Bugtraq mailing list archives

Outlook winmail.dat

From: Bryce Walter <brycewalter () HOTMAIL COM>
Date: Thu, 24 Aug 2000 20:36:40 GMT

When a message is sent from Outlook in RTF format, Outlook attaches a file
named winmail.dat.  This file is used for transmitting the RTF-specific
formatting information.  If the recipient opens the email in Outlook they
will not see the attachment.  Additionally, default behaviour of Exchange
Server 5.5 appears to strip the attachment from messages going to recipients
external to the orginization.

In the situation of an Outlook user with a POP3/SMTP account (such as their
ISP) sending a message to someone who uses an email client other than
Outlook (a Hotmail account for example) the recipient will see winmail.dat
listed as an attachment.  Upon opening winmail.dat with a text viewer you
can clearly make out a line that contains the full path to the .pst location
on the sender's hard drive.  Since this is located by default in the users
profile directory, you can see the sender's NT account name as well as the
domain name.

The attachment of winmail.dat in Outlook RTF emails is documented in MS KB
articles.  They detail how to prevent the attachment of winmail.dat
(configure the removal at the Exchange Server level, or don't use RTF
formatting in your Outlook client).  However they do not document what is
contained in winmail.dat.  Upon contacting secure@microsoft about this (4
months ago) I was informed a KB article detailing the contents of
winmail.dat would be forthcoming (I cannot yet locate anything on their
site).

This behaviour was seen in Outlook 2000.  I have not tested previous
versions of Outlook, but judging by the KB articles, previous versions of
Outlook have the exact same behaviour in regards to winmail.dat as Outlook
2000.

As a side note it would be an interesting excercise to see if Outlook is
susceptible to a message with a malformed winmail.dat attached.  One could
theoretically use winmail.dat to hit on holes in either Outlook itself, or
the Outlook RTF engine (Outlook does not use the same RTF engine as
Wordpad).

regards,
Bryce
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

Current thread:

Outlook winmail.dat Bryce Walter (Aug 24)
- Re: Outlook winmail.dat Signal 11 (Aug 25)
  - xchat Joseph Nicholas Yarbrough (Aug 28)
- Re: Outlook winmail.dat John D. Hardin (Aug 25)