exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

outlooksilent.txt

outlooksilent.txt
Posted May 18, 2004
Authored by http-equiv

Microsoft Outlook 2003 allows for a security zone bypass when an embedded OLE object with a reference to a Windows media file in a Rich Text Format (RTF) message is received.

tags | advisory
systems | windows
SHA-256 | 5bf5bc65e12021c3781270decf58bd776d636f05498f59327d50d8ef47731e58

outlooksilent.txt

Change Mirror Download
Monday, May 17, 2004

Technical final step to 'silent delivery and installation of an
executable on the target computer, no client input other than
reading an email' this can be achieved with the highly
touted 'secure-by-default' Outlook 2003 mail client from the
craftsman known as 'Microsoft'.

Default settings of the 'gadget' are: restricted zone which
means no active x controls, no scripting, no file downloads etc.

This can all very easily be bypassed by simply embedding in a
rich text message our OLE object, one Windows Media Player. We
then point our source url to our media file which includes or
now run-of -the mill 0s url flip and simply by previewing or
opening the email message invoke our device known as Internet
Explorer to proxy our manipulation of the recipient's machine.

In typical fashion despite the settings in the Windows Media
Player being set to 'disallow' scripting in media files, despite
Outlook 2003's 'highly' secure default setting of view html
content in the so-called 'restricted zone'; it all still works !

[screen shot: http://www.malware.com/rockitman.png 46KB]

This now all automates our process and coupling it with our
previous first step finding:

[http://www.securityfocus.com/bid/10307]

all we need to do next is our second step and embed the entire
package including the media file into the mail message and send
it along its merry way.

The whole Outlook 2003 'gadget' is broken.

Working Example:

Simply view the mail message:

http://www.malware.com/rockIT.zip

Notes:

1. Miserable selection of full screen = true can allow us to run
our 'video' in WMP full screen mode. How about that: forget
about html spam messages, now we have full screen video
advertisements on opening the mail message.
2. Tested on XP, 2K3 POP mail client settings Outlook 2003,
Exchange Server settings unknown at this time
3. Subject to initial WMP settings a notification of connection
settings can pop up, however generally dismissed at first
running of WMP along with neither yes or no selection having an
effect [as usual].
4. Firewalls should flag Outlook itself trying to escape out on
port 80. Nevertheless if all embedded no need for remote hosting.
5. Disable HTML settings or get another mail client [better of
the two as below]
6. Lots more where this came from


End Call

--
http://www.malware.com
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close