Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability
Affected systems:
Microsoft Office XP SP2
Microsoft Office XP SP1
Microsoft Office XP
Microsoft Office 2002 SP2
Microsoft Office 2002 SP1
Microsoft Office 2002
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
Unaffected systems:
Microsoft Office XP SP3
Microsoft Office 2002 SP3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9827
CVE(CAN) ID: CAN-2004-0121
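Microsoft Outlook is a popular e-mail client.
Microsoft Outlook has a flaw in the way it handles mailto URL parameters. A remote attacker can exploit it to make IE execute arbitrary script code in the Local Machine zone.
Microsoft Outlook integrates e-mail, contacts, reminders and other applications. When Outlook is installed, a mailto: URL handler is registered with the system. When a mailto: URL is opened, the system launches OUTLOOK.EXE with the following arguments: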
OUTLOOK.EXE -c IPM.Note /m "mailto:email@address"
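If the URL contains quote characters, additional command-line arguments can be injected into OUTLOOK.EXE. The start-up URL that Outlook opens can also be supplied on the command line, and that URL can be a javascript: URL. If the "Outlook today" page is currently being viewed in Outlook, the script code executes in the context of the Local Machine security zone, which can allow an attacker to download and launch a malicious program.
An attacker can trigger this vulnerability through a malicious web page or an HTML e-mail.
If "Outlook today" is not the default view in Outlook, the attacker can trigger the issue with two mailto: URLs: the first launches OUTLOOK.EXE and makes it display "Outlook today", and the second then supplies the malicious script.
<*Source: Jouko Pynnönen (jouko@iki.fi)
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=107893704602842&w=2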
http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
*>
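The check below is an added example, not code from the advisory or from Microsoft. It scans HTML for mailto: URLs whose decoded value contains a double quote, the character the description above says ends the quoted /m argument. The sample markup, addresses and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes whose value a browser or mail client may pass to a URL handler.
URL_ATTRS = {"href", "src", "action", "background"}

# Constructed sample input (not taken from any real message).
SAMPLE_HTML = """
<a href="mailto:helpdesk@example.com?subject=Hi">benign link</a>
<a href="https://example.com/">not a mailto URL</a>
<img src="mailto:user@example.com&quot; EXTRA-ARGUMENT">
<a href="mailto:user@example.com%22%20EXTRA">percent-encoded quote</a>
"""


class MailtoCollector(HTMLParser):
    """Collect (tag, attribute, url) for every mailto: URL in the markup."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # html.parser has already decoded entities such as &quot; in `value`.
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lstrip().lower().startswith("mailto:"):
                self.found.append((tag, name, value))


def injected_text(url):
    """Return what follows the first double quote once percent-escapes are
    decoded, or None if the URL cannot close the quoted /m argument."""
    _, quote, tail = unquote(url).partition('"')
    return tail.strip() if quote else None


def scan(markup):
    """Return (tag, attribute, url, injected_text) for each suspicious URL."""
    collector = MailtoCollector()
    collector.feed(markup)
    hits = [(t, a, u, injected_text(u)) for t, a, u in collector.found]
    return [h for h in hits if h[3] is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_HTML):
        print("suspicious mailto URL in <%s %s>: %r -> trailing %r" % hit)
```

Percent-encoded quotes are flagged conservatively, because the advisory does not say whether they are decoded before the command line is built.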
Test method:
--------------------------------------------------------------------------------
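Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!
Jouko Pynnönen (jouko@iki.fi) provided the following test method: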
<!-- Outlook mailto: URL argument injection proof-of-concept exploit,
     by shaun2k2. The exploit can be easily modified to execute more
     malicious things.
-->
<html>
<body>
<!-- This is the exploit string. -->
<img src="mailto:aa" /select
javascript:alert('vulnerable')">
</body>
</html>
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS04-009) and corresponding patches for this issue:
MS04-009:Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
Link: http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
Patch downloads:
Microsoft Office XP SP2:
Microsoft Patch MS04-009 Office XP SP2 Update
http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
Microsoft Upgrade Office XP Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en
Microsoft Outlook 2002 SP2:
Microsoft Patch MS04-009 Outlook SP2 Update
http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en
Microsoft Upgrade Outlook 2002 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en
Microsoft Office XP SP1:
Microsoft Upgrade Office XP Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en
Microsoft Outlook 2002 SP1:
Microsoft Upgrade Outlook 2002 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en
Microsoft Office XP:
Microsoft Upgrade Office XP Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en
Microsoft Outlook 2002:
Microsoft Upgrade Outlook 2002 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en