Windows Live Mail 2011 runs rogue C:\Program.exe when opening associated URLs

2014.08.17
Credit: Stefan Kanthak
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll, the following command lines associated with the URL protocols of Windows Live Mail 2011 (15.4.3538.513) WLMail.Url.Mailto=C:\Program Files (x86)\Windows Live\Mail\wlmail.exe /mailurl:"%1" WLMail.Url.news=C:\Program Files (x86)\Windows Live\Mail\wlmail.exe /newsurl:"%1" WLMail.Url.nntp=C:\Program Files (x86)\Windows Live\Mail\wlmail.exe /newsurl:"%1" WLMail.Url.snews=C:\Program Files (x86)\Windows Live\Mail\wlmail.exe /newsurl:"%1" execute the rogue programs "C:\Program.exe", "C:\Program Files\Windows.exe" (on x86) resp. "C:\Program Files.exe" or "C:\Program Files (x86)\Windows.exe" (on x64) with the credentials of the user whenever the user opens one of the associated URLs. From <http://msdn.microsoft.com/library/cc144175.aspx> or <http://msdn.microsoft.com/library/cc144101.aspx>: | Note: If any element of the command string contains or might contain ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | spaces, it must be enclosed in quotation marks. Otherwise, if the ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | element contains a space, it will not parse correctly. For instance, | "My Program.exe" starts the application properly. If you use | My Program.exe without quotation marks, then the system attempts to | launch My with Program.exe as its first command line argument. Since every user account created during Windows setup has administrative rights every user owning such an account can create the rogue program(s), resulting in a privilege escalation. JFTR: no, the "user account control" is not a security boundary! From <http://support.microsoft.com/kb/2526083>: | Same-desktop Elevation in UAC is not a security boundary and can be hijacked | by unprivileged software that runs on the same desktop. Same-desktop | Elevation should be considered a convenience feature, and from a security | perspective, "Protected Administrator" should be considered the equivalent | of "Administrator." JFTR: if you or your customers, family etc. still use Windows Live Mail 2011, see <https://technet.microsoft.com/library/security/ms13-045> and upgrade to Windows Live Mail 2012 ASAP! regards Stefan Kanthak PS: the associations for .eml and .nws DONT show this beginners error: WindowsLiveMail.Email.1="C:\Program Files (x86)\Windows Live\Mail\wlmail.exe" /eml:%1 WindowsLiveMail.News.1="C:\Program Files (x86)\Windows Live\Mail\wlmail.exe" /nws:%1 Unfortunately their argument %1 is not quoted, see above!

References:

http://seclists.org/fulldisclosure/2014/Aug/43
https://technet.microsoft.com/library/security/ms13-045
http://support.microsoft.com/kb/2526083


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top