Hello bugtraq,

sorry if this is already known - the bug is trivial.

Issue               : Outlook Express address book allows messages to be
                      intercepted by 3rd party
Date Released       : 16 March 2001
Vendor Notified     : 16 March 2001
Author              : 3APA3A <3APA3Aat_private>
Affected            : Outlook Express 5.5SP1 and prior
Discovered          : 18 December 2000 by 3APA3A
Remotely Exploitable: Yes
Vendor URL          : http://www.microsoft.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Description:

It's possible for a remote user to cause messages written for one e-mail
address to be delivered to another e-mail address.

Details:

Outlook Express has the option "Automatically put people I reply to in my
address book". When enabled, this option causes Outlook to automatically
create new address book entries mapping the NAME of a received message to
its e-mail ADDRESS. When a message is composed, Outlook Express checks the
address book for NAME and substitutes the complete e-mail ADDRESS.

Exploitation:

Situation: 2 good users G1 and G2 with addresses g1at_private and
g2at_private and one bad user B, bat_private

Imagine B wants to get the messages G1 sends to G2.

Scenario:

1. B composes a message with headers:

     From: "g2at_private" <bat_private>
     Reply-To: "g2at_private" <bat_private>
     To: G1 <g1at_private>
     Subject: how to catch you on Friday?

   and sends it to g1at_private

2. G1 receives the mail, which looks exactly like mail received from
   g2at_private, and replies to it. The reply will be received by B. In
   this case a new entry is created in the address book pointing NAME
   "g2at_private" to ADDRESS bat_private

3. Now, if while composing a new message G1 directly types the e-mail
   address g2at_private instead of G2, Outlook will compose the address as
   "g2at_private" <bat_private> and the message will be received by B.

Workaround:

Disable the "Automatically put people I reply to in my address book" option.

Vendor:

Microsoft was contacted, accepted the problem and replied that it's
impossible to fix it until the next IE 5.5 SP.

Solution:

None yet.
--
http://www.security.nnov.ru
/\_/\ { . . } |\ +--oQQo->{ ^ }<-----+ \ | 3APA3A U 3APA3A } +-------------o66o--+ / |/
You know my name - look up my number (The Beatles)
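
Added example (not part of the original advisory): a check that a mail filter, or a client before it auto-adds an address book entry, could run to flag the header pattern from step 1 of the scenario, where the display NAME is itself an e-mail address that differs from the real ADDRESS. The function name and the example.* addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Loose pattern for an address-looking token inside a display name.
ADDR_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mismatched_display_names(raw_message, headers=("From", "Reply-To", "Sender")):
    """Return (header, display_name, real_address) for every mailbox whose
    display name contains an e-mail address different from the real one."""
    msg = message_from_string(raw_message)
    findings = []
    for header in headers:
        for name, addr in getaddresses(msg.get_all(header, [])):
            # Compare case-insensitively; one mismatch per mailbox is enough.
            claimed = [c.lower() for c in ADDR_IN_NAME.findall(name)]
            if any(c != addr.lower() for c in claimed):
                findings.append((header, name, addr))
    return findings


# Constructed sample: the headers from step 1, with placeholder domains.
SPOOFED = (
    'From: "g2@example.org" <b@example.net>\n'
    'Reply-To: "g2@example.org" <b@example.net>\n'
    "To: G1 <g1@example.com>\n"
    "Subject: how to catch you on Friday?\n"
    "\n"
    "body\n"
)

# Constructed sample: name matches the real address (or is a plain name).
BENIGN = (
    'From: "g2@example.org" <G2@Example.org>\n'
    "Reply-To: G2 <g2@example.org>\n"
    "To: G1 <g1@example.com>\n"
    "Subject: lunch\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, mismatched_display_names(raw))
```

A message flagged this way should not produce an automatic NAME to ADDRESS mapping, since that mapping is what later redirects a typed address in step 3.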