
Re: Outlook Mailto URL: vulnerability



In-Reply-To: <BAY13-F65PU2pnUgrMb0003f3db@xxxxxxxxxxx>

Clancy,

  I understand your problem. I've been working on building a proof of concept for our pen test scripts, but haven't had any luck with it yet. I talked to the developer of the original proof of concept; he's only gotten it working on Windows 98 with Outlook Express. I'll keep you updated if I find anything.

Seamus


>From: "clancy carlson" <clancy_carlson@xxxxxxxxxxx>
>To: vuln-dev@xxxxxxxxxxxxxxxxx
>Subject: Outlook Mailto URL: vulnerability
>Date: Fri, 02 Apr 2004 09:17:45 -0500
>Message-ID: <BAY13-F65PU2pnUgrMb0003f3db@xxxxxxxxxxx>
>
>All,
>I have been trying to write an exploit for the Outlook Mailto URL 
>vulnerability, but have been unsuccessful up to this point.  I have tried on 
>both a Windows 2000 and a Windows XP machine using Outlook 2002.  All of the 
>proof of concept codes and other documentation do not seem to work.
>I consistently receive an error of invalid switch parameter when attempting 
>to use
>
><html>
>
><body>
><!-- This is the exploit string. -->
><img src="mailto:aa&quot; /select
>javascript:alert('vulnerable')">
></body>
></html>
>
>Utilizing the select switch consistently produces the same error.  There 
>does not seem to be a way to get Outlook to receive the proper command 
>string.   Is this potential vulnerability exploitable?  Does anyone have any 
>suggestions on how to move forward?
>
>thanks,
>
>Clancy
>