24th Feb 2003 [SBWID-6020]
COMMAND
IE Shared codebase of (eg. in Outlook) allows silent delivery and exec
of code
SYSTEMS AFFECTED
Windows current ?? (as of 24 Februrary 2003)
PROBLEM
http-equiv [[email protected]] [http://www.malware.com] posted :
Technical silent delivery and installation of an executable no client
input other than reading an email or viewing a newsgroup message.
Outlook Express 6.00 SP1 Cumulative Pack 1 2 3 4 whatever.
This should not be possible.
When viewing an email message or a newsgroup message, Outlook Express
creates a temp file in the Internet Explorer cache. From here security
should be governed by Internet Explorer's security settings.
In an html email with internet zone applied, this will not function:
<o bject classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
code base="C:WINDOWSFTP.EXE"></object>
[screen shot: http://www.malware.com/tsktsk.png 11KB]
In an html email message or newsgroup message with internet zone
applied this will function:
<xml id=oExec> <security><exploit> <![CDATA[ <o bject id="oFile"
classid="clsi d:1 1 1 1 1 1 1 1-1 1 1 1-1 1 1 1-1 1 1 1"
code base="C:WINDOWSFTP.EXE"></object>]]></exploit></security></xml>
<SPAN dataFld=exploit dataFormatAs=html
dataSrc=#oExec></SPAN>
courtesy of: http://sec.greymagic.com/adv/gm001-ie/
[screen shot: http://www.malware.com/tsktsktsk.png 11KB]
NOTE: that default installations of Outlook Express 6.00 are with
restricted zone applied. However there still remain many 'happy people'
out there that enjoy their html mail messages and html newsgroup
messages, and coupling the above with any one of a million other
unsolved problems now and in the future with Internet Explorer and
Outlook Express, including a new http://www.malware.com/stench.html we
are back in business.
Notes: This is supposed to be patched:
http://microsoft.com/technet/security/bulletin/MS02-015.asp 28 March 2002
-Also-
Thor Larholm PivX Solutions [http://www.pivx.com], LLC - Senior
Security Researcher explains :
The culprit here is the codebase localPath vulnerability which was
patched in Internet Explorer by MS02-015 in March 2002. GreyMagic had
more fun with this at http://security.greymagic.com/adv/gm001-ie/ which
is also the origin of the example displayed.
MS02-015 crippled codeBase quite severely in Internet Explorer,
completely removing most of its functionality in the Internet Zone. It
is still possible to use this vulnerability in Internet Explorer in any
local security zone, but getting to that zone in the first place is in
itself an obstacle.
Whatever Microsoft patched in MS02-015 (crippling codeBase in the
Internet Zone to avoid the command execution vulnerability) was only
applied to the IE-specific parts of MSHTML and not to any shared parts
that thirdparty programs such as Outlook and Outlook Express utilize.
This despite our impression that MS02-015 removed the problem.
This is apparent if you examine Outlook 2000 which can also execute
arbitrary commands automatically upon reading mails if you have set the
security zone to the Internet Zone - just like Outlook Express as
displayed by http-equiv
The default security zone for Outlook 2000 is the Internet Zone. It is
first after you apply Office 2000 Service Pack 3 that the default zone
is changed to the Restricted zone, so remember either to apply O2KSP3
or manually change your zone settings to Restricted at your earliest
convenience.
Does Eudora still use the Internet Zone for viewing HTML mail? If so,
it is also still vulnerable to the codeBase command execution
vulnerability, like any other application that is embedding MSHTML.
SOLUTION
?