Exchange & Outlook client extensions problem

Summary
Description:Anyone can register "extensions" to Exchange Client or Outlook which cause evil things to happen for various events. Typical idiotic Microsoft bug.
Author:Martin Stanek <stanek@DCS.FMPH.UNIBA.SK>
Compromise:Steal mail, cause users to run malicious code, etc.
Vulnerable Systems:Microsoft systems where multiple users run Outlook or Exchange client
Date:9 November 1997
Details


Date: Sun, 9 Nov 1997 12:30:50 +0100
From: Martin Stanek <stanek@DCS.FMPH.UNIBA.SK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Is this a security bug or feature?

I don't know whether this is an old "issue", or new one.
Almost everywhere, people are using Exchange Client
or Outlook to manage their e-mail messages.
It possible for everybody to add an extension to this
program. Extensions are called in various contexts:
  sending, receiving or viewing messages,
  beginning of the session, etc...
Once registered, it's valid (active) for everyone,
who use Outlook or Exchange Client on affected
computer. The extension is not limited only to e-mail
specific tasks - but it can do everything what it
want - and: with permissions of current user.

Extensions are registered in Registry in subkey
HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions\

This key has Special Access for Everyone:
        Query value
        Set value
        Create Subkey
        Enumerate Subkeys
        Notify
        Delete
        Read Control

Possible scenarios are left for your imagination...

Experimental source code for "stealing" e-mail messages
is available on request.

Martin Stanek
stanek@dcs.fmph.uniba.sk

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault