Vulnerability Development mailing list archives

Re: Unchecked buffer in Outlook Newsreader, Re: Local Bufferoverflow in OutlookExpress


From: Kevin van der Raad <k.van.der.raad () itsec nl>
Date: Wed, 21 Mar 2001 14:24:12 +0100

Lot-a-zzz, Gerrie,

This is an old vulnerability, see:

        http://www.malware.com/dropper.html
        http://www.securityfocus.com/bid/2260


Original message (credit) by <http-equiv () excite com>
http://www.malware.com:

--

HTML.dropper


Wednesday, January 17, 2001

Internet Explorer 5.5 and accompanying mail and news client afford us
the unique ability to dictate which icons and file extensions we
require.

Specifically, we are able to manufacture an email message to appear as
one thing when in fact it is not:

1. What?

By carefully calculating a certain length of characters in the subject
field of an email message, Outlook Express 5.5 for whatever reason
creates an attachment incorporating the text in the body of the message.

2. And

We have in fact not attached anything, yet there is a fully functional
attachment. Furthermore we can dictate which file association and
applicable icon we require in order to execute our file. We can create
it to appear as an image file, sound file, html file etc. etc.

3. What does this mean:

MIME-Version: 1.0
To: http-equiv () excite com
Subject:
.hta
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit

This will create an email message with no reference to attachments in
the headers. This can be particularly troublesome to content filtering
gateways and/or security applications that strip attachments through
header information, that is: content-disposition: attachment;
content-type: application/malware; filename: iloveyou.vbs

What the above does is create an attachment, which in this case is an
*.hta file, but by manipulating the content-type, it is given an image
file icon. We then include in the body of our email message the very
simple code to execute whatever we wish, which is automatically
incorporated into the manufactured attachment.

4. Working example below.

DISCLAIMER

Note: Right-click and save to disk. To be opened in the mail client.
Harmless WSH code to execute telnet.exe on the local machine.

[This working example is crafted for Outlook Express 5.5, trivial
modifications suggest that it will work on the entire series of Outlook
Express mail clients as well as the entire range of Outlook mail
clients.]

No Attach:

http://www.malware.com/dropper.eml

Attach:

http://www.malware.com/madness.eml


5. The possibilities are endless. Any text based executable will
suffice. It is also trivial to introduce outside code into the temporary
internet folder, where the *.hta is opened.  We can draw an executable
into the TIF via the image tag (though it numbers), and also by the
bgsound tag (which is not numbered).

The main problem lies in the fact that we can dictate the icon, which has
always been a goal of the VX community to dupe recipients. Furthermore, the
fact that there is no legitimate header information for content
filtering and security application screening of attachments etc. is
equally problematic.

Tested on IE5.5 and OE5.5, Win98, fully patched and updated with all
so-called service packs.

Notes:

1. There is still the security warning with opening the file. However,
the icon representing the content type should override most, if not
all, concern.

2. The actual file extension (*.hta in this case) seems to have to
appear in the security warning dialogue box in order to execute; you can
see it at the very end. If the subject length is too long, it creates an
odd *.tx file which calls up a 'what do you want to open this with'
[something to this effect] system requirement.

3. This appears to be somewhat similar to something examined several
months ago:

Where's Temp!


Submitted Wednesday, 17 January 2001 to BUGTRAQ

http://www.securityfocus.com/bid/2260

This all then begs the question: CONTENT.filtering?


--
Kevin van der Raad <mailto:k.van.der.raad () itsec nl>

ITsec Nederland B.V. <http://www.itsec.nl>
Information Security
Exploit & Vulnerability Alerting Service

P.O. box 5120
NL 2000 GC Haarlem
Tel +31(0)23 542 05 78
Fax +31(0)23 534 54 77


--

ITsec Nederland B.V. may not be held liable for the effects or damages
caused by the direct or indirect use of the information or functionality
provided by this posting, nor the content contained within. Use them at
your own risk. ITsec Nederland B.V. bears no responsibility for misuse
of this posting or any derivatives thereof.
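As an added example, not part of the original posting or of malware.com's own material: the contrast the advisory draws between stripping attachments on header information and inspecting what the message actually carries, in Python. The first function applies the Content-Disposition rule the gateways relied on and lets the dropper-shaped message through; the second flags the signals such a message still leaves (an executable extension at the end of the subject, an image/gif part whose payload has no image magic bytes, script markup in a part not declared as HTML). The extension list, magic bytes and the sample message are constructed for this example; the subject padding the original relied on is omitted and the body is inert.

```python
import email
import re
from email import policy

# Constructed for this example: extensions Outlook Express hands to a script
# host or the shell, and the magic bytes a genuine image part should start with.
EXEC_EXTENSIONS = (".hta", ".vbs", ".js", ".wsh", ".exe", ".scr", ".bat")
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
SCRIPT_MARKUP = re.compile(rb"<\s*(script|html|object)\b", re.IGNORECASE)

def header_based_verdict(raw):
    """The gateway rule the advisory describes: only parts that announce
    themselves via Content-Disposition: attachment or a filename are stripped."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            return "block"
    return "allow"

def content_based_findings(raw):
    """Inspect the subject and each part's payload instead of trusting headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = msg.get("Subject", "")
    if any(tok.lower().endswith(EXEC_EXTENSIONS) for tok in subject.split()):
        findings.append("subject ends in an executable extension")
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""   # raw bytes of the part
        if ctype.startswith("image/") and not body.startswith(IMAGE_MAGIC):
            findings.append(f"{ctype} part does not start with image magic bytes")
        if ctype != "text/html" and SCRIPT_MARKUP.search(body):
            findings.append(f"{ctype} part contains HTML/script markup")
    return findings

# Constructed sample shaped like the dropper message in the advisory; the
# subject padding the original relied on is left out and the body is inert.
DROPPER_EML = """\
MIME-Version: 1.0
From: sender@example.invalid
To: recipient@example.invalid
Subject: Holiday pictures .hta
Content-Type: image/gif; charset=us-ascii
Content-Transfer-Encoding: 7bit

<HTML><SCRIPT>/* constructed inert body */</SCRIPT></HTML>
"""

if __name__ == "__main__":
    print("header-based:", header_based_verdict(DROPPER_EML))   # allow
    for finding in content_based_findings(DROPPER_EML):
        print("content-based:", finding)
```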
