lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 10 Jan 2008 22:28:34 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: <bugtraq@...urityfocus.com>
Subject: At long last -- Extra Outlooks!

As long as Outlook has been around, people have been trying to get two
instances running at the same time. Not multiple profiles that you can
load when starting Outlook, but two separate instances running
concurrently, each with their own associated profile. After all, Outlook
(even 2007) only lets you connect to a single Exchange server per
profile... And that sucks. 
What would be great is to have one instance connected up to your
"business" Exchange Server, and another connected up to your "personal"
Exchange Server (and of course, to other people's Exchange servers who
don't you know have an account on their box ;). 
If you've tried to do this, you've found that no matter what you do, you
can't run two (or more) Outlooks at the same time, even if you try
renaming .exe's, using command-line profile specifications, or any other
tricks.

However, while futzing around one day trying to get two Outlooks
running, I had what I thought was a great idea -- I'd configure a
separate profile for Outlook under a different user account, and then
use "RunAs" to launch Outlook as that user, and all of my dreams would
come true. Boy, was I excited.

Well, it didn't work. In fact, it didn't work so well that it scared me.

When Outlook was launched via "RunAs" (no matter whether I executed
Outlook.exe in a secondary "RunAs" command prompt or directly from the
the interactive session), what happened was that a separate instance of
Outlook did indeed launch, but it displayed the "concurrent" user's
folders and NOT those of the user used to RunAs - no matter how you
launched it! If during this time you viewed Task Manager, you would find
that even though you saw two differnt windows running, and though you
could interact with them individually (meaning, you could open different
sets of folders in each separately, but they were for the same user) you
only saw one instance of the .exe running. The first thing I thought was
"Voodoo!!" I then said to myself, "Self, even though you launched it in
a completely different user context, it hopped out of that user's space
and hijacked your concurrent logon's files! WTF?" 

During last year's Microsoft Ninjitsu training at Black Hat Vegas, I
brought it up to my class and we all concurred that voodoo was afoot -
even some Microsoft guys (who shall remain nameless) thought so and told
me to STFU and to contact MSRC before talking about it anymore since it
looked like Outlook was actually crossing user context borders.
True to "responsible disclosure," I called upon the skillz of Jason
Geffner, a "reverse engineer" I work with at NGSSoftware. Jason is one
of those irritatingly smart people that can do anything, so I knew he'd
help me out (Actually, we've got lots of people like that at NGS ;). As
it turns out, Outlook is doing nothing close to what I feared.
Basically, the second instance sees that another Outlook window is
running in the same interactive logon space, and when it starts, it just
calls another popup in the previous Outlook space and then terminates
itself (that's close enough, anyway). The good news is that there is no
"user hopping" or "boundary crossing" here. A more detailed explanation
of the actual technical process is available on Jason's site:
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2007/08
/10/234.aspx

The really good news is that Jason was able to intercept the exit
process and patch the FindWindowA call to a NULL value, which started a
completely separate Outlook instance and allowed a different profile to
be selected on load! W00t! So, without further adieu, we are proud to
present you with our "ExtraOutlook" tool that allows you to launch as
many Outlook instances as you want. All you have to do is configure the
profiles you want, and then type: ExtraOutlook.exe "C:\Program
Files\Microsoft Office\Office12\OUTLOOK.EXE" (after you download it, of
course).

Attendees of past Microsoft Ninjitsu classes have been using it for some
time now (as all attendees get special access to the Hammer of God
Member's Site) and we've not heard of any catastrophic failures (you
know, like having all mailbox data destroyed without any hope of
recovery). 

"ExtraOutlook" is available from: 
http://hammerofgod.com/download.html

Of course, use it at your own risk, and all standard warnings and
disclaimers apply. Go nuts.


t

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ