Secure Target Network (Security Advisory October 27, 2002)
Topic: OE DBX Exposure
Discovery date: October 02, 2002
Discovered by: Kaveh Mofidi
External: Security Tracker, Bugtraq, Secunia
Affected applications and platforms:
All versions of Outlook Express on any Windows platform
Introduction
You already worked with .dbx files, storing and managing your messages under OE. A default folder takes care of them:
%windrive%\Documents and Settings\User Profile\Local Settings\Application Data\Identities\{Class ID}\Microsoft\Outlook Express
All of your messages will give named by their folders and all folders are defined at Folders.dbx file.
When you delete your messages, they move on Deleted Items.dbx (Deleted Items folder), so when you exit from OE, they must gone but this isn’t happening.
Even when you choose “Empty messages from the ‘Deleted Items’ folder on exit” they remain in both yourfolder.dbx and Deleted Items.dbx files.
Exploit
As you can probably see, this may effect in a wide range of exposure attacks; no escalation of privileges or any other system compromise directly happen. So, anybody with physical access to your computer would be the reader of your email messages and any private information there.
Workaround
Manipulating messages and folders containing them may change the way OE refresh its operations but also may lead to leaving more and more DBX files exposed. The only solution to this issue is to deleting the whole target folder.
Tested on
Outlook Express 6.0.2600.0000 on Windows XP
Outlook Express 6.0.2600.0000 and 6.0.2800.1106 on Windows 2000 SP3
Feedback
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net )
SECURE TARGET, Cyber Security Research