cvebase
CVE-2010-0266
published 2010-07-15

Priority: P266
Severity: critical (CVSS 2.0 base score 9.3)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: yes
EPSS: 55.28% (98.9th percentile)
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability."

Affected (3 ranges)

Vendor      Product   Version range   Fixed in
microsoft   outlook
microsoft   outlook
microsoft   outlook

Detection & IOCs (extracted from sources)

  • filename: winmail.dat
  • command: PR_ATTACH_METHOD = ATTACH_BY_REF_RESOLVE (value 3): attprops << "\x03\x00\x00\x00" # Value data ATTACH_BY_REF_RESOLVE (3)
  • command: PR_ATTACH_METHOD = ATTACH_BY_REF_ONLY (value 4): attprops << "\x04\x00\x00\x00" # Value data ATTACH_BY_REF_ONLY (4)
  • other: MESSAGECLASS: IPM.Document.txtfile
  • other: Content-Type: application/ms-tnef
  • path: file://<host>/<path>/<random>.exe
  • path: file://<host>/<path>/<random>.exe?.dat
  • bytes: TNEF signature: \x78\x9f\x3e\x22
  • bytes: TNEF attAttachRenddata fixed bytes: \x01\x00\xff\xff\xff\xff\x20\x00\x20\x00\x00\x00\x00\x00
  • Detect malicious TNEF (winmail.dat) attachments containing MAPI PR_ATTACH_METHOD property set to ATTACH_BY_REF_RESOLVE (0x03) or ATTACH_BY_REF_ONLY (0x04) with a PR_ATTACH_LONG_PATHNAME pointing to a remote UNC or file:// path ending in .exe
  • Inspect inbound email for MIME parts with Content-Type 'application/ms-tnef' and attachment name 'winmail.dat'; parse the TNEF stream for the 0x223e9f78 signature followed by attAttachment (0x9005) blocks containing PR_ATTACH_METHOD values of 3 or 4
  • Alert on WebDAV OPTIONS/PROPFIND requests to port 80 from Outlook processes (WINWORD.EXE, OUTLOOK.EXE) immediately after opening a TNEF email, as the exploit triggers the WebDAV Mini-Redirector to fetch a remote .exe payload
  • Flag TNEF attachments where PR_ATTACH_LONG_PATHNAME (MAPI property 0x370d) contains a 'file://' URI or UNC path (\\host\share\) pointing to an executable, as this is the mechanism used to redirect execution to a remote file
  • Detect TNEF streams where the displayed filename extension (PR_ATTACH_LONG_FILENAME) is a benign image type (e.g., .jpg, .png) while PR_ATTACH_LONG_PATHNAME resolves to a .exe, indicating extension spoofing
  • Monitor for MAPI message class values 'IPM.Document.txtfile' or 'IPM.Document.jpegfile' in incoming messages, which are non-standard classes used by the exploit to disguise the malicious attachment
  • The Metasploit exploit requires SRVPORT=80 and URIPATH=/, neither of which can be changed; the WebDAV delivery mechanism only works over port 80
  • Exploitation is limited by the fact that attackers cannot supply command-line options to the executed file, restricting payload flexibility
  • The exploit is passive (user-assisted); the victim must double-click the attachment or message for code execution to occur
  • The ATTACH_BY_REF_ONLY variant appends '?.dat' to the remote .exe path in the pathname field, which may bypass naive URL-based detections that only look for bare .exe extensions
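The following is an added Python example, not code from cvebase or from the Metasploit module, that implements the TNEF walk described in the bullets above: check the 0x223e9f78 signature, iterate the attribute stream, decode the MAPI properties of attAttachment (0x9005) blocks, flag PR_ATTACH_METHOD values 3 or 4, and report whether PR_ATTACH_LONG_PATHNAME (0x370d) is a file:// or UNC path. It assumes only PT_LONG and string property types need decoding, and the sample TNEF bytes are constructed inline with a placeholder host (example.invalid).

```python
import struct
TNEF_SIGNATURE = 0x223E9F78                         # on the wire: 78 9f 3e 22
LVL_ATTACHMENT, ATT_ATTACHMENT = 0x02, 0x00069005  # attAttachment: MAPI props of the current attachment
PR_ATTACH_METHOD, PR_ATTACH_LONG_PATHNAME = 0x3705, 0x370D
BY_REFERENCE = {3: "ATTACH_BY_REF_RESOLVE", 4: "ATTACH_BY_REF_ONLY"}

def iter_tnef_attributes(data):
    """Yield (level, attribute id, payload) for each TNEF attribute; reject non-TNEF input."""
    if struct.unpack_from("<I", data, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6                                          # 4-byte signature + 2-byte attachment key
    while pos + 9 <= len(data):
        level, attr, length = struct.unpack_from("<BII", data, pos)
        yield level, attr, data[pos + 9:pos + 9 + length]
        pos += 9 + length + 2                        # skip the trailing 16-bit checksum

def parse_mapi_props(blob):
    """Decode PT_LONG and string properties of an attAttachment payload into {prop id: value}."""
    props, pos = {}, 4
    for _ in range(struct.unpack_from("<I", blob, 0)[0]):
        (ptype, pid), pos = struct.unpack_from("<HH", blob, pos), pos + 4
        if ptype == 0x0003:                          # PT_LONG: one 4-byte value
            props[pid], pos = struct.unpack_from("<i", blob, pos)[0], pos + 4
        elif ptype in (0x001E, 0x001F):              # PT_STRING8 / PT_UNICODE: value count, then (len, padded data)
            nvals, pos = struct.unpack_from("<I", blob, pos)[0], pos + 4
            for _ in range(nvals):
                ln = struct.unpack_from("<I", blob, pos)[0]
                props[pid] = blob[pos + 4:pos + 4 + ln].decode("utf-16-le" if ptype == 0x001F else "latin-1").rstrip("\x00")
                pos += 4 + ((ln + 3) & ~3)
        else:
            break                                    # other types are not needed here; stop rather than misparse
    return props

def find_by_reference_attachments(data):
    """Return (method name, pathname, is_remote) for every attachment whose PR_ATTACH_METHOD is 3 or 4."""
    findings = []
    for level, attr, payload in iter_tnef_attributes(data):
        props = parse_mapi_props(payload) if (level, attr) == (LVL_ATTACHMENT, ATT_ATTACHMENT) else {}
        if props.get(PR_ATTACH_METHOD) in BY_REFERENCE:
            path = props.get(PR_ATTACH_LONG_PATHNAME, "")
            findings.append((BY_REFERENCE[props[PR_ATTACH_METHOD]], path, path.lower().startswith(("file://", "\\\\"))))
    return findings
# Constructed test vector for the detector (not a captured message): one attachment, method 4, placeholder host.
def tnef_attr(level, attr, payload):
    return struct.pack("<BII", level, attr, len(payload)) + payload + struct.pack("<H", sum(payload) & 0xFFFF)
def str_prop(pid, text):
    raw = text.encode("latin-1") + b"\x00"
    return struct.pack("<HHII", 0x001E, pid, 1, len(raw)) + raw + b"\x00" * (-len(raw) % 4)
SAMPLE_TNEF = struct.pack("<IH", TNEF_SIGNATURE, 0x1234) + tnef_attr(LVL_ATTACHMENT, ATT_ATTACHMENT, struct.pack(
    "<IHHi", 2, 0x0003, PR_ATTACH_METHOD, 4) + str_prop(PR_ATTACH_LONG_PATHNAME, "file://example.invalid/share/photo.exe?.dat"))
```

Running `find_by_reference_attachments(SAMPLE_TNEF)` on the constructed vector yields one finding for ATTACH_BY_REF_ONLY with a remote path; an attachment stored by value (method 1) yields none.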