[16385] in bugtraq
Re: Outlook winmail.dat
daemon@ATHENA.MIT.EDU (Signal 11)
Fri Aug 25 14:02:25 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <NEBBKPCNALMEJENIHFBIIECPCAAA.signal11@mediaone.net>
Date:         Thu, 24 Aug 2000 23:06:27 -0500
Reply-To: Signal 11 <signal11@MEDIAONE.NET>
From: Signal 11 <signal11@MEDIAONE.NET>
X-To:         Bryce Walter <brycewalter@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <LAW2-F305bYiMCIqtQv0000069d@hotmail.com>

> formatting in your Outlook client).  However they do not document what is
> contained in winmail.dat.  Upon contacting secure@microsoft about this (4
> months ago) I was informed a KB article detailing the contents of
> winmail.dat would be forthcoming (I cannot yet locate anything on their
> site).

Yes, that KB article is on display on the bottom of a locked filing
cabinet stuck in a disused lavatory with a sign on the door saying
'Beware of the Leopard.' In other words, no such article exists.

> As a side note it would be an interesting exercise to see if Outlook is
> susceptible to a message with a malformed winmail.dat attached.  One could
> theoretically use winmail.dat to hit on holes in either Outlook itself, or
> the Outlook RTF engine (Outlook does not use the same RTF engine as
> Wordpad).

My mail is sent via SMTP to a server in my domain (the server is Qmail's
SMTP daemon) and then fed back to me over IMAPv4; the file appears as
an attachment. The Outlook client makes no attempt to interpret the file,
and I can even save it to the desktop. It would be difficult to exploit
something that Outlook does not process. I have Outlook 2000 as well
(see message headers for the version), and was not able to reproduce
this.

~ Signal 11