exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

outlook032004.txt

outlook032004.txt
Posted Mar 11, 2004
Authored by Jouko Pynnonen | Site klikki.fi

Microsoft Outlook contains a vulnerability which allows execution of arbitrary code when a victim user views a web page or an e-mail message created by an attacker. According to Microsoft the affected supported versions are Microsoft Office XP SP2 and Microsoft Outlook 2002 SP 2. Some earlier versions are vulnerable too, but not supported by the vendor.

tags | advisory, web, arbitrary
SHA-256 | a99f1c18ee04688594c6a52ed176afb519764b78f2f8e40fa19a9bee468e49b3

outlook032004.txt

Change Mirror Download


OVERVIEW
========

Microsoft Outlook contains a vulnerability which allows execution of
arbitrary code when a victim user views a web page or an e-mail message
created by an attacker.



DETAILS
=======

During Outlook installation, a mailto: URL handler is registered to the
system. When a mailto: URL is opened, the system starts OUTLOOK.EXE
with the following arguments:

OUTLOOK.EXE -c IPM.Note /m "mailto:email@address"

If the URL contains a quote symbol, additional command line arguments
can be injected to OUTLOOK.EXE. The program recognizes several command
line switches. Also a startup URL to be opened by Outlook can be
supplied on command line. This URL can be a javascript: URL, and if the
"Outlook today" page is the current view in Outlook, the JavaScript
code will be executed in the "Local machine" zone. This allows an
attacker to e.g. download and start a desired EXE program.

A web page or e-mail message exploiting this flaw may contain for
instance an IMG tag to refer to a mailto: URL. The victim user need not
click on a link.

If the "Outlook today" view isn't the default view in Outlook, the
attacker can still carry out the attack by using two mailto: URLs; The
information in the mitigating factors section of Microsoft's bulletin
regarding this is inaccurate. The first mailto: URL would start
OUTLOOK.EXE and cause it to show the "Outlook today" view, and the
second one would supply the offending JavaScript code. This scenario
was verified by an exploit.

The issue is not a standard "cross site scripting" vulnerability, but a
different kind of injection attack. The exploit can inject command line
switches and arguments to OUTLOOK.EXE because quote symbols in the URL
aren't escaped or otherwise processed. This can be considered a new
vulnerability category, and further investigation has shown that
similar attacks can be carried out against other software which register
a URL handler.



AFFECTED VERSIONS
=================

According to Microsoft the affected supported versions are Microsoft
Office XP SP2 and Microsoft Outlook 2002 SP 2. Some earlier versions
are vulnerable too, but not supported by the vendor.



SOLUTION
========

Microsoft was informed on July 21st, 2003 and has released an update
to correct the problem. A bulletin describing the update can be seen
at

http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnönen,
Finland.




--
Jouko Pynnönen Web: http://iki.fi/jouko/
jouko@iki.fi GSM: +358 41 5504555
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close