Aaron Drew - Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients

[labs () USSRBACK COM (Ussr Labs)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

this person trick us, and trick Microsoft (we found it first and WE
ARE WAITING FOR MICROSOFT RELEASE IT ! BUT THIS PERSON RELEASE IT
FIRST (THE FULL CREDITS OF THIS ARE US) NO OTHERS CHECK IN THE FUTURE
THE MICROSOFT RELEASE.

IM SORRY im very pissed off :(

_______________________________________________________________

Security Advisory: Buffer Overflow in MS Outlook & Outlook Express
Email Clients

Date:                   18th July 2000
Author:                 Aaron Drew (mailto:ripper () wollongong hotkey net au)
Versions Affected:      MS Outlook 97/2000 and MS Outlook Express 4/5

_______________________________________________________________

A bug in a shared component of Microsoft Outlook and Outlook Express
mail
clients can allow a remote user to write arbitrary data to the stack.
This
bug has been found to exist in all versions of MS Outlook and Outlook
Express on both Windows 95/98 and Windows NT 4.

The vulnerability lies in the parsing of the GMT section of the date
field
in the header of an email. Bound checking on the token representing
the GMT
is not properly handled. This bug can be witnessed by opening an
email with
an exceptionally long string directly preceding the GMT specification
in
the Date header field such as:

Date: Fri, 13 July 2000 14:16:06
+1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx

The bug lies in the shared library INETCOMM.DLL and has been
successfully
exploited on Windows 95, 98 and NT with both Outlook and Outlook
Express.

The execution of this code is performed differently under each
client. Under
Outlook Express, the buffer overflow occurs as soon as the user tries
to
view the mail folder containing email with a malicious date header.
Under
Microsoft Outlook, the overflow occurs when attempting to preview,
read,
reply or forward any email with a malicious date header. Under MS
Outlook a
user may delete or save an email to disk without exploitation.

Whilst some mail transport systems seem to modify 8-bit header data
or lines
over 70 characters in length preventing direct exploitation, these
restrictions seem to be avoided by encoding a message with an exploit
date
field as a MIME attachment in a Outlook's MIME attached message
format.
These messages also overflow the stack when read, previewed, replied
to or
forwarded.

Microsoft was notified of this bug on July 3.

Attached is a proof-of-point exploit that, when placed in the header
field of a message or MIME attached message, will download and
execute
an executable from the web. (In this particular case it will launch
MS Freecell)

_______________________________________________________________

DISCLAIMER

The information within this document may change without notice. Use
of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences
whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.

_______________________________________________________________

Date: Sun, 7 May 2000 11:20:46
+10006ÝÃ^
@
Ç^Ã€‹Ä-qþÿÿ‹ì3É

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c
h
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOXSx463JcbWNj6DDEQJ5mACg8e8YUFx0jYczol3BKERm98bup70AoNPa
e04+qg4D8MMGmG8h3aZDljAK
=gTBf
-----END PGP SIGNATURE-----