Bugtraq mailing list archives
SECURITY.NNOV: Outlook Express address book spoofing
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 5 Jun 2001 15:09:27 +0400
Hello bugtraq,
sorry if this is already known - the bug is trivial.
Issue : Outlook Express address book allows
messages to be intercepted by 3rd party
Date Released : 16 March 2001
Vendor Notified : 16 March 2001
Author : 3APA3A <3APA3A () security nnov ru>
Affected : Outlook Express 5.5SP1 and prior
Discovered : 18 December 2000 by 3APA3A
Remotely Exploitable : Yes
Vendor URL : http://www.microsoft.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
Description:
It's possible for a remote user to cause messages written for one e-mail
address to be delivered to another e-mail address.
Details:
Outlook Express has an option, "Automatically put people I reply to in my
address book". When enabled, this option causes Outlook to automatically
create new address book entries mapping the NAME of a received
message to its e-mail ADDRESS. When a message is composed, Outlook Express
checks the address book for NAME and sets the complete e-mail ADDRESS instead.
Exploitation:
Situation: 2 good users G1 and G2 with addresses g1 () mail com and
g2 () mail com and one bad user B, b () mail com. Imagine B wants to get
messages G1 sends to G2. Scenario:
1. B composes message with headers:
From: "g2 () mail com" <b () mail com>
Reply-To: "g2 () mail com" <b () mail com>
To: G1 <g1 () mail com>
Subject: how to catch you on Friday?
and sends it to g1 () mail com
2. G1 receives the mail, which looks absolutely like mail received from
g2 () mail com, and replies to it. The reply will be received by B. In this
case a new entry is created in the address book pointing NAME "g2 () mail com"
to ADDRESS b () mail com.
3. Now, if while composing a new message G1 directly types the e-mail
address g2 () mail com instead of G2, Outlook will compose the address as
"g2 () mail com" <b () mail com> and the message will be received by B.
Workaround:
Disable "Automatically put people I reply to in my address book"
option.
Vendor:
Microsoft was contacted, accepted the problem and replied that it's impossible
to fix it until the next IE 5.5 SP.
Solution:
Not yet.
--
http://www.security.nnov.ru
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| 3APA3A U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
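
A defensive check for the header pattern described in the advisory, added here as an example and not part of the original post: it flags any From/Reply-To/Sender mailbox whose display NAME is itself an e-mail address different from the real ADDRESS, and applies the same rule before an address book entry would be auto-created. The function names and the mail.example sample addresses (standing in for G1, G2 and B) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Loose pattern for text inside a display name that looks like an e-mail address.
ADDR_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def claimed_addresses(name):
    """Addresses that a display name pretends to be (lower-cased)."""
    return {m.lower() for m in ADDR_LIKE.findall(name)}

def mismatched_display_names(raw_message, headers=("From", "Reply-To", "Sender")):
    """Return (header, display_name, real_address) for each mailbox whose
    display name contains an address other than the one mail would go to."""
    msg = message_from_string(raw_message)
    findings = []
    for header in headers:
        for name, addr in getaddresses(msg.get_all(header, [])):
            claimed = claimed_addresses(name)
            if claimed and addr.lower() not in claimed:
                findings.append((header, name, addr))
    return findings

def safe_to_auto_add(name, addr):
    """Address book policy: refuse a NAME -> ADDRESS entry when NAME is
    itself an address that differs from ADDRESS."""
    claimed = claimed_addresses(name)
    return not claimed or addr.lower() in claimed

# Constructed sample modelled on the headers in step 1 of the advisory.
SPOOFED = (
    'From: "g2@mail.example" <b@mail.example>\n'
    'Reply-To: "g2@mail.example" <b@mail.example>\n'
    'To: G1 <g1@mail.example>\n'
    'Subject: how to catch you on Friday?\n'
    '\n'
    'body\n'
)
# Constructed benign message: the display name is a plain name.
BENIGN = 'From: "G2" <g2@mail.example>\nTo: G1 <g1@mail.example>\n\nbody\n'

if __name__ == "__main__":
    for header, name, addr in mismatched_display_names(SPOOFED):
        print(f"{header}: display name {name!r} hides real address {addr}")
    print("benign findings:", mismatched_display_names(BENIGN))
```
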
