Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23984
HistoryJun 07, 2010 - 12:00 a.m.

DoS attacks on email clients via protocol handlers

2010-06-0700:00:00
vulners.com
14
JSON

Hello 3APA3A!

I want to warn you about security vulnerabilities in email clients,
particularly in Outlook Express and Outlook. This advisory is concerned with
my series of advisories about vulnerabilities in browsers, which belong to
group of DoS via protocol handlers.

Advisory: DoS attacks on email clients via protocol handlers

URL: http://websecurity.com.ua/4255/

Affected products: Internet Explorer 6 (6.0.2900.2180), Outlook Express 6
and Outlook 2002 SP-2.

Timeline:

26.05.2010 - found vulnerability in Internet Explorer 6 (which engine is
used in Outlook Express and Outlook).
26.05.2010 - informed Microsoft about this and others vulnerabilities in IE.
29.05.2010 - found vulnerabilities in Outlook Express and Outlook.
02.06.2010 - disclosed at my site.

Details:

Last month I wrote about multiple DoS vulnerabilities in Firefox, Internet
Explorer, Chrome, Opera and other browsers via protocol handlers.

And after Vladimir Dubrovin aka 3APA3A drew my attention that these attacks
can be made via emal
(http://www.securityfocus.com/archive/1/511539/30/0/threaded), I decided to
check how much email clients are vulnerable to these attacks. I.e. I checked
possibility of attacks not via webmails (which directly concerns the
mentioned vulnerabilities in browsers), but via desktop email clients. Which
are possible due to the same vulnerabilities in browsers, because email
clients often use browsers engines for showing of html-letters.

I checked these vulnerabilities in Outlook Express and Outlook, similar
attacks are potentially possible in other email clients (built-in email
client in Opera 9.52 is not affected). So all who wishes can check these
vulnerabilities in other clients, e.g. in Thunderbird and SeaMonkey.

I found Denial of Service vulnerabilities in Microsoft Outlook Express and
Outlook. Which are identical to vulnerabilities in Internet Explorer 6.
Taking into account that these email clients are using IE engine for showing
of html-letters, then these attacks are Cross-Application DoS
(http://websecurity.com.ua/2600/).

Attacks work in Outlook Express and Outlook only when option Internet zone
(OE) / Internet (Outlook) for IE security zone is selected. Taking into
account that by default Restricted sites zone is set, then all users which
are using default settings are in safe.

DoS:

http://websecurity.com.ua/uploads/2010/IE,%20OE%20&%20Outlook%20DoS%20Exploit.html

This exploit uses small amount of iframes with firefoxurl protocol and
crashes IE6, OE and Outlook.

In OE and Outlook does work attack via iframe with mailto, news, nntp and
firefoxurl protocols (and also with other protocols, if handlers of
corresponding protocols are set in the system), but doesn't work attack via
iframe with gopher protocol.

In OE these exploits trigger as at preview of the letters, as at their
opening. And in Outlook exploit with iframe with mailto triggers only at
opening of the letter, and exploits with iframe with news, nntp and
firefoxurl trigger as at preview of the letters, as at their opening.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON