Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1680
HistoryJun 02, 2001 - 12:00 a.m.

SECURITY.NNOV: Outlook Express address book vulnerability

2001-06-0200:00:00
vulners.com
49
JSON

Issue : Outlook Express address book allows
messages to be intercepted by 3rd party
Date Released : 16 March 2001
Vendor Notified : 16 March 2001
Author : 3APA3A <[email protected]>
Affected : Outlook Exress 5.5SP1 and prior
Discovered : 18 December 2000 by 3APA3A
Remotely Exploitable : Yes
Vendor URL : http://www.microsoft.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Description:

It's possible for remote user to cause messages written for one e-mail
address to be delivered to another e-mail address.

Details:

Outlook Express has option "Automatically put people I reply to in my
address book". Then enabled, this option causes Outlook to make
automatically new address book entries mapping NAME of received
message to e-mail ADDRESS. Then message is composed Outlook Express
checks address book for NAME and sets complete e-mail ADDRESS instead.

Exploitation:

Situation: 2 good users G1 and G2 with addresses [email protected] and
[email protected] and one bad user B, [email protected]. Imagine B wants to get
messages G1 sends to G2. Scenario:

  1. B composes message with headers:

From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
To: G1 <[email protected]>
Subject: how to catch you on Friday?

and sends it to [email protected]

  1. G1 receives mail, which looks absolutely like mail received from
    [email protected] and replies it. Reply will be received by B. In this case
    new entry is created in address book pointing NAME "[email protected]" to
    ADDRESS [email protected].

  2. Now, if while composing new message G1 directly types e-mail
    address [email protected] instead of G2, Outlook will compose address as
    "[email protected]" <[email protected]> and message will be received by B.

Workaround:

Disable "Automatically put people I reply to in my address book"
option.

Vendor:

Microsoft was contacted, accepted problem and replied it's impossible
to fix it until next IE 5.5 SP.

Solution:

No yet.

JSON