Bugtraq mailing list archives
Re: Buffer Overflow in MS Outlook Email Clients
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Fri, 21 Jul 2000 10:57:38 -0700
There were so many responses to this thread I am summarizing them all into a single message. Please keep in mind that just because I allow something on the list does not mean I approve of it. Personally I think this is a bad idea for all the reasons I have in my reply to the SANS message and more. Nonetheless it's technically interesting and I wanted to know your opinion.

--------------------------------------------------------------------------
Chris Paget <chris.paget () analysys com>

After several beers and a lot of emails (around a hundred so far, and still counting), I have decided not to release this. Quite honestly, I just don't have the balls for all the lawsuits. In its current form, Antibody will never be released. To anyone. Don't bother asking.

However, it is only a matter of time before *someone* releases something like this - it's the only way that the good guys can even compete on a level field with the virus writers and hackers.

I may later release a more "user-friendly" and polite version of Antibody - one that asks before it does anything. However, I'm not even sure if that is a good idea, so it will probably just get deleted.

Thanks for all the replies,

--------------------------------------------------------------------------
Robert Harvey <RobertH () PredictPoint com>

I have to say that I find these approaches highly disturbing. This "Antibody" IS a virus, whether its intent is harmful or benign. Releasing this in your described manner is, in my opinion, not only dangerous, but also sets a dangerous precedent. It is the responsibility of System Administrators to update their own systems - not other people's. The release of this tool is also a dubious idea, given that many areas have begun (or already have) to introduce legislation making this illegal. All it would take is a few systems damaged by this tool, and serious legal and financial consequences would be the result.

I believe that we should stick to the current model of full disclosure, vendor (or trusted third party) patches, and Administrator diligence.

--------------------------------------------------------------------------
DeAvillez, Carlos <Carlos_DeAvillez () stercomm com>

This is a good idea, but... What worries me is the potential for abuse. How can a remote admin know this is NOT a bad worm? If this could be contained in one single domain (which is to say, under one single "company"), then I can even see this being used. Otherwise, we are prone to create an even bigger mess -- the case where the medicine can kill the patient. This is highly uncontrollable, and easily abused. I can even think of the name for the first crack: Antib0dy.

--------------------------------------------------------------------------
Joel Epstein <joele () iws-irms com>

While I feel that system-spread patching is a wonderful concept, simply releasing this virus-like methodology is a mistake. Although I am all for truth in security, simply posting an easy routine such as this will allow low-grade malicious users to easily create the sort of Outlook-spread bug that has crippled so many of the world's computer systems as of late.

--------------------------------------------------------------------------
Martin S. Hasemann <ozone () isoc net>

Just the sheer number of mails generated will shut things down just like LoveBug did. Nice of you to tell everyone who started this one though. I'm sure you'll get lots of nice hatemail from 1000's of adoring fans if something like this does come out :) Sell your computer before it's too late.

--------------------------------------------------------------------------
Markus Kern <markus-kern () gmx net>

Yes, but the load on the server hosting your fixing program will also increase exponentially. I think the only solution is to include the entire fix in the email. That will increase mail server load though.

I'm not a system administrator but I think this method will cause more problems than it prevents. The load on the mail servers is simply too much if it spreads like the ILY worm. Maybe delaying the resending of the email would limit the impact. But I think system administrators will eventually filter emails containing the overflow and thereby stop your 'fix'.

--------------------------------------------------------------------------
The Hawklord <hawklord () xmission com>

Do you know how much damage this could cause? It would take down mail servers all over the world. It would spread hundreds of times faster than Melissa or ILOVEYOU. People would claim hundreds of millions of dollars worth of damage. And the focus would be on you. PLEASE DO NOT DISTRIBUTE THIS!!!!

--------------------------------------------------------------------------
Nick FitzGerald <nick () virus-l demon co uk>

The suggestion is unethical in the extreme and the mere fact that you even had to ask raises questions as to your suitability to be allowed access to programming tools, let alone a broad, distributed network like the Internet. Further, I am appalled that Elias even considered posting your message.

Think about it this way -- I do not want code like that arriving here. How are you going to stop that happening? If you cannot, you have no "right" to release it. (And don't be so naive as to suggest adding filtering of my address. First, I clear Email from multiple addresses in multiple domains. Second, as you have not asked everyone who may receive it, this "complaint" has to be considered a likely response from at least one other person to whom you have not addressed the "request".)

One is left wondering what could possess a sane person to even waste time working on such a project...

--------------------------------------------------------------------------
Juraj Bednar <bednar () rak isternet sk>

I think it's a great idea, with one add-on. A dialog box to confirm this (i.e. it will ask if it could mail it further and ask if it could install that damn thing). Even, I think a virus to fix a vulnerability is a new nice concept and I fully agree with it.

--------------------------------------------------------------------------
Jay Lessert <jayl () latticesemi com>

Assuming you're really Chris Paget, and assuming you're serious (the headers looked a bit like an open forwarder)-- Unless you're frightfully clever about the "downloads and installs the patch from Microsoft" bit, all you're going to do is *really* piss off admins behind firewalls and proxy servers.

--------------------------------------------------------------------------
David Foster <foster () dim ucsd edu>

Personally, I wouldn't like it. In fact I think this is a terrible idea. If I want my systems "vaccinated", I will do it myself; I don't want ANY outside intrusion, no matter how well intentioned it may be. A virus is a virus, no matter what it does. You are just perpetuating the practice.

--------------------------------------------------------------------------
David Hansen <dhansen () salug org>

The current "patch" from Microsoft is an application which the users of the Outlook email program may not have installed and, if so, more than likely do not have it installed intentionally. (Remember, your victims will not only be personal (civilian) users but corporate and military users as well.) What you describe is intrusion and vandalism of their systems and theft of their "choice" in the matter, regardless of your intentions. As well as robbing them of the bandwidth you'll be sucking up during this time. Also, how do you propose to deal with the abuse of spamming everyone in their address books with unsolicited, potentially harmful emails?

And how do you propose to deal with some of your recipients using some email client _other_ than the Windows-based Outlook, and your intentionally malformed, intentionally secretively mass-spread email causing their email clients to crash or behave in some other unexpected and possibly destructive manner that you aren't aware of?

You should consult a lawyer before you attempt to set out on an illegal matter rather than requesting the permission of the subscribers of this (or any) mailing list. Where do you get off thinking that you are justified in intentionally causing _any_ form of outage or overload?

What makes you think that the "patch" you have just forced your victims to install has not just opened up another security hole or multiple security holes which may, in the future, be even more debilitating to some of your unwitting victims? How can you also pretend to guarantee that every victim system you infect will "function normally" when you are finished invading them and robbing them of their rights? Aside from the above mentioned security issues which you secretly introduce to them, is it so inconceivable that you may attack some disk-space-starved critical system and crash it as a result of trying to install bloatware on it? Or do the same to some disk-space-starved workstation belonging to someone who is working late, or on a weekend, on a project/report of some fashion (maybe even working just minutes before it's due in a meeting) and you trash their system, resulting in the loss of any unsaved material at the time. And worse yet, there either isn't an IT person around or there just isn't time for one to be of any saving use. Any pre-existing condition of a system or situation would be their fault, but any action of yours on their systems is completely your fault and no one should have to suffer at your hands.

In short, it isn't your decision to make. You don't have the authority and you do not have the right.

If you want to take a stab at being the world's saviour against useless software then put some thought and logic into it and make some publicly accessible interface that people can _choose_ to connect to that will verify the vulnerability of their systems and give the person the _choice_ to have the interface patch the system for the user.

--------------------------------------------------------------------------
<nate.09 () whatever net>

I'd *really* rather not see this sort of thing catch on. I've no doubt that your intentions are good, but... the 'original' (RTM) internet worm was supposed to be innocuous too, and a minor bug turned that little project into an internet outage.

And even if *your* code is flawless, what if Microsoft's 'fix' doesn't work? Do you trust Microsoft enough to rely on their work in a project that could well land you in court alongside the guy who wrote Melissa? If you do your job flawlessly and their fix doesn't fix, it sounds like the antibodies will behave much like the Melissa virus, shutting down mail servers left and right. When you get sued, you can try to shift the blame to Microsoft, but I'd be surprised if that tactic worked.

Or worse yet, what if Microsoft's fix opens up yet another security hole? What if it ended up reactivating the Windows Scripting Host, of all things? Your 'antibody' becomes a vector for worse diseases, and a bunch more lawyers get rich at your expense.

The 'network immune system' is a cool idea, but I don't think it's ready for prime time yet. Heck, there are a number of people walking around whose own immune system poses a danger to them from time to time. My girlfriend is one of them. Nature has had a very long time to refine the idea, and it still doesn't get it right every time. Do you think you and Microsoft can team up and do better? :-)

--------------------------------------------------------------------------
Howard Lowndes <lannet () lannet com au>

Whilst your motives might be seen as being philanthropic, your methods are illegal. What you are proposing is still a worm virus and alters data on computers to which you do not have authorised access. Try it in Australia and you are facing a 10 year jail term under the Crimes Act. Not recommended.

--------------------------------------------------------------------------
Mike Crawley <mcrawley () megsinet net>

This sounds like a security risk to most networks. It may be better for you to distribute a method by which administrators can manage the process from within their environments, i.e. publish the MS and other relevant fix web sites as well as the preventative procedures and allow administrators to roll out/administer its implementation. Just a thought, as security usually dictates internal control of the LAN/WAN and not from outside.

--------------------------------------------------------------------------
<romper () system78 com>

I think this would be a good idea if it could be applied to target a specific company (ie, you specify the domain of addresses that the program would target, thus preventing it from leaving your network and wreaking havoc on a less-prepared network). Another alternative is to simply disable the "spreading" feature of the program and to mail it (as an "update") to everyone on the company's global list. While well-intentioned, many sysadmins would be furious to have an unknown program propagating across their networks.

--------------------------------------------------------------------------
Jason Brown <jtb () atei com>

I would like someone to do this to our networks as much as I would like someone to walk in with an unknown floppy disk and start running it on every machine we've got while we closed our eyes and hoped they would not break anything. The patch is available from Microsoft.

Education is the long term key to successful security, not a virus that goes around the admins and tries to fix things for them. Also, with your exploit open-sourced, there is nothing to stop somebody from rewriting the code to install a good backdoor program instead of the patch. Just about the time a user feels good about being exploited because it was supposed to fix things, they've got BO2K. Cool. No thanks for me, I'll double check and make sure all machines are patched instead.

--------------------------------------------------------------------------
der Mouse <mouse () Rodents Montreal QC CA>

This is an elegant idea. But three things come to mind:

(1) This would be a *major* pain in the ass to people who don't use LookOut but are in the address books of people who do. I think about the number of copies of ILOVEYOU and its knockoffs that I got, and that one was blatant and rapidly squashed. A stealthier one could seriously mailbomb people using non-Redmond MUAs.

(2) What about the second and later times it's received by people who *do* use Outlook? Are they going to get mailbombed similarly?

(3) How is it any more ethical to release an email virus just because *your* intentions are good and it doesn't do any "real damage"? (Besides which, who are you to arrogate to yourself the decision to patch someone's system?)

You touched on this when you mentioned some of the other side effects of an email virus, like mailserver load.

--------------------------------------------------------------------------
Patrick R. Mullen <prmullen () dreamscape com>

With regards to your "Antibody" idea, I must insist that you refrain from releasing this code into the wild. While your intentions are benign, the code would only serve to inspire a whole host of "malware" projects on the part of the VX community.

Also, it wouldn't take much time for someone to "spoof" your "Antibody" program and create a nastier version [with some hidden backdoor trojan or virus launcher added to your original design]. I'm afraid that while your idea is theoretically sound, the real world is just not ready for "Inoculation Virii" of the type you are proposing to release.

At this point in time, I would strongly recommend that you send samples of your "Antibody" code to the anti-virus industry [some of whom are in the "cc" address header above], just in case someone uses the same propagation mechanism [but with a "malware" payload]. If you have any questions, please feel free to contact me at any time!

--------------------------------------------------------------------------
Gale, Bill <bgale () chi navtech com>

This is an interesting concept, but in discussion with my colleagues, we have concluded that we should resist taking this avenue. Why?

1. Such a propagation mechanism for antibodies would create a situation where people would pay less attention to emails which are of this nature, the majority of which at this point are harmful.

2. It is possible for the antibody in itself to be infected by a hacker, which would be hard to detect by the average recipient. This would create the need for an antibody to the antibody. The net result is that nobody would trust antibodies after the first antibody infection.

--------------------------------------------------------------------------
Ryan Russell <ryan () securityfocus com>

Hoo boy... we're really gonna go down this road? OK, here's my list..

- First off... I'm not opposed to writing such a beast. I support people's right to write exploits/viruses/trojans/worms/etc... I have a problem with people *releasing* them. See below.

- Does your code take advantage of the signed code stuff from MS? I have my users use the Windowsupdate site only because of the code signing. I give MS credit for being able to manage their signing key properly. If it doesn't, then I don't know what I ended up downloading, do I?

- What does it download? IE 5.01 SP1? IE 5.5? Windowsupdate makes a bunch of determinations about what you have now before handing over any recommendations about what to download. For example, if your "fix" is to take people to IE 5.5, that doesn't help W2K. If you go to IE 5.01 SP1, then you just downgraded my Win98 box. What happens when the worm is still alive when IE 5.51 comes out with security fixes? If by some fluke the Outlook bug is still active or re-introduced in that version, are you going to keep people going back to 5.5?

- What about other e-mail clients? Personal experience has shown that these types of problems tend to affect multiple clients. What if Eudora (for example, no specific knowledge) blows up in the same way, but the offsets are different enough so that your BO doesn't work, and the person can't use their e-mail anymore?

- Speaking of offsets, does your code work across every variant of Windows? How about NT on Alpha? Listen to the vulnerability scanner vendors for stories about how fun it is to try to get a clean exploit to exercise. Doesn't Outlook run on the Mac? I haven't heard anything about how this affects the Mac platform.

- How do I tell your exploit apart from a modified one that is less friendly? I don't want to try and train people to distinguish good vs. evil exploits. How do I know if your "good" exploit is "good" anyway? How do I know you're not just out to log info on every Outlook user in the world?

- What if I didn't want my box patched? What if I was working on my own exploit, and you came along and patched my box?

- What about DNS spoofing for any of the downloads?

- What about connection hijacking for any of the downloads?

- Who has the server infrastructure to serve a copy of IE to every Outlook user in the world in like a 24-hour period? What if the modem user didn't really want to download 18MB right that second?

- If there's some sort of limiting function (so it can only be run within an enterprise, for example) how does that work? If Netscape and Microsoft can't get it right for "Intranet Zone" purposes, how can you?

- What if the install bombs? I put IE 5.5 on my home machine today. It tried to reboot without asking me, and then after I let it reboot, it hung on ie4uinst upon bootup, which I had to kill manually (Why it did that, I don't know... I've had IE 5 something forever.) I hope no admin leaves their Outlook running on a production server that they really, really didn't want rebooted.

- Did you get the $500 from SANS?

This is just the list of stuff that I thought of immediately, I'm sure there's lots more.

--------------------------------------------------------------------------
Thomas May <tommay1 () hotmail com>

Great intentions with this, however I do think you are right to say that there is the potential for service outages due to heavy traffic load. Also, what if the site that downloads the patch is temporarily inaccessible? Not to mention that the media would have a field day and call it a "virus" since those "bad hackers" make a much better story than the good guys like you do. I would be extremely careful with the use of e-mail, since so many destructive virus authors have used it in a negative manner.

--------------------------------------------------------------------------
Daniel Holdsworth <drh () supanet net uk>

Well, the concept is a good one, barring the possible bug that an earlier poster mentioned (in short, no Windows Scripting Host = no download from Microsoft site), but I would please ask that you do not distribute it. At the moment, the world population of "skript kiddies" know about the exploit, but a large proportion won't know how to exploit it. Your Antibody system is effectively a worked example on how to turn the buffer overflow from a curiosity into an actual tool, and as such is not something anyone would like to see distributed.

So, I'm sorry but although it is a very neat idea and is technically highly effective, it is not something I would want to see the light of day right at the moment.

--------------------------------------------------------------------------
Eric Chien <ecchien () yahoo com>

This is an EXTREMELY BAD idea IMHO. You have absolutely no control of this once it is released. Remember that VBS.LoveLetter and W97M.Melissa both mailed addresses in one's Outlook address book and not even _all_ the addresses.

As for the idea that this is 'very temporary', please remember that once the mail server goes down, your patch isn't moving on to the client anymore. If it isn't moving on to the client, nothing is getting fixed or 'executed' anymore so, the logic of 'once all the systems on a network have been infected' doesn't hold since, if the mail server goes down machines can no longer be infected.

How about all the people who don't use Outlook (Express) who are going to receive your mail? How about all the people who are using already patched Outlook (Express)? How do you expect an average user who doesn't update their system normally to react when suddenly, when they read their mail, an installation/patch routine begins?

The equivalent disruption would be allowing me to shut down your mail server whenever I want and say you had pcAnywhere installed with an account for me and allowed me to remotely access your computer and let me launch installation routines whenever I want and reboot your machine even while you may have been in the middle of working on something extremely important without me asking you first. Ask yourself if you are willing to allow that to happen on your own system first.

There are a million other reasons why you shouldn't do this and I'm hoping the rest of the community will chime in and state them.

On constructive notes, large corporations obviously shouldn't need such a program as they 1) generally like to test all upgrades to their users' systems first, 2) have software distribution systems in place, 3) can often use login scripts, etc. Smaller organizations without the ability to use the above means obviously have the need for some software distribution ability, but this isn't the way to go about it because obviously you will hit a huge population that is in no way affected and in no way under your system administration jurisdiction.

Although I work for the Symantec AntiVirus Research Center (echien () symantec com), the above opinions are my own. However, I am almost certain this would be added to the definition set should we receive a sample. My educated guess is our customers would want the addition of such an executable.

Please reconsider what you are about to release.

--------------------------------------------------------------------------
Mariusz Woloszyn <emsi () ipartners pl>

If I'm an evil hacker I probably own a host that is a gateway, so I can use it to fool your 'curing virus' to download an evil code.

--------------------------------------------------------------------------
Lincoln Yeoh <lyeoh () pop jaring my>

That's one way to fix a problem but in my opinion such unauthorised alteration to computer systems is illegal in most places and even if it isn't illegal, it's very very impolite. Infecting people _without_ their permission is rude (and probably illegal in most places) even if it's for their own good. This applies to computer and human viruses and other similar stuff e.g. touching people's stuff without their permission [1].

Also, there could be side effects that we are unaware of as yet. Are you willing to take the responsibility for nasty side effects? In the human health field, normally extensive tests are done. And even so, the use of self-replicating viruses is too dangerous in my eyes; such use would be very irresponsible.

For there could be other people who would modify your innocuous virus and transform it to something less innocuous (biological viruses could mutate). Then things could get extremely messy and nasty.

I personally do not think it's a good idea to release such a virus to the public, despite certain organisations encouraging such behaviour. People have got to be advised of the risks etc, and willingly ask to be inoculated; then only you jab them and just them. Doing otherwise is going down a slippery and dangerous slope.

But I'm sure other people have a different opinion.

[1] If it's amongst friends/friendly neighbours such behaviour may be acceptable, but not amongst strangers. You can lock your friend/neighbour's door and tell him/her later. But doing so to a stranger could get you in trouble - you could be locking them out of their own houses/cars (maybe they misplaced their key :) ), and they could prosecute you. Whereas in a similar situation, your friends would scold you, but still forgive you since it's for their own good and you're all friends. Sure we are all neighbours, <2000 msecs away. But unfortunately we're not all friendly neighbours :(.

--------------------------------------------------------------------------
"Jeffrey R Eaves" <jre () pobox com>

Personally, I find even the thought of releasing any such software in the wild to be a down-right 'no-no'. Do you want to be liable for downtime, damages or other costs from innocent victims? Can you be sure you won't break someone's not-so-standard setup?

By all means make such a tool available, but with the viral propagation aspect removed. In other words, without this, you don't have a product at all. Leave people to address these security issues themselves. The announcements from M$, securityfocus and other places serve as sufficient notice for people to correct these holes by applying patches or upgrading as the case may be.

Do you know how long a packet storm created by such a technique would last? Given the number of M$ boxes I would suggest several days or longer. Do I want the internet to respond poorly for this amount of time? No thanks. I had removed this vulnerability already.

--------------------------------------------------------------------------
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum