Re: Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients

[ripper () HOTKEY NET AU (Aaron Drew)]

I would like to make a public apology to both Microsoft and USSR Labs.

Yesterday's post was done so by accident whilst I was preparing a draft
advisory intended to be released on completion of a patch and related
security bulletin by Microsoft.

For those of you wondering how on earth I could accidentally send an e-mail,
I offer the following explanation. To exploit the vulnerability I had to
create my own Date field in an e-mail header. To do this, I have been piping
a text file directly to an SMTP server using standard SMTP commands. (In the
end I came to the realisation that the message would execute the exploit on
Outlook regardless of the number of nested MIME attachments I used so I
simply placed it in the body of an attachment.) Once I was confident that
the result was satisfactory, I set up the file to post to bugtraq on
anticipation of Microsoft's release. I performed a spell check that found
several mistakes and corrected these. To test that the spell checker didn't
clobber my 8 bit exploit string I sent the e-mail once more - without
changing the destination address back to my own.

The exploit I released along with the advisory was also not intended for
final release and will not function as stated due to the hostname referred
to being unavailable to anywhere but my local LAN. I suggest the exploit be
removed from the site until further notice. I will release a functional
exploit upon release of Microsoft's security bulletin.

Both USSR Labs and I independently discovered and submitted the same bug on
the same day to Microsoft and deserve equal credit.

Regards,
Aaron Drew

-----Original Message-----
From: Ussr Labs <labs () USSRBACK COM>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Wednesday, 19 July 2000 9:22
Subject: Aaron Drew - Security Advisory: Buffer Overflow in MS Outlook &
Outlook Express Email Clients

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> this person trick us, and trick Microsoft (we found it first and WE
> ARE WAITING FOR MICROSOFT RELEASE IT ! BUT THIS PERSON RELEASE IT
> FIRST (THE FULL CREDITS OF THIS ARE US) NO OTHERS CHECK IN THE FUTURE
> THE MICROSOFT RELEASE.
>
> IM SORRY im very pissed off :(
>
>
> _______________________________________________________________
>
> Security Advisory: Buffer Overflow in MS Outlook & Outlook Express
> Email Clients
>
> Date: 18th July 2000
> Author: Aaron Drew (mailto:ripper () wollongong hotkey net au)
> Versions Affected: MS Outlook 97/2000 and MS Outlook Express 4/5
>
> _______________________________________________________________
>
> A bug in a shared component of Microsoft Outlook and Outlook Express
> mail
> clients can allow a remote user to write arbitrary data to the stack.
> This
> bug has been found to exist in all versions of MS Outlook and Outlook
> Express on both Windows 95/98 and Windows NT 4.
>
> The vulnerability lies in the parsing of the GMT section of the date
> field
> in the header of an email. Bound checking on the token representing
> the GMT
> is not properly handled. This bug can be witnessed by opening an
> email with
> an exceptionally long string directly preceding the GMT specification
> in
> the Date header field such as:
>
> Date: Fri, 13 July 2000 14:16:06
> +1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> xxxxxxxxxxxxxxxxxx
>
> The bug lies in the shared library INETCOMM.DLL and has been
> successfully
> exploited on Windows 95, 98 and NT with both Outlook and Outlook
> Express.
>
> The execution of this code is performed differently under each
> client. Under
> Outlook Express, the buffer overflow occurs as soon as the user tries
> to
> view the mail folder containing email with a malicious date header.
> Under
> Microsoft Outlook, the overflow occurs when attempting to preview,
> read,
> reply or forward any email with a malicious date header. Under MS
> Outlook a
> user may delete or save an email to disk without exploitation.
>
> Whilst some mail transport systems seem to modify 8-bit header data
> or lines
> over 70 characters in length preventing direct exploitation, these
> restrictions seem to be avoided by encoding a message with an exploit
> date
> field as a MIME attachment in a Outlook's MIME attached message
> format.
> These messages also overflow the stack when read, previewed, replied
> to or
> forwarded.
>
> Microsoft was notified of this bug on July 3.
>
> Attached is a proof-of-point exploit that, when placed in the header
> field of a message or MIME attached message, will download and
> execute
> an executable from the web. (In this particular case it will launch
> MS Freecell)
>
> _______________________________________________________________
>
> DISCLAIMER
>
> The information within this document may change without notice. Use
> of
> this information constitutes acceptance for use in an AS IS
> condition. There are NO warranties with regard to this information.
> In no event shall the author be liable for any consequences
> whatsoever
> arising out of or in connection with the use or spread of this
> information. Any use of this information lays within the user's
> responsibility.
>
> _______________________________________________________________
>
> Date: Sun, 7 May 2000 11:20:46
> +10006ÝÃ^
@
> Ç^à €‹Ä-qþÿÿ‹ì3É
>
> u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c
> h
> http://www.ussrback.com
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOXSx463JcbWNj6DDEQJ5mACg8e8YUFx0jYczol3BKERm98bup70AoNPa
> e04+qg4D8MMGmG8h3aZDljAK
> =gTBf
> -----END PGP SIGNATURE-----