevation vulnerability exists in the way Outlook 2002
handles mailto URLs, which could allow Internet Explorer to execute
script in the Local Machine Zone on an affected system. Outlook 2002 is
available as a separate product and is also included as part of Office XP.
An attacker who successfully exploited this vulnerability could access
files on a user's system or run arbitrary code on a user's system.
Users are only at risk from this vulnerability when the "Outlook Today"
home page is their default folder home page. The "Outlook Today" home page
is only the default folder home page when an Outlook profile is originally
configured without any e-mail accounts. When an Outlook profile is first
created, for instance when Outlook is started for the first time, and at
least one e-mail account is set up during the initial configuration of the
profile, the default folder home page is automatically changed from
"Outlook Today" to "Inbox".
What causes the vulnerability?
The vulnerability is caused by the way a mailto URL is interpreted by
Outlook 2002. By creating a specially formatted mailto URL it is possible
to get Outlook 2002 to interpret the URL in a manner that could allow code
execution.
What is a mailto URL?
The mailto URL scheme is defined in RFC 2368. The RFC states that "The
mailto URL scheme is used to designate the Internet mailing address of an
individual or service. In its simplest form, a mailto URL contains an
Internet mail address. For greater functionality, because interaction with
some resources may require message headers or message bodies to be
specified as well as the mail address, the mailto URL scheme is extended
to allow setting mail header fields and the message body."
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause
Internet Explorer to execute script in the Local Machine Zone on an
affected system. An attacker who exploited this vulnerability could access
files on a user's system or run arbitrary code on a user's system.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious
Web site that contained a Web page designed to exploit the vulnerability
and then persuade a user to view the Web page. The attacker could also
create an HTML e-mail message designed to exploit the vulnerability and
persuade the user to view the HTML e-mail message.
What systems are primarily at risk from the vulnerability?
Users who use Outlook 2002 as their default e-mail client and who have
"Outlook Today" as their default folder home page are primarily at risk
from this vulnerability.
I am using Outlook 2002, how do I know whether I am vulnerable?
The "Outlook Today" home page is only the default folder home page when an
Outlook profile is originally configured without any e-mail accounts. When
an Outlook profile is first created, for instance when Outlook is started
for the first time, and at least one e-mail account is set up during the
initial configuration of the profile, the default folder home page is
automatically changed from "Outlook Today" to "Inbox".
You can verify what default folder home page you have in Outlook by
following these steps:
1. In Outlook 2002, click Options in the Tools menu.
2. Under the tab Other choose Advanced Options.
3. "Startup in this folder:" would typically say "Inbox" but it could also
be set to Outlook Today or any other Outlook folder.
If "Startup in this folder" is set to "Outlook Today" and you do use
Outlook for e-mail, it is recommended that you set it to your "Inbox"
instead.
Is Office 2000 or Office 2003 affected by this vulnerability?
No. These versions have been tested and have been found not to be affected
by this vulnerability.
Are any versions of Outlook Express affected by this vulnerability?
No. However, if Outlook 2002 is configured as the default e-mail reader on
that system, reading a malicious HTML e-mail message with any version of
Outlook Express could allow the malformed mailto URL to be passed to
Outlook 2002. For Outlook Express 6 Service Pack 1 or greater, reading
e-mail messages in plain text can be used as a workaround for this type of
attack. For more information please see the Workarounds section in this
document.
What does the update do?
The update modifies the way that the mailto URL is processed by Outlook
2002.
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE
(idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.