lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <009501cb04ff$51c64130$010000c0@ml>
Date: Sun, 6 Jun 2010 01:33:31 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: DoS attacks on email clients via protocol handlers

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in email clients,
particularly in Outlook Express and Outlook. This advisory is related to
my series of advisories about vulnerabilities in browsers, which belong to
the group of DoS via protocol handlers.

All those who doubt that these DoS vulnerabilities in browsers and email
clients are security vulnerabilities must read my first advisory on this
topic (http://www.securityfocus.com/archive/1/511327/30/0/threaded), where I
mentioned Mozilla's MFSA 2010-23
(http://www.mozilla.org/security/announce/2010/mfsa2010-23.html), for which
CVE-2010-0181 was created
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0181). If they
consider img with mailto (via redirect) a vulnerability, then iframes with
different protocols are indeed a vulnerability (in browsers and email clients).

-----------------------------
Advisory: DoS attacks on email clients via protocol handlers
-----------------------------
URL: http://websecurity.com.ua/4255/
-----------------------------
Affected products: Internet Explorer 6 (6.0.2900.2180), Outlook Express 6
and Outlook 2002 SP-2.
-----------------------------
Timeline:

26.05.2010 - found a vulnerability in Internet Explorer 6 (whose engine is
used in Outlook Express and Outlook).
26.05.2010 - informed Microsoft about this and other vulnerabilities in IE.
29.05.2010 - found vulnerabilities in Outlook Express and Outlook.
02.06.2010 - disclosed at my site.
-----------------------------
Details:

Last month I wrote about multiple DoS vulnerabilities in Firefox, Internet
Explorer, Chrome, Opera and other browsers via protocol handlers.

And after Vladimir Dubrovin aka 3APA3A drew my attention to the fact that
these attacks can be made via email
(http://www.securityfocus.com/archive/1/511539/30/0/threaded), I decided to
check how vulnerable email clients are to these attacks. I.e., I checked the
possibility of attacks not via webmail (which directly concerns the
mentioned vulnerabilities in browsers), but via desktop email clients. These
are possible due to the same vulnerabilities in browsers, because email
clients often use browser engines for showing HTML letters.

I checked these vulnerabilities in Outlook Express and Outlook; similar
attacks are potentially possible in other email clients (the built-in email
client in Opera 9.52 is not affected). So anyone who wishes can check these
vulnerabilities in other clients, e.g. in Thunderbird and SeaMonkey.

I found Denial of Service vulnerabilities in Microsoft Outlook Express and
Outlook, which are identical to the vulnerabilities in Internet Explorer 6.
Taking into account that these email clients use the IE engine for showing
HTML letters, these attacks are Cross-Application DoS
(http://websecurity.com.ua/2600/).

The attacks work in Outlook Express and Outlook only when the Internet zone
(OE) / Internet (Outlook) option is selected for the IE security zone. Taking
into account that the Restricted sites zone is set by default, all users who
are using the default settings are safe.

DoS:

http://websecurity.com.ua/uploads/2010/IE,%20OE%20&%20Outlook%20DoS%20Exploit.html

This exploit uses a small number of iframes with the firefoxurl protocol and
crashes IE6, OE and Outlook.

In OE and Outlook the attack works via iframe with the mailto, news, nntp and
firefoxurl protocols (and also with other protocols, if handlers for the
corresponding protocols are installed in the system), but the attack via
iframe with the gopher protocol doesn't work.

In OE these exploits trigger both on preview of the letters and on opening
them. In Outlook the exploit with iframe with mailto triggers only on
opening the letter, while the exploits with iframe with news, nntp and
firefoxurl trigger both on preview of the letters and on opening them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
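The following is an added example, not MustLive's exploit page and not code from the original post. It shows the shape of the HTML mail body the post describes (a handful of iframes whose src uses a protocol handler such as firefoxurl, mailto, news or nntp) next to the check a mail gateway or client-side filter would want: scan an incoming HTML body for iframes whose scheme is anything other than plain http(s). The target strings after each scheme are constructed placeholders; the post gives no specific URL, and the markup is inert outside the affected engine (IE6 rendering in the Internet zone).

```javascript
// Added example. Protocol names are the ones the post reports as triggering
// the crash in OE/Outlook; everything after the scheme is a constructed
// placeholder, not taken from the original exploit page.
const TRIGGER_SCHEMES = ["firefoxurl", "mailto", "news", "nntp"];

// Build a test body with `perScheme` iframes for each scheme. This is the
// structure the post describes: a small number of iframes pointing at
// external protocol handlers, nothing more.
function buildTestBody(schemes = TRIGGER_SCHEMES, perScheme = 3) {
  const frames = [];
  for (const scheme of schemes) {
    for (let i = 0; i < perScheme; i++) {
      // Constructed placeholder target (hypothetical, not from the post).
      frames.push(`<iframe src="${scheme}://test${i}"></iframe>`);
    }
  }
  return `<html><body>\n${frames.join("\n")}\n</body></html>`;
}

// Extract the URL scheme of every <iframe ... src=...> in an HTML string.
// Regex-based on purpose: a gateway filter runs before any rendering engine
// sees the body, so it cannot rely on a DOM. Case-insensitive, tolerant of
// whitespace around "=" and of single, double or missing quotes.
function iframeSchemes(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']?\s*([a-z][a-z0-9+.-]*):/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[1].toLowerCase());
  }
  return out;
}

// Return the schemes of iframes that point at something other than an
// allowed web scheme. A frame whose src hands off to an external protocol
// handler has no legitimate place in an HTML letter, so the filter flags
// every non-http(s) scheme rather than keeping a list of known-bad ones
// (the post notes that other installed handlers work too).
function findHandlerIframes(html, allowed = ["http", "https"]) {
  return iframeSchemes(html).filter((s) => !allowed.includes(s));
}

// Constructed sample of a benign letter with an obfuscated handler frame.
const SAMPLE_LETTER =
  '<p>Invoice attached.</p>\n' +
  '<iframe src="http://example.invalid/tracker"></iframe>\n' +
  "<IFRAME SRC = 'MAILTO:nobody@example.invalid'></IFRAME>";

module.exports = { TRIGGER_SCHEMES, buildTestBody, iframeSchemes, findHandlerIframes, SAMPLE_LETTER };
```

Running `findHandlerIframes(buildTestBody())` returns twelve entries (three per scheme), and the same check over `SAMPLE_LETTER` returns only `["mailto"]`, since the http iframe is allowed. Blocking or stripping on a non-empty result is the gateway-side equivalent of the Restricted sites zone default the post credits with keeping users safe.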
