Microsoft Outlook 97/98/2000/4/5 Address Book Spoofing Vulnerability

ID EDB-ID:20899
Type exploitdb
Reporter 3APA3A
Modified 2001-06-05T00:00:00


Microsoft Outlook 97/98/2000/4/5 Address Book Spoofing Vulnerability. CVE-2001-1088. Remote exploit for windows platform


Outlook Express is the standard e-mail client that is shipped with Microsoft Windows 9x/ME/NT.

The address book in Outlook Express is normally configured to make entries for all addresses that are replied to by the user of the mail client. An attacker may construct a message header that tricks Address Book into making an entry for an untrusted user under the guise of a trusted one. This is done by sending a message with a misleading "From:" field. When the message is replied to then Address Book will make an entry which actually replies to the attacker. 

Situation: 2 good users Target1 and Target2 with addresses and and one bad user Attacker, Imagine Attacker wants to get
messages Target1 sends to Target2. Scenario:

1. Attacker composes message with headers:

From: "" <>
Reply-To: "" <>
To: Target1 <>
Subject: how to catch you on Friday?

and sends it to

2. Target1 receives mail, which looks absolutely like mail received from and replies it. Reply will be received by Attacker. In this case
new entry is created in address book pointing NAME "" to

3. Now, if while composing new message Target1 directly types e-mail
address instead of Target2, Outlook will compose address as
"" <> and message will be received by Attacker.