[Esa-l] John, does your filter catch this?

Brett Glass brett at lariat.org
Wed Jul 19 00:52:28 PDT 2000


This exploit is nasty.

--Brett


>Approved-By: aleph1 at SECURITYFOCUS.COM
>Delivered-To: bugtraq at lists.securityfocus.com
>Delivered-To: bugtraq at securityfocus.com
>X-Security: Warning! Do not open files attached to e-mail if you do not
>        have an up-to-date virus protection program or did not expect to
>        receive them. Even if the message is from someone you know, an
>        attachment can contain a virus sent without his or her knowledge.
>Importance: Normal
>Date:         Wed, 19 Jul 2000 20:02:27 +1000
>Reply-To: Aaron Drew <ripper at HOTKEY.NET.AU>
>Sender: Bugtraq List <BUGTRAQ at SECURITYFOCUS.COM>
>From: Aaron Drew <ripper at HOTKEY.NET.AU>
>Subject:      Buffer Overflow in MS Outlook Email Clients
>To: BUGTRAQ at SECURITYFOCUS.COM
>
>_______________________________________________________________
>
>Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients
>
>Date:                   18th July 2000
>Author:                 Aaron Drew (mailto:ripper at wollongong.hotkey.net.au)
>Versions Affected:      MS Outlook 97/2000 and MS Outlook Express 4/5
>
>_______________________________________________________________
>
>A bug in a shared component of Microsoft Outlook and Outlook Express mail
>clients can allow a remote user to write arbitrary data to the stack. This
>bug has been found to exist in all versions of MS Outlook and Outlook
>Express on both Windows 95/98 and Windows NT 4.
>
>The vulnerability lies in the parsing of the GMT section of the date field
>in the header of an email. Bounds checking on the token representing the GMT
>is not properly handled. This bug can be witnessed by opening an email with
>an exceptionally long string directly preceding the GMT specification in
>the Date header field, such as:
>
>Date: Fri, 13 July 2000 14:16:06 +1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>The bug lies in the shared library INETCOMM.DLL and has been successfully
>exploited on Windows 95, 98 and NT with both Outlook and Outlook Express.
>
>The execution of this code is performed differently under each client. Under
>Outlook Express, the buffer overflow occurs as soon as the user tries to
>view the mail folder containing email with a malicious date header. Under
>Microsoft Outlook, the overflow occurs when attempting to preview, read,
>reply or forward any email with a malicious date header. Under MS Outlook a
>user may delete or save an email to disk without exploitation.
>
>Whilst some mail transport systems seem to modify 8-bit header data or lines
>over 70 characters in length, preventing direct exploitation, these
>restrictions seem to be avoided by encoding a message with an exploit date
>field as a MIME attachment in Outlook's MIME attached message format.
>These messages also overflow the stack when read, previewed, replied to or
>forwarded.
>
>Microsoft was notified of this bug on July 3.
>
>Attached is a proof-of-point exploit that, when placed in the header
>field of a message or MIME attached message, will download and execute
>an executable from the web. (In this particular case it will launch MS Freecell)
>
>_______________________________________________________________
>
>DISCLAIMER
>
>The information within this document may change without notice. Use of
>this information constitutes acceptance for use in an AS IS
>condition. There are NO warranties with regard to this information.
>In no event shall the author be liable for any consequences whatsoever
>arising out of or in connection with the use or spread of this
>information. Any use of this information lays within the user's
>responsibility.
>
>_______________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Buffer Overflow in MS Outlook E
Type: application/octet-stream
Size: 532 bytes
Desc: not available
Url : http://ga.impsec.org/pipermail/esd-l/attachments/20000719/935540e8/BufferOverflowinMSOutlookE.obj
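As an added example, not part of Brett's message or of Aaron Drew's advisory, here is the kind of defender-side check a mail filter could apply to the header the advisory describes: it validates the zone token at the end of a Date header against the RFC 822 forms and also walks into message/rfc822 attachments, since the advisory notes the malformed header can be carried that way. The regular expression, the function names and the sample message are my own assumptions.

```python
import re
from email import message_from_string

# Whitelist of the zone forms RFC 822 allows after the time of day:
# +/-HHMM, UT, GMT, the US zone names, or one military letter, optionally
# followed by a parenthesised comment. A digit zone with a run of junk
# glued to it, as in the advisory, fails the match and is flagged.
_DATE_RE = re.compile(
    r"^(?:[A-Za-z]{3},\s*)?\d{1,2}\s+[A-Za-z]{3,9}\s+\d{2,4}\s+"
    r"\d{1,2}:\d{2}(?::\d{2})?\s+"
    r"(?:[+-]\d{4}|UT|GMT|[ECMP][SD]T|[A-IK-Za-ik-z])"
    r"(?:\s*\([^)]*\))?\s*$"
)

def suspicious_date_header(value: str) -> bool:
    """True when the Date value does not end in a well-formed zone token."""
    return _DATE_RE.match(value.strip()) is None

def scan_message(raw: str) -> list:
    """Return every Date header value, in the outer message or in any
    message/rfc822 attachment, that fails the check above."""
    hits = []
    # walk() descends into attached messages, so an embedded message's
    # Date header is examined as well as the outer one.
    for part in message_from_string(raw).walk():
        date = part.get("Date")
        if date is not None and suspicious_date_header(date):
            hits.append(date)
    return hits

# Constructed sample: a clean outer message carrying an attached message
# whose Date header has junk after the zone, the case the advisory describes.
SAMPLE = """From: sender@example.test
Date: Wed, 19 Jul 2000 20:02:27 +1000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

From: other@example.test
Date: Fri, 13 July 2000 14:16:06 +1000""" + "x" * 80 + """

body
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A site that sees unusual but legitimate Date formats may prefer to flag only zone tokens beyond a length threshold rather than use the strict whitelist.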