Microsoft Outlook Express XSL Style Information Execution Vulnerability

vendor:

Outlook Express

by:

SecurityFocus

7.5

CVSS

HIGH

Code Execution

CWE

Product Name: Outlook Express

Affected Version From: Outlook Express 6

Affected Version To: Outlook Express 6

Patch Exists: YES

Related CWE: CVE-2002-0647

CPE: o:microsoft:outlook_express:6

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2002

Microsoft Outlook Express XSL Style Information Execution Vulnerability

An error has been reported in Microsoft Outlook Express which may allow malicious XML file attachments to execute arbitrary code in the context of the local system. Code execution could occur when the file attachment is opened, without further prompting or user interaction. This is the result of treatment of script code included in XSL style information embedded in an XML document. Normally, XSL style information is not permitted in XML scripts executing within a restricted security zone. However, some embedded script code may still execute, despite the generation of an XML parsing error. This script code may determine the location of the Temporary Internet File (TIF) directory, which in turn can lead to the execution of arbitrary code within the Local System security zone.

Mitigation:

Users should exercise caution when opening email attachments, even from trusted sources.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5350/info

An error has been reported in Microsoft Outlook Express which may allow malicious XML file attachments to execute arbitrary code in the context of the local system. Code execution could occur when the file attachment is opened, without further prompting or user interaction.

This is the result of treatment of script code included in XSL style information embedded in an XML document. Normally, XSL style information is not permitted in XML scripts executing within a restricted security zone. However, some embedded script code may still execute, despite the generation of an XML parsing error. This script code may determine the location of the Temporary Internet File (TIF) directory, which in turn can lead to the execution of arbitrary code within the Local System security zone.

This behavior has been reported in Outlook Express 6. Other versions of Outlook may share this vulnerability, this has not however been confirmed.

<?xml version="1.0" ?>
<?xml-stylesheet type="text/css"
href="http://www.malware.com/malware.css" ?>
<malware>

<h4 style="position: absolute;top:39;left:expression(alert
(document.location));font-family:arial;font-size:12pt;BACKGROUND-
IMAGE:url('http://www.malware.com/youlickit.gif');background-
repeat:no-repeat;background-position: 100 30;z-index:-
100;height:200pt;width:400pt;font-family:Verdana;color:red">sure it
can, malware says so</h4>
</malware>