Bugtraq mailing list archives

Re: Buffer Overflow in MS Outlook Email Clients


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Fri, 21 Jul 2000 10:57:38 -0700


There were so many responses to this thread I am summarizing them all into
a single message. Please keep in mind that just because I allow something
on the list does not mean I approve of it. Personally I think this is a
bad idea for all the reasons I have in my reply to the SANS message and more.
Nonetheless it's technically interesting and I wanted to know your
opinion.

--------------------------------------------------------------------------
Chris Paget <chris.paget () analysys com>

After several beers and a lot of emails (around a hundred so far, and
still counting), I have decided not to release this.  Quite honestly,
I just don't have the balls for all the lawsuits.

In its current form, Antibody will never be released.  To anyone.
Don't bother asking.

However, it is only a matter of time before *someone* releases
something like this - it's the only way that the good guys can even
compete on a level field with the virus writers and hackers.

I may later release a more "user-friendly" and polite version of
Antibody - one that asks before it does anything.  However, I'm not
even sure if that is a good idea, so it will probably just get
deleted.

Thanks for all the replies,
--------------------------------------------------------------------------
Robert Harvey <RobertH () PredictPoint com>

I have to say that I find these approaches highly disturbing. This
"Antibody" IS a virus, whether its intent is harmful or benign.
Releasing this in your described manner is, in my opinion, not only
dangerous, but also sets a dangerous precedent. It is the
responsibility of System Administrators to update their own systems -
not other people's.  The release of this tool is also a dubious idea,
given that many areas have begun to introduce (or already have introduced)
legislation making this illegal. All it would take is a few systems
damaged by this tool, and serious legal and financial consequences
would be the result.  I believe that we should stick to the current
model of full disclosure, vendor ( or trusted third party) patches,
and Administrator diligence.
--------------------------------------------------------------------------
DeAvillez, Carlos <Carlos_DeAvillez () stercomm com>

This is a good idea, but...

What worries me is the potential for abuse. How can a remote admin know this
is NOT a bad worm?

If this could be contained in one single domain (which is to say, under one
single "company"), then I can even see this being used. Otherwise, we are
prone to create an even bigger mess -- the case where the medicine can kill
the patient. This is highly uncontrollable, and easily abused. I can even
think of the name for the first crack: Antib0dy.
--------------------------------------------------------------------------
Joel Epstein <joele () iws-irms com>

While I feel that system spread patching is a wonderful concept, simply
releasing this virus-like methodology is a mistake. Although I am all for
truth in security, simply posting an easy routine such as this will allow
low-grade malicious users to easily create the sort of outlook spread bug
that has crippled so many of the world's computer systems as of late.
--------------------------------------------------------------------------
Martin S. Hasemann <ozone () isoc net>

Just the sheer number of mails generated will shut things down just like
lovebug did. Nice of you to tell everyone who started this one though. I'm
sure you'll get lots of nice hatemail from 1000's of adoring fans if
something like this does come out :) Sell your computer before it's too
late.
--------------------------------------------------------------------------
Markus Kern <markus-kern () gmx net>

Yes, but the load on the server hosting your fixing program will also
increase exponentially. I think the only solution is to include the
entire fix in the email. That will increase mail server load though.

I'm not a system administrator but I think this method will cause more
problems than it prevents. The load on the mail servers is simply too
much if it spreads like the ILY worm. Maybe delaying the resending of
the email would limit the impact.
But I think system administrators will eventually filter emails
containing the overflow and thereby stop your 'fix'.
--------------------------------------------------------------------------
The Hawklord <hawklord () xmission com>

Do you know how much damage that this could cause?

It would take down mail servers all over the world. It would
spread hundreds of times faster than Melissa or ILOVEYOU. People
would claim hundreds of millions of dollars  worth of damage. And
the focus would be on you.

PLEASE DO NOT DISTRIBUTE THIS!!!!
--------------------------------------------------------------------------
Nick FitzGerald <nick () virus-l demon co uk>

The suggestion is unethical in the extreme and the mere fact that you
even had to ask raises questions as to your suitability to be allowed
access to programming tools, let alone a broad, distributed network
like the Internet.

Further, I am appalled that Elias even considered posting your
message.

Think about it this way -- I do not want code like that arriving
here.  How are you going to stop that happening?  If you cannot, you have
no "right" to release it.  (And don't be so naive as to suggest
adding filtering of my address.  First, I clear Email from multiple
addresses in multiple domains.  Second, as you have not asked
everyone who may receive it, this "complaint" has to be considered a
likely response from at least one other person to whom you have not
addressed the "request".)

One is left wondering what could possess a sane person to even waste
time working on such a project...
--------------------------------------------------------------------------
Juraj Bednar <bednar () rak isternet sk>

I think it's a great idea, with one add-on. A dialog box to confirm this
(i.e. it will ask if it could mail it further and ask, if it could install
that damn thing).

Also, I think a virus to fix a vulnerability is a nice new concept and I fully
agree with it.
--------------------------------------------------------------------------
Jay Lessert <jayl () latticesemi com>

Assuming you're really Chris Paget, and assuming you're serious (the
headers looked a bit like an open forwarder)--

Unless you're frightfully clever about the "downloads and installs the
patch from Microsoft" bit, all you're going to do is *really* piss
off admins behind firewalls and proxy servers.
--------------------------------------------------------------------------
David Foster <foster () dim ucsd edu>

Personally, I wouldn't like it. In fact I think this is a terrible idea.
If I want my systems "vaccinated", I will do it myself; I don't want
ANY outside intrusion, no matter how well intentioned it may be.

A virus is a virus, no matter what it does. You are just perpetuating
the practice.
--------------------------------------------------------------------------
David Hansen <dhansen () salug org>

The current "patch" from Microsoft is an application which the users of
the Outlook email program may not have installed and, if so, more than
likely do not have it installed intentionally. (Remember, your victims
will not only be personal (civilian) users but corporate and
military users as well.)

What you describe is intrusion and vandalism of their systems and theft
of their "choice" in the matter, regardless of your intentions. As well as
robbing them of the bandwidth you'll be sucking up during this time.

Also, how do you propose to deal with the abuse of spamming everyone in
their address books with unsolicited, potentially harmful emails? And how
do you propose to deal with some of your recipients using some email
client _other_ than the Windows based Outlook and your intentionally
malformed, intentionally secretively mass-spread email causes their
email clients to crash or behave in some other unexpected and possibly
destructive manner that you aren't aware of?

You should consult a lawyer before you attempt to set out on an illegal
matter rather than requesting the permission of the subscribers of this
(or any) mailing list.

Where do you get off thinking that you are justified in intentionally
causing _any_ form of outage or overload? What makes you think that the
"patch" you have just forced your victims to install has not just opened
up another security hole or multiple security holes which may, in the
future, be even more debilitating to some of your unwitting victims?

How can you also pretend to guarantee that every victim system you infect
will "function normally" when you are finished invading them and robbing
them of their rights? Aside from the above mentioned security issues which
you secretly introduce to them, is it so inconceivable that you may attack
some disk space starved critical system and crash it as a result of trying
to install bloatware on it? Or do the same to some disk-space starved
workstation belonging to someone who is working late, or on a weekend, on
a project/report of some fashion (maybe even working just minutes before
it's due in a meeting) and you trash their system resulting in the loss of
any unsaved material at the time. And worse yet, there either isn't an IT
person around or there just isn't time for one to be of any saving use.
Any pre-existing condition of a system or situation would be their fault,
but any action of yours on their systems is completely your fault and no
one should have to suffer at your hands.

In short, it isn't your decision to make. You don't have the authority
and you do not have the right. If you want to take a stab at being the
world's saviour against useless software then put some thought and logic
into it and make some publicly accessible interface that people can
_choose_ to connect to that will verify the vulnerability of their systems
and give the person the _choice_ to have the interface patch the system
for the user.
--------------------------------------------------------------------------
<nate.09 () whatever net>

I'd *really* rather not see this sort of thing catch on.  I've no doubt
that your intentions are good, but... the 'original' (RTM) internet worm
was supposed to be innocuous too, and a minor bug turned that little
project into an internet outage.

And even if *your* code is flawless, what if Microsoft's 'fix' doesn't
work?  Do you trust Microsoft enough to rely on their work in a
project that could well land you in court alongside the guy who wrote
Melissa?

If you do your job flawlessly and their fix doesn't fix, it sounds like
the antibodies will behave much like the Melissa virus, shutting down mail
servers left and right.  When you get sued, you can try to shift the blame
to Microsoft, but I'd be surprised if that tactic worked.

Or worse yet, what if Microsoft's fix opens up yet another security hole?
What if it ended up reactivating the Windows Scripting Host, of all
things?  Your 'antibody' becomes a vector for worse diseases, and a bunch
more lawyers get rich at your expense.

The 'network immune system' is a cool idea, but I don't think it's ready
for prime time yet.  Heck, there are a number of people walking around
whose own immune system poses a danger to them from time to time.  My
girlfriend is one of them.  Nature has had a very long time to refine the
idea, and it still doesn't get it right every time.  Do you think you and
Microsoft can team up and do better? :-)
--------------------------------------------------------------------------
Howard Lowndes <lannet () lannet com au>

Whilst your motives might be seen as being philanthropic, your methods are
illegal.

What you are proposing is still a worm virus and alters data on computers
to which you do not have authorised access.

Try it in Australia and you are facing a 10 year jail term under the
Crimes Act.

Not recommended.
--------------------------------------------------------------------------
Mike Crawley <mcrawley () megsinet net>

This sounds like a security risk to most networks.  It may be better
for you to distribute a method by which administrators can manage the
process from within their environments.

i.e. Publish the MS and other relevant fix web sites as well as the
preventative procedures and allow administrators to roll-out/administer
its implementation.

Just a thought as security usually dictates internal control of the
LAN/WAN and not from outside.
--------------------------------------------------------------------------
<romper () system78 com>

I think this would be a good idea, if it could be applied to target
a specific company (ie, you specify the domain of addresses that the
program would target, thus preventing it from leaving your network and
wreaking havoc on a less-prepared network).

Another alternative is to simply disable the "spreading" feature of
the program and to mail it (as an "update") to everyone on the company's
global list.  While well-intentioned, many sysadmins would be furious
to have an unknown program propagating across their networks.
--------------------------------------------------------------------------
Jason Brown <jtb () atei com>

I would like someone to do this to our networks as much as I would like
someone to walk in with an unknown floppy disk and start running it on
every machine we've got while we closed our eyes and hoped they would not
break anything.

The patch is available from Microsoft.  Education is the long term key to
successful security, not a virus that goes around the admins and tries to
fix things for them.

Also, with your exploit open-sourced, there is nothing to stop somebody from
rewriting the code to install a good backdoor program instead of the patch.
Just about the time a user feels good about being exploited because it was
supposed to fix things, they've got BO2K.  Cool.  No thanks for me, I'll
double check and make sure all machines are patched instead.
--------------------------------------------------------------------------
der Mouse <mouse () Rodents Montreal QC CA>

This is an elegant idea.  But three things come to mind:

(1) This would be a *major* pain in the ass to people who don't use
LookOut but are in the address books of people who do.  I think about
the number of copies of ILOVEYOU and its knockoffs that I got, and that
one was blatant and rapidly squashed.  A stealthier one could seriously
mailbomb people using non-Redmond MUAs.

(2) What about the second and later times it's received by people who
*do* use Outlook?  Are they going to get mailbombed similarly?

(3) How is it any more ethical to release an email virus just because
*your* intentions are good and it doesn't do any "real damage"?
(Besides which, who are you to arrogate to yourself the decision to
patch someone's system?)  You touched on this when you mentioned some
of the other side effects of an email virus, like mailserver load.
--------------------------------------------------------------------------
Patrick R. Mullen <prmullen () dreamscape com>

With regards to your "Antibody" idea, I must insist that you refrain from
releasing this code into the wild.  While your intentions are benign, the
code would only serve to inspire a whole host of "malware" projects on the
part of the VX community.  Also, it wouldn't take much time for someone to
"spoof" your "Antibody" program and create a nastier version [with some
hidden backdoor trojan or virus launcher added to your original design].

I'm afraid that while your idea is theoretically sound, the real-world is
just not ready for "Inoculation Virii" of the type you are proposing to
release.  At this point in time, I would strongly recommend that you send
samples of your "Antibody" code to the anti-virus industry [some of whom are
in the "cc" address header above], just in case someone uses the same
propagation mechanism [but with a "malware" payload].

If you have any questions, please feel free to contact me at any time !
--------------------------------------------------------------------------
Gale, Bill <bgale () chi navtech com>

This is an interesting concept, but in discussion with my colleagues,
we have concluded that we should resist taking this avenue.  Why?

1.  Such a propagation mechanism for antibodies would create a
    situation where people would pay less attention to emails
    which are of this nature, the majority of which at this point
    are harmful.

2.  It is possible for the antibody in itself to be infected
    by a hacker, which would be hard to detect by the average
    recipient.  This would create the need for an antibody
    to the antibody.

The net result is that nobody would trust antibodies after the
first antibody infection.
--------------------------------------------------------------------------
Ryan Russell <ryan () securityfocus com>

Hoo boy... we're really gonna go down this road?  OK, here's my list..

-First off... I'm not opposed to writing such a beast.  I support people's
right to write exploits/viruses/trojans/worms/etc... I have a problem with
people *releasing* them.  See below.

-Does your code take advantage of the signed code stuff from MS?  I have
my users use the Windowsupdate site only because of the code signing.  I
give MS credit for being able to manage their signing key properly.  If it
doesn't, then I don't know what I ended up downloading, do I?

-What does it download?  IE 5.01 SP1?  IE 5.5?  Windowsupdate make a bunch
of determinations about what you have now before handing over any
recommendations about what to download.  For example, if your "fix" is to
take people to IE 5.5, that doesn't help W2K.  If you go to IE 5.01 SP1,
then you just downgraded my Win98 box.  What happens when the worm is
still alive when IE 5.51 comes out with security fixes?  If by some fluke
the Outlook bug is still active or re-introduced in that version, are you
going to keep people going back to 5.5?

-What about other e-mail clients?  Personal experience has shown that
these types of problems tend to affect multiple clients.  What if Eudora
(for example, no specific knowledge) blows up in the same way, but the
offsets are different enough so that your BO doesn't work, and the person
can't use their e-mail anymore?

-Speaking of offsets, does your code work across every variant of
Windows?  How about NT on Alpha?  Listen to the vulnerability scanner
vendors for stories about how fun it is to try to get a clean exploit to
exercise.  Doesn't Outlook run on the Mac?  I haven't heard anything about
how this affects the Mac platform.

-How do I tell your exploit apart from a modified one that is less
friendly?  I don't want to try and train people to distinguish good
vs. evil exploit.  How do I know if your "good" exploit is
"good" anyway?  How do I know you're not just out to log info on every
Outlook user in the world?

-What if I didn't want my box patched?  What If I was working on my own
exploit, and you came along and patched my box?

-What about DNS spoofing for any of the downloads?

-What about connection hijacking for any of the downloads?

-Who has the server infrastructure to serve a copy of IE to every Outlook
user in the world in like a 24-hour period?  What if the modem user didn't
really want to download 18MB right that second?

-If there's some sort of limiting function (so it can only be run within
an enterprise, for example) how does that work?  If Netscape and Microsoft
can't get it right for "Intranet Zone" purposes, how can you?

-What if the install bombs?  I put IE 5.5 on my home machine today.  It
tried to reboot without asking me, and then after I let it reboot, it hung
on ie4uinst upon bootup, which I had to kill manually (Why it did that, I
don't know... I've had IE 5 something forever.)  I hope no admin leaves
their Outlook running on a production server that they really, really
didn't want rebooted.

-Did you get the $500 from SANS?

This is just the list of stuff that I thought of immediately, I'm sure
there's lots more.
--------------------------------------------------------------------------
Thomas May <tommay1 () hotmail com>

Great intentions with this, however I do think you are right to say that
there is the potential for service outages due to heavy traffic load.  Also,
what if the site that downloads the patch is temporarily inaccessible?  Not
to mention that the media would have a field day and call it a "virus" since
those "bad hackers" make a much better story than the good guys like you do.
I would be extremely careful with the use of e-mail, since so many
destructive virus authors have used it in a negative manner.
--------------------------------------------------------------------------
Daniel Holdsworth <drh () supanet net uk>

Well, the concept is a good one, barring the possible bug that an earlier
poster mentioned (in short, no Windows Scripting Host = no download
from Microsoft site), but I would please ask that you do not distribute it.
At the moment, the world population of "skript kiddies" know about the
exploit, but a large proportion won't know how to exploit it. Your Antibody
system is effectively a worked example on how to turn the buffer overflow
from a curiosity into an actual tool, and as such is not something anyone
would like to see distributed. So, I'm sorry but although it is a very neat
idea and is technically highly effective, it is not something I would want
to see light of day right at the moment.
--------------------------------------------------------------------------
Eric Chien <ecchien () yahoo com>

This is an EXTREMELY BAD idea IMHO.  You have absolutely no control of this
once it is released.  Remember that VBS.LoveLetter and W97M.Melissa both
mailed addresses in one's Outlook address book and not even _all_ the
addresses.

As for the idea that this is 'very temporary' please remember that once the
mail server goes down, your patch isn't moving on to the client anymore.
If it isn't moving on to the client, nothing is getting fixed or 'executed'
anymore so, the logic of 'once all the systems on a network have been
infected' doesn't hold since, if the mail server goes down machines can no
longer be infected.

How about all the people who don't use Outlook (Express) who are going to
receive your mail?  How about all the people who are using already patched
Outlook (Express)?  How do you expect an average user who doesn't update
their system normally to react when suddenly when they read their mail an
installation/patch routine begins?

The equivalent disruption would be allowing me to shut down your mail
server whenever I want and say you had pcAnywhere installed with an account
for me and allowed me remotely access your computer and let me launch
installation routines whenever I want and reboot your machine even while
you may have been in the middle of working on something extremely important
without me asking you first.  Ask yourself if you are willing to allow that
to happen on your own system first.

There are a million other reasons why you shouldn't do this and I'm hoping
the rest of the community will chime in and state them.

On constructive notes, large corporations obviously shouldn't need such a
program as they 1) generally like to test all upgrades to their users'
systems first, 2) have software distribution systems in place, 3) can often
use login scripts, etc.

Smaller organizations without the ability to use the above means obviously
have the need for some software distribution ability, but this isn't the
way to go about it because obviously you will hit a huge population that is
in no way affected and in no way under your system administration
jurisdiction.

Although I work for the Symantec AntiVirus Research Center
(echien () symantec com), the above opinions are my own.  However, I am almost
certain, this would be added to the definition set should we receive a
sample.  My educated guess is our customers would want the addition of
such an executable.

Please reconsider what you are about to release.
--------------------------------------------------------------------------
Mariusz Woloszyn <emsi () ipartners pl>

If I'm an evil hacker I probably own a host that is a gateway, so I can
use it to fool your 'curing virus' to download an evil code.
--------------------------------------------------------------------------
Lincoln Yeoh <lyeoh () pop jaring my>

That's one way to fix a problem but in my opinion such unauthorised
alteration to computer systems is illegal in most places and even if it
isn't illegal, it's very very impolite.

Infecting people _without_ their permission is rude (and probably illegal
in most places) even if it's for their own good. This applies to computer
and human viruses and other similar stuff e.g. touching people's stuff
without their permission [1].

Also, there could be side effects that we are unaware of as yet. Are you
willing to take the responsibility for nasty side effects? In the human
health field, normally extensive tests are done. And even so, the use of
self replicating viruses is too dangerous in my eyes, such use would be
very irresponsible.

For there could be other people who would modify your innocuous virus and
transform it to something less innocuous (biological viruses could mutate).
Then things could get extremely messy and nasty.

I personally do not think it's a good idea to release such a virus to the
public, despite certain organisations encouraging such behaviour.

People have got to be advised of the risks etc, and willingly ask to be
inoculated, then only you jab them and just them. Doing otherwise is going
down a slippery and dangerous slope.

But I'm sure other people have a different opinion.

[1] If it's amongst friends/friendly neighbours such behaviour may be
acceptable, but not amongst strangers.

You can lock your friend/neighbour's door and tell him/her later. But doing
so to a stranger could get you in trouble - you could be locking them out
of their own houses/cars (maybe they misplaced their key :) ), and they
could prosecute you. Whereas in a similar situation, your friends would
scold you, but still forgive you since it's for their own good and you're
all friends.

Sure we are all neighbours, <2000 msecs away. But unfortunately we're not
all friendly neighbours :(.
--------------------------------------------------------------------------
"Jeffrey R Eaves" <jre () pobox com>

Personally, I find even the thought of releasing any such software
in the wild to be a down-right 'no-no'.

Do you want to be liable for downtime, damages or other costs
from innocent victims?  Can you be sure you won't break someone's not
so standard setup?

By all means make such a tool available, but with the viral propagation
aspect removed.  In other words, without this, you don't have a
product at all.

Leave people to address these security issues themselves.  The
announcements from M$, securityfocus and other places serve as
sufficient notice for people to correct these holes by applying patches
or upgrading as the case may be.

Do you know how long a packet storm created by such a technique would
last?  Given the number of M$ boxes I would suggest several days or
longer.  Do I want the internet to respond poorly for this amount of
time?  No thanks.  I had removed this vulnerability already.
--------------------------------------------------------------------------

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum