source: http://www.securityfocus.com/bid/2823/info

Outlook Express is the standard e-mail client that is shipped with Microsoft Windows 9x/ME/NT.

The address book in Outlook Express is normally configured to make entries for all addresses that the user of the mail client replies to.

An attacker may construct a message header that tricks Address Book into making an entry for an untrusted user under the guise of a trusted one. This is done by sending a message with a misleading "From:" field. When the message is replied to, Address Book will make an entry which actually replies to the attacker.

Situation: 2 good users, Target1 and Target2, with addresses firstname.lastname@example.org and email@example.com, and one bad user, Attacker, firstname.lastname@example.org. Imagine Attacker wants to get the messages Target1 sends to Target2.

Scenario:

1. Attacker composes a message with the headers:

    From: "email@example.com" <firstname.lastname@example.org>
    Reply-To: "email@example.com" <firstname.lastname@example.org>
    To: Target1 <email@example.com>
    Subject: how to catch you on Friday?

   and sends it to firstname.lastname@example.org.

2. Target1 receives the mail, which looks exactly like mail received from email@example.com, and replies to it. The reply will be received by Attacker. In this case a new entry is created in the address book pointing NAME "firstname.lastname@example.org" to ADDRESS email@example.com.

3. Now, if while composing a new message Target1 directly types the e-mail address firstname.lastname@example.org instead of Target2, Outlook will compose the address as "email@example.com" <firstname.lastname@example.org> and the message will be received by Attacker.
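A defensive check for the header pattern described above, as an added example that is not part of the original advisory: it flags From/Reply-To mailboxes whose display name is itself an e-mail address different from the address the reply would actually go to. The function name, the regular expression and the sample addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Loose pattern for "something that reads as an e-mail address" in a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def deceptive_mailboxes(raw_message, headers=("From", "Reply-To")):
    """Return (header, shown_address, real_address) for every mailbox whose
    display name contains an address different from the real one."""
    msg = message_from_string(raw_message)
    findings = []
    for header in headers:
        for name, addr in getaddresses(msg.get_all(header, [])):
            for shown in ADDR_RE.findall(name):
                if shown.lower() != addr.lower():
                    findings.append((header, shown, addr))
    return findings

# Constructed samples (addresses are placeholders, not taken from the advisory).
SPOOFED = "\n".join([
    'From: "trusted.colleague@example.com" <collector@example.net>',
    'Reply-To: "trusted.colleague@example.com" <collector@example.net>',
    'To: Recipient <recipient@example.org>',
    'Subject: constructed sample',
    '',
    'body',
])
BENIGN = "\n".join([
    'From: "Trusted Colleague" <trusted.colleague@example.com>',
    'Reply-To: "trusted.colleague@example.com" <trusted.colleague@example.com>',
    'To: Recipient <recipient@example.org>',
    '',
    'body',
])

if __name__ == "__main__":
    for hdr, shown, real in deceptive_mailboxes(SPOOFED):
        print(f"{hdr}: display name shows {shown} but mail goes to {real}")
```

A mail gateway or client-side filter can run a check like this before a reply is composed, since the misleading address book entry is only created once the user replies.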
CVE: CVE-2001-1088
OSVDB: 1852