SECURITY.NNOV: Outlook Express address book spoofing

From: 3APA3A (3APA3Aat_private)
Date: Tue Jun 05 2001 - 04:09:27 PDT


    Hello bugtraq,
    
    sorry if this is already known - the bug is trivial.
    
    Issue                   :  Outlook  Express  address  book allows
                               messages to be intercepted by 3rd party
    Date Released           :  16 March 2001
    Vendor Notified         :  16 March 2001
    Author                  :  3APA3A <3APA3Aat_private>
    Affected                :  Outlook Express 5.5SP1 and prior
    Discovered              :  18 December 2000 by 3APA3A
    Remotely Exploitable    :  Yes
    Vendor URL              :  http://www.microsoft.com
    SECURITY.NNOV advisories:  http://www.security.nnov.ru/advisories
    
    Description:
    
    It is possible for a remote user to cause messages written to one e-mail
    address to be delivered to another e-mail address.
    
    Details:
    
    Outlook Express has the option "Automatically put people I reply to in my
    address book". When enabled, this option causes Outlook Express to create
    new address book entries automatically, mapping the NAME of the sender of
    a received message to that sender's e-mail ADDRESS. When a message is
    composed, Outlook Express checks the address book for the NAME and
    substitutes the complete e-mail ADDRESS stored for it.
    
    Exploitation:
    
    Situation: two good users, G1 and G2, with addresses g1at_private and
    g2at_private, and one bad user B with address bat_private. Imagine B
    wants to get the messages G1 sends to G2. Scenario:
    
    1. B composes a message with the headers:
    
    From: "g2at_private" <bat_private>
    Reply-To: "g2at_private" <bat_private>
    To: G1 <g1at_private>
    Subject: how to catch you on Friday?
    
    and sends it to g1at_private
    
    2. G1 receives the mail, which looks exactly like mail received from
    g2at_private, and replies to it. The reply is received by B. At this
    point a new entry is created in the address book mapping the NAME
    "g2at_private" to the ADDRESS bat_private.
    
    3. Now, if while composing a new message G1 types the e-mail address
    g2at_private directly instead of G2, Outlook Express composes the
    address as "g2at_private" <bat_private> and the message is received
    by B.
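    The following is an added example, not code from the advisory or from
    Microsoft. It covers both the mechanism described under Details and the
    three-step scenario above: a header check that flags a From or Reply-To
    header whose display name is itself an e-mail address that differs from
    the real address (the message B sends in step 1), and a hardened
    NAME-to-ADDRESS lookup that never rewrites text the user typed as a
    complete address (the substitution abused in step 3), shown next to the
    lookup behaviour the advisory describes. The message, the address-book
    entries and the example.com addresses are constructed for this example.

```python
"""Added example (not part of 3APA3A's advisory): detect the header
pattern the advisory describes and show a hardened address-book lookup.

The sample message, the address-book entries and the example.com
addresses are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

# Loose addr-spec pattern: enough to decide "this display name looks like
# an e-mail address"; it is not a full RFC 5322 validator.
ADDR_RE = re.compile(r'^[^@\s<>"]+@[^@\s<>"]+\.[^@\s<>"]+$')


def looks_like_address(text: str) -> bool:
    """True when the text is shaped like a bare e-mail address."""
    return bool(ADDR_RE.match(text.strip()))


def flag_spoofed_headers(raw_message: str) -> list:
    """Return (header, display_name, addr_spec) for every From/Reply-To
    header whose display name is itself an e-mail address that does not
    match the real addr-spec. That mismatch is what lets the automatic
    address-book entry map one person's address to another's mailbox."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        for value in msg.get_all(header, []):
            name, addr = parseaddr(value)
            if looks_like_address(name) and name.strip().lower() != addr.lower():
                findings.append((header, name.strip(), addr))
    return findings


def vulnerable_resolve_recipient(typed: str, address_book: dict) -> str:
    """The lookup as the advisory describes it, for comparison only: the
    typed text is looked up as a NAME and the stored ADDRESS is used."""
    key = typed.strip().lower()
    return address_book.get(key, typed.strip())


def resolve_recipient(typed: str, address_book: dict) -> str:
    """Hardened lookup: text that is already a complete e-mail address is
    sent exactly as typed; the address book is consulted only for a plain
    name, which is the only case the feature is meant to handle."""
    typed = typed.strip()
    if looks_like_address(typed):
        return typed  # never substitute a stored entry for a full address
    return address_book.get(typed.lower(), typed)


# Constructed sample: the message B sends in step 1 of the advisory.
SAMPLE_MESSAGE = """From: "g2@example.com" <b@example.com>
Reply-To: "g2@example.com" <b@example.com>
To: G1 <g1@example.com>
Subject: how to catch you on Friday?

constructed body
"""

# Constructed address book after G1 replies (step 2): NAME -> ADDRESS.
# The poisoned entry maps G2's address, used as a NAME, to B's mailbox.
POISONED_BOOK = {
    "g2@example.com": "b@example.com",
    "g2": "g2@example.com",
}

if __name__ == "__main__":
    for finding in flag_spoofed_headers(SAMPLE_MESSAGE):
        print("suspicious header:", finding)
    print("vulnerable lookup:", vulnerable_resolve_recipient("g2@example.com", POISONED_BOOK))
    print("hardened lookup:  ", resolve_recipient("g2@example.com", POISONED_BOOK))
```

    The header check is a mail-gateway or client-side rule: a display name
    that is a different e-mail address from the addr-spec has no legitimate
    use and is worth quarantining or at least marking. The hardened lookup
    is the fix a client could apply independently of the header check.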
    
    Workaround:
    
    Disable the "Automatically put people I reply to in my address book"
    option.
    
    
    Vendor:
    
    Microsoft was contacted, accepted the problem and replied that it is
    impossible to fix it until the next IE 5.5 SP.
    
    Solution:
    
    None yet.
    
    
    -- 
    http://www.security.nnov.ru
             /\_/\
            { . . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  3APA3A  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)
    



    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 11:55:35 PDT