#Exploit Author : Rahul Pratap Singh

#Home page Link : http://www.outlook.com

#Website : 0x62626262.wordpress.com

#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94

#Date : 12/11/2016

—————————————-

Description:

—————————————-

Microsoft Outlook Mail Server was not able to handle an image of 1×1 pixel and behaved aberrantly.

—————————————-

Impact:

—————————————-

Send an email from an Outlook email ID to another Outlook user. It will flood the inbox within 24 hrs, i.e. approx. 2400 emails will be received by the user.

—————————————-

POC:

—————————————-



Vulnerability Disclosure Timeline:

→ April 09, 2015 – Bug discovered, initial report to Microsoft Security Team.

→ April 10, 2015 – Response from Microsoft, report sent for investigation.

→ April 11, 2015 – Response from Microsoft, problem in reproducing the issue.

→ April 14, 2015 – POC video is sent.

→ April 14, 2015 – Response from Microsoft, POC video sent to analyst for investigation.

→ April 15, 2015 – Response from Microsoft, a case number is assigned to this report.

→ June 06, 2015 – Response from Microsoft, a patch has been deployed, and Hall of Fame awarded.

→ March 11, 2016 – Bug still exists, sent report again to Microsoft Security Team.

→ March 11, 2016 – Response from Microsoft, a case number is assigned to this report.

→ May 11, 2016 – Response from Microsoft, a patch has been deployed, and Hall of Fame awarded.

→ Sept 13, 2016 – Bug still exists, sent report again to Microsoft Security Team.

→ Sept 14, 2016 – Response from Microsoft, this is an old issue which I reported. He suggested sending an email on that specific case thread to let the case manager know.

→ Sept 14, 2016 – Told MSRC when I found this bug (2015), how it was handled by different MSRCs, and that the bug still exists. Submitting this report a 3rd time.

→ Sept 15, 2016 – Response from Microsoft, little appreciation. Report sent to MSRC engineer to review.

→ Sept 15, 2016 – Response from Microsoft, problem in reproducing the issue.

→ Sept 15, 2016 – New POC video is sent.

→ Nov 11, 2016 – Response from Microsoft, a patch has been deployed, and Hall of Fame awarded.

→ Nov 12, 2016 – Full Disclosure