Bugtraq mailing list archives

FW: Alert: Arbitrary code execution via email or news


From: patrick () pine nl (Patrick Oonk)
Date: Mon, 27 Jul 1998 18:08:30 +0200


-----Original Message-----
From: Windows NT BugTraq Mailing List
[mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM] On Behalf Of Russ
Sent: Monday, July 27, 1998 5:55 PM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Alert: Arbitrary code execution via email or news


A buffer overrun has been detected in Outlook Express (v4.72.2106.4 &
v4.72.3110.1), and Netscape Mail (v4.05 & 4.5b1). So far only the
Macintosh versions have proven unaffected. Ari Takanen and Marko Laakso
of the Finnish Oulu University Secure Programming Group
<http://www.ee.oulu.fi/groups/ouspg> discovered it back in late June.
They have been working closely with AUSCERT and the vendors. CIAC and
COAST/CERIAS (via Gene Spafford) have also been involved.

NTBugtraq was brought in quietly to help facilitate communications back
on July 3rd, and using its contacts and discretion, has helped to
facilitate speedy fixes and involvement of the appropriate groups.

The exploit method is slightly different in the two different products
(MS versus NS), but it centers around the malicious use of tags used to
identify an attachment. The attachment itself is not relevant; its
contents need not contain any exploit. The tags that identify the
attachment contain the exploit code. Therefore, the exploit code can be
invoked without actually opening the attachment itself (and in at least
one test scenario, without even opening the message!).

The exploit has been demonstrated in email and news, and has been
confirmed by both Microsoft and Netscape. COAST has suggested that
Eudora is thus far unaffected by the same problem.

There are too many possible avenues of exploit to document here, and
many have not yet been tested. Attachment type does not appear to
matter, so it could as easily be done with a .txt file as a .gif, or
.doc, or .zip.

Thus far there is no demonstration exploit available in the wild, thank
god, but it's likely that such a program will appear. As long as affected
versions of the exploitable software continue to exist (and there are
enough of them around to say they'll likely exist for a long time, like
the version shipped with Windows '98), the chances of a new Internet
Worm loom over our heads.

Meanwhile, look for an MS Security Bulletin shortly (it's due to be
released at 9:00am PST) indicating the location of a fix. Netscape have
said that the fix for Netscape Mail will be included in their v4.06
release, due out around August 7th. They indicated they may put
something up on their website about this today.

The exploit does work on Windows NT, as well as Windows '95/'98, and
with Outlook Express on Solaris 2.x. Microsoft indicated they found an
issue with Outlook '98 also; look for details of this in their bulletin.

I have written a very long editorial of the issue and will post it to
the NTBugtraq website later today. For now, hold off on asking questions
until after the MS Bulletin is released.

Cheers,
Russ
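As an added defensive illustration, not part of Russ's alert or of any vendor's code: a gateway-side check that flags messages whose attachment-identifying header parameters are implausibly long, which is the condition the alert describes. The alert does not say which tags are involved; the example assumes they are the name= and filename= parameters of the Content-Type and Content-Disposition headers, and the 200-character threshold and both sample messages are constructed for this example.

```python
import re

MAX_NAME_LEN = 200  # assumed threshold for this example; real names stay far below it

# Assumption: the "tags" are name=/filename= on these two headers (the alert does not say).
_HEADER_RE = re.compile(r"^(content-type|content-disposition):", re.IGNORECASE)
_PARAM_RE = re.compile(r'(?i)\b((?:file)?name)\s*=\s*(?:"([^"]*)"|([^;\s]*))')


def attachment_headers(raw: str) -> list[str]:
    """Collect every Content-Type/Content-Disposition header in the message,
    at top level or inside any MIME part, with RFC 822 line folding undone.
    The raw text is scanned on purpose: a full MIME parser may truncate or
    normalize an over-long parameter and hide exactly what we want to see."""
    found, current = [], ""
    for line in raw.splitlines():
        if current and line[:1] in (" ", "\t"):
            current += " " + line.strip()          # folded continuation line
            continue
        if current:
            found.append(current)
        current = line if _HEADER_RE.match(line) else ""
    if current:
        found.append(current)
    return found


def oversized_names(raw: str, limit: int = MAX_NAME_LEN) -> list[tuple[str, int]]:
    """Return (parameter, length) for each name=/filename= value longer than limit."""
    hits = []
    for header in attachment_headers(raw):
        for m in _PARAM_RE.finditer(header):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            if len(value) > limit:
                hits.append((m.group(1).lower(), len(value)))
    return hits


# Constructed sample messages: the attachment body is empty in both, which is
# the alert's point; only the length of the identifying parameter differs.
BENIGN = (
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\n"
    'Content-Type: text/plain; name="notes.txt"\n'
    'Content-Disposition: attachment;\n filename="notes.txt"\n\n'
    "--b1--\n"
)
SUSPECT = BENIGN.replace('filename="notes.txt"', 'filename="' + "A" * 600 + '.txt"')

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, oversized_names(msg))
```

The scan is a heuristic: it does not walk the multipart structure, so a body line that merely looks like one of these headers is also examined, which errs on the side of flagging.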


