Bugtraq mailing list archives

FREAK SHOW: Outlook Express 6.00


From: "http-equiv () excite com" <http-equiv () excite com>
Date: Wed, 12 Sep 2001 10:39:29 -0700 (PDT)

Wednesday, September 12, 2001

[A] Possibly the strangest "innovation" out of the manufacturer of Outlook
Express to date. The ability to execute Active Scripting in a plain text
mail message:

MIME-Version: 1.0
Content-Type: text/plain;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Source: 11.09.01  http://www.malware.com

<script>alert("freak");alert("show")</script>

The above is a legitimate RFC822 mail message in plain text. Ordinarily one
would require an html mail message [Content-Type: text/html;] to parse html
and scripting. The above functions under a plain text mail message in
Outlook Express 6.00.

It appears to be a very small 'sweet spot' about the maximum length of the
above characters from each opening angle bracket to closing angle bracket.
Additional tests suggest a few more characters can be 'squeezed' in, as well
as a second line below it with about half the number of characters. Any
additional characters then cause the entire message to be parsed as plain text (as it
should be). Additionally, it appears from these tests that only the <script>
tags function like this; other tags (<IFRAME>, <OBJECT> etc.) parse correctly
as plain text.

Carefully Note: active scripting is off by default in OE 6.00. The above may
be of interest to SAs who might block active content and html tags at their
gateways using only the Content-Type: text/html; MIME header.

Working Example [nothing but 'plain text']:

http://www.malware.com/malware.zip

Tested on: Windows 98 and RTM Build of Windows XP with the release version
of Outlook Express 6.00


[B] We also note with interest that a now 10-month-old vulnerability,
referred to as html.dropper [see: http://www.securityfocus.com/bid/2260], has
been carried over to Outlook Express 6.00. This allows the sender of a
manufactured mail message to dictate whichever icon they desire for an
attachment:

screen shot: http://www.malware.com/madness.jpg (20KB)

The following fully functional working example is most definitely
self-explanatory and includes a harmless *.exe

http://www.malware.com/bang.zip

Tested on: Windows 98 and RTM Build of Windows XP with the release version
of Outlook Express 6.00

According to reliable third-party sources, the manufacturer is fully aware
of this and was updated as recently as 10 days ago. It is understood (and
appreciated) that they are inundated with an almost daily flood of much more
severe discoveries and 'bugs' in their ever increasing avalanche of new
products, and must prioritise the 'danger' levels, but will hopefully get to
this. Certainly before they try to peddle the release versions of XP we
would hope [expect], since this new news and mail client is included with
it.

 
end call


---
http://www.malware.com
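The gateway point in section [A] is that a filter keyed only on the Content-Type: text/html header never sees a <script> tag carried in a text/plain body. The following is an added example (not part of the original post or of any malware.com material) contrasting that header-only rule with a check that inspects the decoded body of every text/* part; the sample messages are constructed here, modelled on the headers quoted above.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the headers quoted in the post (not the
# original malware.com attachment): a text/plain body carrying a <script> tag.
PLAIN_WITH_SCRIPT = """\
MIME-Version: 1.0
Content-Type: text/plain;
 charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

<script>alert("freak");alert("show")</script>
"""

# Constructed control sample: ordinary plain text, no tag.
PLAIN_BENIGN = """\
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Meeting moved to 3pm, see you there.
"""

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def header_only_flags(raw: str) -> bool:
    """The gateway rule the post warns about: act only on text/html parts."""
    msg = message_from_string(raw, policy=policy.default)
    return any(p.get_content_type() == "text/html" for p in msg.walk())


def content_flags(raw: str) -> list:
    """Inspect the decoded body of every text/* part, whatever its declared
    Content-Type, and return the content types of parts carrying <script>."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        if SCRIPT_TAG.search(part.get_content()):
            findings.append(part.get_content_type())
    return findings


if __name__ == "__main__":
    for name, raw in (("script", PLAIN_WITH_SCRIPT), ("benign", PLAIN_BENIGN)):
        print(name, "header-only:", header_only_flags(raw),
              "content:", content_flags(raw))
```

The header-only rule reports nothing for either message, while the body inspection flags the text/plain part of the first one.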
