- 18 Dec 2022
- EDB-ID
- 20899
- EDB verification
- Passed
- Author
- 3APA3A
- Vulnerability type
- REMOTE
- Platform
- WINDOWS
- CVE
- cve-2001-1088
- Publication date
- 2001-06-05
Code:
source: https://www.securityfocus.com/bid/2823/info
Outlook Express is the standard e-mail client that is shipped with Microsoft Windows 9x/ME/NT.
The address book in Outlook Express is normally configured to create an entry for every address the user of the mail client replies to. An attacker may construct a message header that tricks Address Book into making an entry for an untrusted user under the guise of a trusted one. This is done by sending a message with a misleading "From:" field. When the user replies to the message, Address Book creates an entry that actually points to the attacker's address.
Situation: two good users, Target1 and Target2, with addresses [email protected] and
[email protected] and one bad user, Attacker, [email protected]. Imagine Attacker wants to get
the messages Target1 sends to Target2. Scenario:
1. Attacker composes a message with the headers:
From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
To: Target1 <[email protected]>
Subject: how to catch you on Friday?
and sends it to [email protected]
2. Target1 receives the mail, which looks exactly like mail received from
[email protected], and replies to it. The reply will be received by Attacker. In this case
a new entry is created in the address book, pointing NAME "[email protected]" to
ADDRESS [email protected].
3. Now, if Target1, while composing a new message, types the e-mail
address [email protected] directly instead of Target2, Outlook will compose the address as
"[email protected]" <[email protected]> and the message will be received by Attacker.
- Source
- www.exploit-db.com
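A mail filter can flag the header pattern described in the scenario above: a display name that itself looks like an e-mail address but differs from the address actually used. The following is an added example, not part of the original advisory; the function name `misleading_display_names` and the `example.*` addresses are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Anything in a display name that looks like an e-mail address.
ADDR_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def misleading_display_names(raw_message):
    """Return (header, shown_address, real_address) for each sender header
    whose display name shows an address other than the one actually used."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To", "Sender"):
        for name, addr in getaddresses(msg.get_all(header, [])):
            for shown in ADDR_IN_NAME.findall(name):
                # Addresses are compared case-insensitively.
                if shown.lower() != addr.lower():
                    findings.append((header, shown, addr))
    return findings

# Constructed samples; the example.* addresses are placeholders.
SPOOFED = """\
From: "target2@example.org" <attacker@example.net>
Reply-To: "target2@example.org" <attacker@example.net>
To: Target1 <target1@example.com>
Subject: how to catch you on Friday?

body
"""

# Display name and real address agree, so nothing is flagged.
BENIGN = """\
From: "target2@example.org" <Target2@Example.org>
To: Target1 <target1@example.com>
Subject: lunch

body
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, misleading_display_names(raw))
```

Messages that produce findings can be quarantined or delivered with the real address shown in place of the display name, so a reply never silently stores the mismatched pair in the address book.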