Exploit
Microsoft Outlook Express Will Execute Active Scripting in Plain Text E-mail Messages, Circumventing Some Scripting Controls
Date: Sep 13 2001 04:06 (UTC/GMT)
Impact: Execution of arbitrary code via network, Host/resource access via network
Exploit Included: Yes
Version(s): 6.00
Description: It is reported that Microsoft's Outlook Express will execute Active Scripting that is embedded within a plain text e-mail message. Normally, active scripting would be contained in an HTML message.
For example, the following plain text message will cause the embedded script to be executed by the recipient's mail reader (the "charset" line is a folded continuation of the Content-Type header):
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Source: 11.09.01 http://www.malware.com

<script>alert("freak");alert("show")</script>
This security implementation flaw may be of concern in networks that filter or block active content in HTML-based messages (those with Content-Type: text/html MIME headers).
It is reported that only the <script> tag will be parsed and executed and that other tags (e.g., <IFRAME>, <OBJECT>) are treated properly (as plain text).
The report notes that active scripting is disabled (off) by default in Outlook Express 6.00, so the embedded script only runs where the user or administrator has enabled it.
A demonstration exploit example is provided at the following URL:
http://www.malware.com/malware.zip
Impact: A remote user can craft a plain text (RFC822) e-mail message that contains malicious active scripting code. Gateway filters that key on the Content-Type: text/html MIME header will pass the message, and the recipient's Outlook Express mail reader will execute the script.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Cause: State error
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)
Underlying OS Comments: Tested on Windows 98 and RTM Build of Windows XP
Reported By: "http-equiv@excite.com" <http-equiv@excite.com>
Message History: None.
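The practical lesson of this entry is for gateway operators: a filter that decides whether to look for active content from the declared Content-Type alone is keyed on a header the receiving client does not honour. The following added example (not part of the advisory or of the original report) contrasts such a Content-Type-keyed rule with a rule that inspects every text/* part. The sample messages are constructed for the example; the plain-text one reproduces the advisory's message with the folded charset line and the blank header/body separator restored so that Python's email parser accepts it. Function names and the regular expression are illustrative choices, not a vendor's API.

```python
"""Compare two gateway rules for catching <script> in e-mail bodies.

Added example, not code from the advisory: shows why a rule that only
inspects parts declared as text/html misses the plain-text message from
this entry, while a rule that inspects all text/* parts catches it.
"""
import email
import re
from email import policy

# Constructed sample 1: the advisory's plain-text message, with the folded
# Content-Type continuation indented and a blank line before the body.
PLAINTEXT_SCRIPT_MSG = """\
MIME-Version: 1.0
Content-Type: text/plain;
\tcharset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Source: 11.09.01 http://www.malware.com

<script>alert("freak");alert("show")</script>
"""

# Constructed sample 2: the same script declared as HTML (the case a
# Content-Type-keyed filter is written for).
HTML_SCRIPT_MSG = """\
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><SCRIPT>alert("html")</SCRIPT></body></html>
"""

# Constructed sample 3: a benign plain-text message that mentions the tag
# name without an actual tag; neither rule should flag it.
BENIGN_MSG = """\
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Please send the script for Friday's meeting.
"""

# Illustrative pattern: an opening <script tag, any case, with optional
# whitespace after "<", which the report shows is enough to trigger OE.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def _text_parts(raw: str, only_html: bool):
    """Yield decoded bodies of the parts a rule chooses to inspect."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if only_html and ctype != "text/html":
            continue
        if not only_html and part.get_content_maintype() != "text":
            continue
        yield part.get_content()


def content_type_keyed_filter(raw: str) -> bool:
    """Weak rule: look for <script> only in parts declared text/html.

    This is the gateway behaviour the report warns about; it returns
    False for the advisory's plain-text message.
    """
    return any(SCRIPT_TAG.search(body) for body in _text_parts(raw, True))


def all_text_filter(raw: str) -> bool:
    """Hardened rule: look for <script> in every text/* part.

    Because the client (OE6) parses the tag regardless of the declared
    subtype, the gateway must not trust that subtype either.
    """
    return any(SCRIPT_TAG.search(body) for body in _text_parts(raw, False))


def verdicts(raw: str) -> dict:
    """Return both rules' decisions for one message, for side-by-side review."""
    return {
        "content_type_keyed": content_type_keyed_filter(raw),
        "all_text": all_text_filter(raw),
    }


if __name__ == "__main__":
    for name, sample in (("plain-text", PLAINTEXT_SCRIPT_MSG),
                         ("html", HTML_SCRIPT_MSG),
                         ("benign", BENIGN_MSG)):
        print(name, verdicts(sample))
```

The point of `all_text_filter` is not that scanning for `<script` is a complete defence (a client that renders plain text as HTML can be fed other markup too), but that any rule which trusts the sender-controlled Content-Type to decide what to inspect is bypassable by construction; inspect what the client will actually parse.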
--------------------------------------------------------------------------------
Source Message Contents
--------------------------------------------------------------------------------
Date: Wed, 12 Sep 2001 10:39:29 -0700 (PDT)
From: "http-equiv@excite.com" <http-equiv@excite.com>
Subject: FREAK SHOW: Outlook Express 6.00
Wednesday, September 12, 2001
[A] Possibly the strangest "innovation" out of the manufacturer of Outlook
Express to date. The ability to execute Active Scripting in a plain text
mail message:
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Source: 11.09.01 http://www.malware.com
<script>alert("freak");alert("show")</script>
The above is a legitimate RFC822 mail message in plain text. Ordinarily one
would require an html mail message [Content-Type: text/html;] to parse html
and scripting. The above functions under a plain text mail message in
Outlook Express 6.00.
There appears to be a very small 'sweet spot' for the maximum length of the
above characters from each opening angle bracket to closing angle bracket.
Additional tests suggest a few more characters can be 'squeezed' in as well
as a second line below it with about half the amount of characters. Any
additional characters then parses the entire message in plain text (as it
should). Additionally, it appears from these tests that only the <script>
tags function like this; other tags <IFRAME>, <OBJECT> etc. parse correctly
as plain text.
Carefully Note: active scripting is off by default in OE6.00. The above may
be of interest to SA's who might block active content and html tags at their
gateways using only the Content-Type: text/html; MIME header.
Working Example [nothing but 'plain text']:
http://www.malware.com/malware.zip
Tested on: Windows 98 and RTM Build of Windows XP with the release version
of Outlook Express 6.00
[B] We also note with interest that a now 10 month old vulnerability;
referred to as html.dropper [see: http://www.securityfocus.com/bid/2260] has
been carried over to Outlook Express 6.00, this allows the sender of a
manufactured mail message to dictate whichever icon they desire for an
attachment:
screen shot: http://www.malware.com/madness.jpg (20KB)
The following fully functional working example is most definitely
self-explanatory and includes a harmless *.exe
http://www.malware.com/bang.zip
Tested on: Windows 98 and RTM Build of Windows XP with the release version
of Outlook Express 6.00
According to reliable third-party sources, the manufacturer is fully aware
of this and has been updated as recently as 10 days ago. It is understood (and
appreciated) that they are inundated with an almost daily flood of much more
severe discoveries and 'bugs' to their ever increasing avalanche of new
products, and must prioritise the 'danger' levels, but will hopefully get to
this. Certainly before they try to peddle the release versions of XP we
would hope [expect], since this new news and mail client is included with
it.
end call
---
http://www.malware.com