‘Outlook Express 6 Security Vulnerabilities’

Summary

‘Two major security vulnerabilities have been confirmed in Outlook Express version 6. One is new to this version – the ability to execute scripted code even on plain text messages, the other is an old one – concealed attachment.’

Credit:

‘The information has been provided by Caretaker.’


Details

Vulnerable systems:
Outlook Express version 6.0

Plain text message scripting execution:
This is possibly the strangest ‘innovation’ out of the manufacturer of Outlook Express to date: Active Scripting executes inside a plain text mail message. A minimal message that triggers it:

MIME-Version: 1.0
Content-Type: text/plain;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Source: 11.09.01 http://www.malware.com

<scr!pt>alert('freak');alert('show')</scr!pt>

(NOTE: The character ! should be replaced with the character i)

The above is a legitimate RFC 822 mail message in plain text. Ordinarily an HTML mail message [Content-Type: text/html;] would be required before HTML and scripting are parsed at all. In Outlook Express 6 the above functions under a plain text Content-Type.

There appears to be a very small ‘sweet spot’ in the maximum length of the payload, measured from the opening angle bracket of the first tag to the closing angle bracket of the last. Further tests suggest a few more characters can be ‘squeezed’ in, as well as a second line below the first with roughly half as many characters. Anything beyond that is parsed as plain text (as it should be). The same tests suggest that only the <scr!pt> tag behaves this way; other tags such as <!FRAME> and <OB!ECT> (same ! for i substitution) are correctly rendered as plain text.

Carefully note: active scripting is off by default in OE6. The above should nonetheless be of interest to system administrators who block active content and HTML tags at their gateways by keying only on the Content-Type: text/html; MIME header: a message declared text/plain passes such a filter, yet OE6 still parses it for script.
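To illustrate the gateway-filtering point, here is an added example that is not part of the original advisory and not a tool its author released: a small Python check that walks every MIME part of an RFC 822 message and flags a <script> tag in any text part, shown beside the naive rule that only inspects text/html. The sample messages are constructed for this example; the plain text one carries the advisory's payload with the real tag name rather than the ! substitution, and the function and constant names are this example's own.

```python
"""Gateway-side check: look for <script> in every text part, not just text/html.

Added example (not from the advisory).  A filter keyed only on
"Content-Type: text/html" misses a text/plain body that OE6 nevertheless
parses as HTML; the corrected rule scans all text/* parts.
"""
import re
from email import message_from_string
from email.message import Message

# Opening <script ...> tag; case-insensitive, tolerates whitespace after "<"
# and requires a word boundary so "<scripts>" is not matched.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def text_parts(msg: Message):
    """Yield (content_type, decoded_text) for every text/* part of msg."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)   # undo 7bit/quoted-printable/base64
        if payload is None:
            continue
        charset = part.get_content_charset() or "us-ascii"
        yield part.get_content_type(), payload.decode(charset, errors="replace")


def find_script_parts(raw_message: str):
    """Return the content types of all text parts carrying a <script> tag."""
    msg = message_from_string(raw_message)
    return [ctype for ctype, text in text_parts(msg) if SCRIPT_TAG.search(text)]


def html_only_filter(raw_message: str) -> bool:
    """The naive gateway rule the advisory warns about: only text/html is inspected."""
    msg = message_from_string(raw_message)
    return any(ctype == "text/html" and SCRIPT_TAG.search(text)
               for ctype, text in text_parts(msg))


def any_text_filter(raw_message: str) -> bool:
    """Corrected rule: a <script> tag in any text part is flagged."""
    return bool(find_script_parts(raw_message))


# Constructed sample: text/plain message carrying the advisory's payload.
PLAIN_TEXT_SCRIPT = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain;\n"
    " charset=\"Windows-1252\"\n"
    "Content-Transfer-Encoding: 7bit\n"
    "Subject: test\n"
    "\n"
    "<script>alert('freak');alert('show')</script>\n"
)

# Constructed sample: the ordinary case, script inside a text/html alternative.
MULTIPART_HTML_SCRIPT = (
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/alternative; boundary=\"b1\"\n"
    "Subject: test\n"
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "\n"
    "Plain alternative, no markup here.\n"
    "--b1\n"
    "Content-Type: text/html; charset=\"us-ascii\"\n"
    "\n"
    "<html><body><SCRIPT>alert(1)</SCRIPT></body></html>\n"
    "--b1--\n"
)

# Constructed sample: benign plain text that merely mentions scripting.
BENIGN_PLAIN = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "Subject: test\n"
    "\n"
    "Our scripting guidelines are attached; no tags in this body.\n"
)

if __name__ == "__main__":
    for name, raw in [("plain+script", PLAIN_TEXT_SCRIPT),
                      ("multipart+html", MULTIPART_HTML_SCRIPT),
                      ("benign", BENIGN_PLAIN)]:
        print(f"{name:15} html-only={html_only_filter(raw)!s:5} "
              f"any-text={any_text_filter(raw)!s:5} parts={find_script_parts(raw)}")
```

The html-only rule passes the first message while the corrected rule flags it; both agree on the other two. Decoding each part before matching matters in practice, since a quoted-printable or base64 body would otherwise hide the tag from a raw-byte pattern.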

Working example [nothing but ‘plain text’]:
http://www.malware.com/malware.zip

Presence of an old vulnerability in Outlook Express:
You should also note with interest that a now 10-month-old vulnerability, referred to as html.dropper, has been carried over to Outlook Express 6. It allows the sender of a manufactured mail message to dictate whichever icon they desire for an attachment, concealing what the attachment actually is:

Screen shot:
A screen shot is available at: http://www.malware.com/madness.jpg

The following fully functional working example is self-explanatory and includes a harmless *.exe:

http://www.malware.com/bang.zip

Categories: Windows