CVE-2004-0121
CVSS 7.5
Published: 2004-04-15 00:00:00
Last modified: 2016-10-17 22:41:02

[Original] Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.


[CNNVD] Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability (MS04-009) (CNNVD-200404-053)

        
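        Microsoft Outlook is a popular e-mail client.
        Microsoft Outlook mishandles mailto URL parameters; a remote attacker can exploit this to make IE execute arbitrary script code in the Local Machine zone.
        Microsoft Outlook is an application that brings together e-mail messages, contacts, reminder services and more. When Outlook is installed, a mailto: URL handler is registered on the system; when a mailto: URL is opened, the system launches OUTLOOK.EXE with the following arguments:
         OUTLOOK.EXE -c IPM.Note /m "mailto:email@address"
        If the URL contains a quote character, additional command-line arguments can be injected into OUTLOOK.EXE. The startup URL that Outlook opens can also be supplied on the command line, and that URL can be a javascript: URL. If the "Outlook Today" page is currently displayed in Outlook, the script code runs in the Local Machine security zone context, which can let an attacker download and launch a malicious program.
        An attacker can trigger this vulnerability through a malicious web page or an HTML e-mail.
        If "Outlook Today" is not the default view in Outlook, an attacker can trigger the issue with two mailto: URLs: the first launches OUTLOOK.EXE and makes it display "Outlook Today", and the second supplies the malicious script.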
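
The quoting failure described above, as an added example that is not part of the original record or Microsoft's code: a simplified argument splitter shows how a raw quote in the URL turns one argument into three, next to a percent-encoding builder and a detection check. The function names are hypothetical, the splitter does not model backslash escaping, and the percent-encoding is an assumed mitigation rather than the change shipped in MS04-009.

```python
import re
from urllib.parse import quote

# Handler template quoted in the advisory; "%1" marks where the URL is substituted.
TEMPLATE = 'OUTLOOK.EXE -c IPM.Note /m "%1"'

def split_args(cmdline):
    """Simplified Windows-style splitting: a double quote toggles quoting and
    unquoted whitespace ends an argument (backslash escapes are not modelled)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def build_naive(url):
    """Vulnerable pattern: raw substitution, so a quote in the URL closes the argument."""
    return TEMPLATE.replace("%1", url)

def build_hardened(url):
    """Assumed mitigation: percent-encode quotes, spaces and other unsafe characters."""
    return TEMPLATE.replace("%1", quote(url, safe=":/@?&=%+,"))

def is_suspicious(url):
    """Detection check: a mailto: URL carrying a raw double quote or whitespace."""
    return url.lower().startswith("mailto:") and re.search(r'["\s]', url) is not None

if __name__ == "__main__":
    benign = "mailto:email@address"
    # String taken from the proof of concept reproduced on this page.
    crafted = "mailto:aa\" /select javascript:alert('vulnerable')"
    for url in (benign, crafted):
        print(is_suspicious(url))
        print("  naive:   ", split_args(build_naive(url)))
        print("  hardened:", split_args(build_hardened(url)))
```

With the naive builder the crafted URL yields seven arguments instead of five; the hardened builder keeps it as the single value of `/m`.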
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:office:xp  Microsoft Office XP
cpe:/a:microsoft:outlook:2002  Microsoft Outlook 2002
cpe:/a:microsoft:office:xp:sp2  Microsoft Office XP sp2
cpe:/a:microsoft:outlook:2002:sp2  Microsoft Outlook 2002 sp2
cpe:/a:microsoft:office:xp:sp1  Microsoft Office XP sp1
cpe:/a:microsoft:outlook:2002:sp1  Microsoft Outlook 2002 sp1

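- OVAL (technical details for detection)

oval:org.mitre.oval:def:843  MS Outlook Argument Injection Local Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.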

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0121
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0121
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200404-053
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107893704602842&w=2
(UNKNOWN)  BUGTRAQ  20040310 Outlook mailto: URL argument injection vulnerability
http://www.ciac.org/ciac/bulletins/o-096.shtml
(UNKNOWN)  CIAC  O-096
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20040309 Microsoft Outlook "mailto:" Parameter Passing Vulnerability
http://www.kb.cert.org/vuls/id/305206
(UNKNOWN)  CERT-VN  VU#305206
http://www.microsoft.com/technet/security/bulletin/ms04-009.asp
(VENDOR_ADVISORY)  MS  MS04-009
http://www.securityfocus.com/bid/9827
(VENDOR_ADVISORY)  BID  9827
http://www.us-cert.gov/cas/techalerts/TA04-070A.html
(UNKNOWN)  CERT  TA04-070A
http://xforce.iss.net/xforce/xfdb/15414
(UNKNOWN)  XF  outlook-mailtourl-execute-code(15414)
http://xforce.iss.net/xforce/xfdb/15429
(UNKNOWN)  XF  outlook-ms04009-patch(15429)

- Vulnerability information

Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability (MS04-009)
High risk  Design error
2004-04-15 00:00:00 2005-05-18 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS04-009) and corresponding patches for this issue:
        MS04-009: Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
        Link:
        http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

        Patch downloads:
        Microsoft Office XP SP2:
        Microsoft Patch MS04-009 Office XP SP2 Update
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en

        Microsoft Upgrade Office XP Service Pack 3
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

        Microsoft Outlook 2002 SP2:
        Microsoft Patch MS04-009 Outlook SP2 Update
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=52F1A951-24DB-44A5-9475-EA5D302BCA6A&displaylang=en

        Microsoft Upgrade Outlook 2002 Service Pack 3
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

        Microsoft Office XP SP1:
        Microsoft Upgrade Office XP Service Pack 3
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

        Microsoft Outlook 2002 SP1:
        Microsoft Upgrade Outlook 2002 Service Pack 3
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

        Microsoft Office XP :
        Microsoft Upgrade Office XP Service Pack 3
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

        Microsoft Outlook 2002 :
        Microsoft Upgrade Outlook 2002 Service Pack 3
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=85AF7BFD-6F69-4289-8BD1-EB966BCDFB5E&displaylang=en

- Vulnerability information (23796)

Microsoft Outlook 2002 Mailto Parameter Quoting Zone Bypass Vulnerability (EDBID:23796)
windows remote
2004-03-09 Verified
0 shaun2k2
N/A
source: http://www.securityfocus.com/bid/9827/info

Microsoft Outlook is prone to a vulnerability that may permit execution of arbitrary code on client systems. This issue is exposed through Outlook, but will reportedly cause Internet Explorer to load malicious content in the Local Zone.

This is related to how mailto URIs are handled by the software and may be exploited from a malicious web page or through HTML e-mail. This issue will permit a remote attacker to influence how Outlook is invoked via mailto URIs, allowing for execution of malicious scripting in the Local Zone through an attacker-specified Outlook profile parameter.

** It was initially reported that exploitation of this issue will depend on the Outlook Today page being the default folder homepage. Additional details have been made available to indicate that in situations where this is not the default page, it is possible to use two mailto URIs to exploit the issue. The first URI would display the Outlook Today view and the second would include an embedded JavaScript URI.


<!-- Outlook mailto: URL argument injection proof-of-concept exploit,
     by shaun2k2.  The exploit can be easily modified to execute more
     malicious things.
-->

<html>
<body>
<!-- This is the exploit string. -->
<img src="mailto:aa" /select
javascript:alert('vulnerable')">
</body>
</html>

		

- Vulnerability information

4168
Microsoft Outlook 2002 mailto URI Script Injection
Remote / Network Access
Loss of Integrity Patch / RCS
Exploit Private Vendor Verified, Coordinated Disclosure

- Vulnerability description

- Timeline

2004-03-09 Unknown
Unknown 2004-03-09

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability
Design Error 9827
Yes No
2004-03-09 12:00:00 2009-07-12 03:06:00
Discovery of this issue is credited to Jouko Pynnönen.

- Affected versions

Microsoft Outlook 2002 SP2
+ Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Outlook 2002 SP1
+ Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2002 0
+ Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Outlook 2002 SP3
+ Microsoft Office XP SP3
Microsoft Office XP SP3
+ Microsoft Excel 2002 SP3
+ Microsoft FrontPage 2002 SP3
+ Microsoft Outlook 2002 SP3
+ Microsoft PowerPoint 2002 SP3
+ Microsoft Publisher 2002 SP3

- Unaffected versions

Microsoft Outlook 2002 SP3
+ Microsoft Office XP SP3
Microsoft Office XP SP3
+ Microsoft Excel 2002 SP3
+ Microsoft FrontPage 2002 SP3
+ Microsoft Outlook 2002 SP3
+ Microsoft PowerPoint 2002 SP3
+ Microsoft Publisher 2002 SP3


- Exploit

It is possible to influence Outlook invocation parameters by including a '&quot;' string in the mailto URI.

The following proof of concept is available:

- Solution

Microsoft has released a security bulletin (MS04-009) and patches for Outlook 2002 and Office XP (which includes the vulnerable component).

This issue has also been addressed in Outlook 2002 SP3 and Office XP SP3. Users are advised to upgrade.


Microsoft Office XP SP1

Microsoft Office XP

Microsoft Office XP SP2

Microsoft Outlook 2002 0

Microsoft Outlook 2002 SP2

Microsoft Outlook 2002 SP1

- References

 

 
