MS Outlook ATTACH_BY_REFERENCE (July 16, 2010)
The Microsoft Outlook email client implements all popular email protocols such as SMTP, POP3 and IMAP, as well as Microsoft's own proprietary standards. Attachments, rich text and HTML emails are transferred between email client and server in encoded form in order to adhere to the 7-bit character limitation of the transport. Several methods exist to accomplish this, one of which is a proprietary Microsoft encoding format called the Transport Neutral Encapsulation Format (TNEF). The TNEF specification encodes and encapsulates the message body in a file attachment that uses "winmail.dat" as its filename.
The TNEF structure allows references to other email attachments, which may be included in the email itself or referred to with a URL. Outlook interprets the URL, requests the resource, and then hands it to the system to be handled according to its type.
A design flaw exists in the way Microsoft Outlook processes attachment URLs inside the mail body. Upon opening an attachment, the vulnerable application first attempts to confirm that the file extension is not on its blacklist. When the attachment body is not enclosed within the message but is instead referred to with a URL, the verification logic can be tricked into bypassing that check.
If the URI referencing the attachment contains a query string, and that query string contains something that may be interpreted as a file extension, then that perceived file extension is the one considered by the verification procedure rather than the extension of the actual file.
It is therefore possible to construct an attachment URI that Outlook considers safe; after downloading the attachment, Outlook forwards the file to the operating system for execution without blocking it.
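The following is an added illustration, not Outlook's code and not part of SonicWALL's signatures: a hypothetical model of the flawed check described above (an extension taken from the raw URI text, where a query string or fragment can shadow the real one) beside a hardened check that parses the URI and inspects only the path component. The blocked-extension set and the sample references are constructed for the example; the real Outlook list is not given on this page.

```python
"""Model of a URI attachment-extension check: naive versus path-aware.

Hypothetical illustration of the advisory's point. Nothing here is Outlook's
actual implementation; the blocklist below is a constructed subset.
"""
from urllib.parse import urlparse, unquote
import posixpath

# Constructed blocklist for the example (not Outlook's real list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js"}


def naive_extension(uri: str) -> str:
    """Flawed model: treat the text after the last '/' as the filename and the
    text after its last '.' as the extension. A query string ('?name=report.txt')
    or fragment ('#note.txt') then overrides the real path extension."""
    tail = uri.rsplit("/", 1)[-1]
    dot = tail.rfind(".")
    return tail[dot:].lower() if dot != -1 else ""


def path_extension(uri: str) -> str:
    """Hardened model: parse the URI, keep only the path, percent-decode it, and
    take the extension of the final path segment. Query and fragment are ignored."""
    parsed = urlparse(uri)
    filename = posixpath.basename(unquote(parsed.path))
    _, ext = posixpath.splitext(filename)
    return ext.lower()


def is_blocked_naive(uri: str) -> bool:
    """Verdict of the flawed check."""
    return naive_extension(uri) in BLOCKED_EXTENSIONS


def is_blocked_hardened(uri: str) -> bool:
    """Verdict of the path-aware check."""
    return path_extension(uri) in BLOCKED_EXTENSIONS


def flagged_references(uris):
    """Defender-side triage over a list of attachment references: return those
    that the naive check would let through but the path-aware check blocks.
    A non-empty result is exactly the disagreement the advisory describes."""
    return [u for u in uris if is_blocked_hardened(u) and not is_blocked_naive(u)]


if __name__ == "__main__":
    # Constructed sample references (example.invalid is a reserved, non-routable name).
    samples = [
        "http://example.invalid/docs/report.txt",
        "http://example.invalid/files/tool.exe?name=report.txt",
        "http://example.invalid/files/tool.exe#note.txt",
        "http://example.invalid/files/tool%2Eexe?x=1",
        "http://example.invalid/dir/",
    ]
    for u in samples:
        print(f"{u}\n  naive={naive_extension(u)!r} path={path_extension(u)!r}")
    print("flagged:", flagged_references(samples))
```

The hardened variant only needs the path component to be parsed before the extension is derived; the disagreement reported by `flagged_references` is the condition a content filter or mail gateway would log when a referenced attachment's visible name and actual path extension do not match.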
An attacker must entice the target user to open a malicious attachment using a vulnerable version of the affected product. Successful exploitation may allow the download and execution of arbitrary code with the privileges of the currently logged-in user.
SonicWALL has released two IPS signatures to detect and block known existing exploits targeting this flaw. The following signatures were released to address this issue:
- 4662 – MS Outlook SMB Code Execution PoC 1 (MS10-045)
- 4664 – MS Outlook SMB Code Execution PoC 2 (MS10-045)
MITRE has assigned the ID CVE-2010-0266. The vendor has released a security advisory regarding this issue.