Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

DoS attacks on email clients via protocol handlers
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 6 Jun 2010 01:33:31 +0300

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in email clients,
particularly in Outlook Express and Outlook. This advisory is concerned with
my series of advisories about vulnerabilities in browsers, which belong to
group of DoS via protocol handlers.

All those who doubt that these DoS vulnerabilities in browsers and email
clients are security vulnerabilities, must read my first advisory on this
topic (http://www.securityfocus.com/archive/1/511327/30/0/threaded). Where I
mentioned about Mozilla's MFSA 2010-23
(http://www.mozilla.org/security/announce/2010/mfsa2010-23.html), for which
created CVE-2010-0181
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0181). If they
consider img with mailto (via redirect) as vulnerability, then iframes with
different protocols is indeed vulnerability (in browsers and email clients).

-----------------------------
Advisory: DoS attacks on email clients via protocol handlers
-----------------------------
URL: http://websecurity.com.ua/4255/
-----------------------------
Affected products: Internet Explorer 6 (6.0.2900.2180), Outlook Express 6
and Outlook 2002 SP-2.
-----------------------------
Timeline:

26.05.2010 - found vulnerability in Internet Explorer 6 (which engine is
used in Outlook Express and Outlook).
26.05.2010 - informed Microsoft about this and others vulnerabilities in IE.
29.05.2010 - found vulnerabilities in Outlook Express and Outlook.
02.06.2010 - disclosed at my site.
-----------------------------
Details:

Last month I wrote about multiple DoS vulnerabilities in Firefox, Internet
Explorer, Chrome, Opera and other browsers via protocol handlers.

And after Vladimir Dubrovin aka 3APA3A drew my attention that these attacks
can be made via email
(http://www.securityfocus.com/archive/1/511539/30/0/threaded), I decided to
check how much email clients are vulnerable to these attacks. I.e. I checked
possibility of attacks not via webmails (which directly concerns the
mentioned vulnerabilities in browsers), but via desktop email clients. Which
are possible due to the same vulnerabilities in browsers, because email
clients often use browsers engines for showing of html-letters.

I checked these vulnerabilities in Outlook Express and Outlook, similar
attacks are potentially possible in other email clients (built-in email
client in Opera 9.52 is not affected). So all who wishes can check these
vulnerabilities in other clients, e.g. in Thunderbird and SeaMonkey.

I found Denial of Service vulnerabilities in Microsoft Outlook Express and
Outlook. Which are identical to vulnerabilities in Internet Explorer 6.
Taking into account that these email clients are using IE engine for showing
of html-letters, then these attacks are Cross-Application DoS
(http://websecurity.com.ua/2600/).

Attacks work in Outlook Express and Outlook only when option Internet zone
(OE) / Internet (Outlook) for IE security zone is selected. Taking into
account that by default Restricted sites zone is set, then all users which
are using default settings are in safe.

DoS:

http://websecurity.com.ua/uploads/2010/IE,%20OE%20&%20Outlook%20DoS%20Exploit.html

This exploit uses small amount of iframes with firefoxurl protocol and
crashes IE6, OE and Outlook.

In OE and Outlook does work attack via iframe with mailto, news, nntp and
firefoxurl protocols (and also with other protocols, if handlers of
corresponding protocols are set in the system), but doesn't work attack via
iframe with gopher protocol.

In OE these exploits trigger as at preview of the letters, as at their
opening. And in Outlook exploit with iframe with mailto triggers only at
opening of the letter, and exploits with iframe with news, nntp and
firefoxurl trigger as at preview of the letters, as at their opening.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • DoS attacks on email clients via protocol handlers MustLive (Jun 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]