Re: O UT LO OK E XPRE SS 6 .00 : broken

[Thor Larholm]

Outlook Express is not the only vulnerable product.

The culprit here is the codebase localPath vulnerability which was patched
in Internet Explorer by MS02-015 in March 2002. GreyMagic had more fun with
this at http://security.greymagic.com/adv/gm001-ie/ which is also the origin
of the example displayed.

MS02-015 crippled codeBase quite severely in Internet Explorer, completely
removing most of its functionality in the Internet Zone. It is still
possible to use this vulnerability in Internet Explorer in any local
security zone, but getting to that zone in the first place is in itself an
obstacle.

Whatever Microsoft patched in MS02-015 (crippling codeBase in the Internet
Zone to avoid the command execution vulnerability) was only applied to the
IE-specific parts of MSHTML and not to any shared parts that thirdparty
programs such as Outlook and Outlook Express utilize. This despite our
impression that MS02-015 removed the problem.

This is apparent if you examine Outlook 2000 which can also execute
arbitrary commands automatically upon reading mails if you have set the
security zone to the Internet Zone - just like Outlook Express as displayed
by http-equiv

The default security zone for Outlook 2000 is the Internet Zone. It is first
after you apply Office 2000 Service Pack 3 that the default zone is changed
to the Restricted zone, so remember either to apply O2KSP3 or manually
change your zone settings to Restricted at your earliest convenience.

Does Eudora still use the Internet Zone for viewing HTML mail? If so, it is
also still vulnerable to the codeBase command execution vulnerability, like
any other application that is embedding MSHTML.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html


- Original Message -
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 22, 2003 4:36 PM
Subject: O UT LO OK E XPRE SS 6 .00 : broken


> Saturday, February 22, 2003
>
> Technical silent delivery and installation of an executable no client
> input other than reading an email or viewing a newsgroup message.
> Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.

Rest of original http-equiv post at
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0302&L=ntbugtraq&F=P
&S=&P=5888

The rest was snipped to avoid barking from premenstrual antivirus scanners.

O UT LO OK E XPRE SS 6 .00 : broken

[[EMAIL PROTECTED]]

Saturday, February 22, 2003

Technical silent delivery and installation of an executable no client 
input other than reading an email or viewing a newsgroup message. 
Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.

This should not be possible.

When viewing an email message or a newsgroup message, Outlook Express 
creates a temp file in the Internet Explorer cache.  From here 
security should be governed by Internet Explorer's security settings.

In an html email with internet zone applied, this will not function:



[screen shot: http://www.malware.com/tsktsk.png 11KB]

In an html email message or newsgroup message with internet zone 
applied this will function:

  


courtesy of: http://sec.greymagic.com/adv/gm001-ie/

[screen shot: http://www.malware.com/tsktsktsk.png 11KB]

NOTE: that default installations of Outlook Express 6.00 are with 
restricted zone applied.  However there still remain many 'happy 
people' out there that enjoy their html mail messages and html 
newsgroup messages, and coupling the above with any one of a million 
other unsolved problems now and in the future with Internet Explorer 
and Outlook Express, including a new 
http://www.malware.com/stench.html we are back in business.

Notes: This is supposed to be patched: 
http://microsoft.com/technet/security/bulletin/MS02-015.asp 28 March 
2002

Keywords: experts Academic Advisory Board Think Tank security concepts

-- 
http://www.malware.com