[15871] in bugtraq


Re: Buffer Overflow in MS Outlook Email Clients

daemon@ATHENA.MIT.EDU (chris.paget@ANALYSYS.COM)
Thu Jul 20 17:16:32 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <3975e20b.31832536@eagle.analysys.com>
Date:         Wed, 19 Jul 2000 17:22:19 GMT
Reply-To: chris.paget@ANALYSYS.COM
From: chris.paget@ANALYSYS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200007180825.SAA29093@rip.rip.org>
Content-Transfer-Encoding: 8bit

I have written, but not yet released, an exploit for this
vulnerability, which I call Antibody.  When emailed to a vulnerable
system, it downloads an application from the internet, and executes
it.  This application does two things.  Firstly, it emails the exploit
to everyone in the Outlook address book, and secondly it downloads and
installs the patch from Microsoft that fixes this issue.  Thus, as the
application spreads, the number of vulnerable systems reduces
exponentially.  It immunises systems against malicious exploits of
this nature - hence the name Antibody.

Since Bugtraq is a reasonable cross-section of the system administrator
population, I am wondering how its audience would react to the release of
such a tool?  Although it spreads like a virus, and could potentially
cause service outages due to excess traffic load (both because of the
patch and because of volume of email), this will be very temporary -
once all the systems on a network have been infected, they will all
function normally and be immunised against further exploits of this
nature.

Please let me know what you think of this - if I get enough positive
responses and few threats of legal action, I may release this as an
open-source application.  If so, Bugtraq will be the first to know.

Thanks,

Chris

-- 
Chris Paget
Software Engineer, Analysys Consulting.

chris.paget@analysys.com
mad.nutter@mindless.com



On Wed, 19 Jul 2000 20:02:27 +1000, you wrote:

>_______________________________________________________________
>
>Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients
>
>Date: 			18th July 2000
>Author:			Aaron Drew (mailto:ripper@wollongong.hotkey.net.au)
>Versions Affected: 	MS Outlook 97/2000 and MS Outlook Express 4/5
>
>_______________________________________________________________
>
>A bug in a shared component of Microsoft Outlook and Outlook Express mail
>clients can allow a remote user to write arbitrary data to the stack. This
>bug has been found to exist in all versions of MS Outlook and Outlook
>Express on both Windows 95/98 and Windows NT 4.
>
>The vulnerability lies in the parsing of the GMT section of the date field
>in the header of an email. Bounds checking on the token representing the GMT
>is not properly handled. This bug can be witnessed by opening an email with
>an exceptionally long string directly preceding the GMT specification in
>the Date header field such as:
>
>Date: Fri, 13 July 2000 14:16:06 +1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>The bug lies in the shared library INETCOMM.DLL and has been successfully
>exploited on Windows 95, 98 and NT with both Outlook and Outlook Express.
>
>The execution of this code is performed differently under each client. Under
>Outlook Express, the buffer overflow occurs as soon as the user tries to
>view the mail folder containing email with a malicious date header. Under
>Microsoft Outlook, the overflow occurs when attempting to preview, read,
>reply or forward any email with a malicious date header. Under MS Outlook a
>user may delete or save an email to disk without exploitation.
>
>Whilst some mail transport systems seem to modify 8-bit header data or lines
>over 70 characters in length preventing direct exploitation, these
>restrictions seem to be avoided by encoding a message with an exploit date
>field as a MIME attachment in Outlook's MIME attached message format.
>These messages also overflow the stack when read, previewed, replied to or
>forwarded.
>
>Microsoft was notified of this bug on July 3.
>
>Attached is a proof-of-point exploit that, when placed in the header
>field of a message or MIME attached message, will download and execute
>an executable from the web. (In this particular case it will launch MS Freecell)
>
>_______________________________________________________________
>
>DISCLAIMER
>
>The information within this document may change without notice. Use of
>this information constitutes acceptance for use in an AS IS
>condition. There are NO warranties with regard to this information.
>In no event shall the author be liable for any consequences whatsoever
>arising out of or in connection with the use or spread of this
>information. Any use of this information lays within the user's
>responsibility.
>
>_______________________________________________________________
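
The advisory above gives the bug class but not the parser; the following C is
an added illustration, not code from the advisory, from Microsoft, or from the
Antibody tool. It models the defect Aaron Drew describes (the zone token after
the time field copied into a fixed stack buffer with no length check), puts
the hardened form beside it, and adds the length check a mail gateway could
apply to the raw Date header before a vulnerable client sees it. The 8-byte
buffer, the TZ_MAX_LEN limit, the function names and both sample headers are
assumptions constructed for the example; the real INETCOMM.DLL buffer size
and parsing logic are not on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: a well-formed RFC 822 zone token is "+hhmm"/"-hhmm"
   (5 chars), "GMT", "UT", "EST" etc., or a single military letter. */
#define TZ_MAX_LEN 5

/* Constructed sample (not the advisory's exploit header). */
static const char SAMPLE_BENIGN[] = "Fri, 13 Jul 2000 14:16:06 +1000";

/* Build a Date value whose zone token is "+1000" followed by `pad` x's,
   mimicking the advisory's trigger. Returns a static buffer. */
const char *sample_malicious(size_t pad)
{
    static char buf[512];
    const char prefix[] = "Fri, 13 Jul 2000 14:16:06 +1000";
    size_t n = sizeof prefix - 1;
    if (pad > sizeof buf - n - 1) pad = sizeof buf - n - 1;
    memcpy(buf, prefix, n);
    memset(buf + n, 'x', pad);
    buf[n + pad] = '\0';
    return buf;
}

/* Locate the zone token: the whitespace-delimited token following the
   HH:MM[:SS] time field. Returns its start and stores its length in *len,
   or NULL when the header carries no time field. */
static const char *find_tz_token(const char *date, size_t *len)
{
    const char *p = date;
    /* the first "DD:" pattern marks the time field */
    while (*p && !(isdigit((unsigned char)p[0]) &&
                   isdigit((unsigned char)p[1]) && p[2] == ':'))
        p++;
    if (!*p) return NULL;
    while (isdigit((unsigned char)*p) || *p == ':') p++;  /* skip time */
    while (*p == ' ' || *p == '\t') p++;
    const char *start = p;
    while (*p && !isspace((unsigned char)*p) && *p != '(') p++;
    *len = (size_t)(p - start);
    return start;
}

/* Length of the zone token, or 0 when absent: the quantity a gateway
   filter checks before handing mail to a client that cannot. */
size_t tz_token_length(const char *date)
{
    size_t len = 0;
    return find_tz_token(date, &len) ? len : 0;
}

int date_header_is_suspicious(const char *date)
{
    return tz_token_length(date) > TZ_MAX_LEN;
}

/* The bug class reduced to its essence: the zone token is copied into a
   fixed stack buffer with no length check. Fed sample_malicious(60) this
   smashes the stack; main() below only passes it the benign sample.
   Returns the token's first character. */
int parse_tz_unchecked(const char *date)
{
    char tz[8];                 /* assumed size: "+1000" plus terminator */
    size_t len;
    const char *tok = find_tz_token(date, &len);
    if (!tok) return 0;
    memcpy(tz, tok, len);       /* len is never compared with sizeof tz */
    tz[len] = '\0';
    return tz[0];
}

/* Hardened form: the caller supplies the buffer, and an oversized token is
   rejected rather than silently truncated. Returns 0 on success. */
int parse_tz_checked(const char *date, char *out, size_t outsz)
{
    size_t len;
    const char *tok = find_tz_token(date, &len);
    if (!tok || len >= outsz) return -1;
    memcpy(out, tok, len);
    out[len] = '\0';
    return 0;
}

/* Does the token fit the same 8-byte buffer the unchecked parser uses?
   1 = accepted, 0 = rejected. */
int tz_accepted(const char *date)
{
    char tz[8];
    return parse_tz_checked(date, tz, sizeof tz) == 0;
}

int main(void)
{
    const char *bad = sample_malicious(60);
    printf("benign: len=%zu suspicious=%d accepted=%d sign=%c\n",
           tz_token_length(SAMPLE_BENIGN), date_header_is_suspicious(SAMPLE_BENIGN),
           tz_accepted(SAMPLE_BENIGN), parse_tz_unchecked(SAMPLE_BENIGN));
    printf("padded: len=%zu suspicious=%d accepted=%d\n",
           tz_token_length(bad), date_header_is_suspicious(bad), tz_accepted(bad));
    return 0;
}
```

Two caveats follow from the advisory itself. A gateway check on the top-level
Date header is not enough, because the malicious header can ride inside an
attached message and still overflow on preview; the same length check has to
run over the headers of every message/rfc822 part. And because some transports
fold or rewrite long header lines, the check must be applied to the header as
the client will parse it, after unfolding, not to the wire form.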
