[NT] Outlook 2003 File Upload And Execution Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/04
To: list@securiteam.com Date: 12 May 2004 18:10:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Outlook 2003 File Upload And Execution Vulnerability
------------------------------------------------------------------------
SUMMARY
Microsoft Outlook provides an integrated solution for managing and
organizing e-mail messages, schedules, tasks, notes, contacts, and other
information.
A vulnerability in Outlook 2003 allows the sender of an e-mail message to
place a file in a well-known location on the recipient's system. The
recipient can then be tricked into opening that file, at which point
arbitrary code can execute on the machine.
DETAILS
Vulnerable Systems:
* Microsoft Outlook 2003
There is a fundamental design flaw in the way Outlook stores files on the
user's machine. For example, Outlook will copy a file into a well-known
location, with the specified name:
<img src="malware.htm" style="display:none">
The above image link can be placed inside an HTML Email message. When a
user opens the message and replies, the file is copied into that user's
local temp folder and can be found at:
C:\Documents and Settings\<user name>\Local Settings\Temp\malware.htm
In order to exploit this, the user must be tricked into executing the file
somehow. This can be done by sending another message with a spoofed URL
that is pointing to the malicious file uploaded in the previous step. What
makes this vulnerability exploitable is the fact that the attacker doesn't
have to know the victim's username in order to reach the file on the
victim's machine. It is possible to use a spoofed URL in the following
form:
<a href="shell:user profile\\local settings\\temp\\malware.htm">http://office.microsoft.com/</a>
This is an equivalent way of reaching the same location in the file
system. When the user clicks the link, the uploaded file will be executed.
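A mail-filter check for the two markup patterns described above, as an added example that is not part of the original advisory. The class name, rule names, image-extension list and sample messages are assumptions made for illustration; the samples are constructed from the markup quoted in the advisory.

```python
from html.parser import HTMLParser
from os.path import splitext

# Extensions accepted as inline images (an assumption of this example).
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}

class AdvisoryPatternScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = (a.get("src") or "").strip()
            ext = splitext(src.split("?", 1)[0])[1].lower()
            # Rule 1: scheme-less src (a bare file name) that is not an image.
            if ":" not in src and ext and ext not in IMAGE_EXTS:
                style = (a.get("style") or "").replace(" ", "").lower()
                self.findings.append(("img-non-image-src", src, "display:none" in style))
        elif tag == "a":
            self._href, self._text = (a.get("href") or "").strip(), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip().lower()
            # Rule 2: shell: href; flag is True when the text poses as a web URL.
            if self._href.lower().startswith("shell:"):
                spoofed = text.startswith(("http://", "https://"))
                self.findings.append(("shell-scheme-link", self._href, spoofed))
            self._href = None

def scan_html(body):
    """Return (rule, value, aggravating_flag) tuples for one HTML body."""
    scanner = AdvisoryPatternScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

# Constructed samples built from the markup quoted in the advisory.
MSG_1 = '<p>Hi</p><img src="malware.htm" style="display:none">'
MSG_2 = ('<a href="shell:user profile\\\\local settings\\\\temp\\\\malware.htm">'
         'http://office.microsoft.com/</a>')
```

Each finding's third field marks the aggravating condition from the advisory: a hidden image for rule 1, link text that looks like a web URL for rule 2.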
ADDITIONAL INFORMATION
The information has been provided by http-equiv (Malware)
<1@malware.com>.