lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20080709083749.GA14491@trinidad.local>
Date: Wed, 9 Jul 2008 10:37:51 +0200
From: Alexander Klink <alexander@...nk.name>
To: bugtraq@...urityfocus.com
Subject: Re: Unauthorized reading confirmation from Outlook

Hi Augusto,

On Thu, Jul 03, 2008 at 04:48:17PM -0400, Augusto Paes de Barros wrote:
> I've just got an interesting idea about how a malicious e-mail sender
> could try to get a unseen by the recipient reading confirmation,
> including the IP address of the recipient. I was working on S/MIME
> messages and I thought about the signature validation process, where
[...]

> that is embedded in the signed message. A specially crafted
> certificate (not from a trusted CA) can be generated with an AIA
> (Authority Information Access) extension containing an URL controlled
> by the malicious sender. By doing that the sender will immediately
[...]

You seem to have rediscovered the issue that I reported on full-disclosure
on April 1st - see
https://www.cynops.de/advisories/AKLINK-SA-2008-002.txt
https://www.cynops.de/advisories/AKLINK-SA-2008-003.txt
https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
https://www.cynops.de/techzone/http_over_x509.html

Note that Office 2008, Microsoft Live Mail and Microsoft Mail on Vista
are also affected.

For those of you who want to try that out, you can send an empty email
to smime-http@...nk.name, which will send you back an email that
will trigger the vulnerability and provide you with a link to check
whether the HTTP request reached my server.

I have also talked at this year's EuSecWest about this issue (and some
others), see the slides here:
http://eusecwest.com/esw08/esw08-klink.pdf

> Microsoft was notified about this issue last May.

>From your blog entry I assume this is actually this May (May 2008)?
They have known since mid-January, tested a bit in February but have not
responded to my mails on how they intend to fix it ...

Cheers,
  Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ