Buffer overflow in Outlook Express for Macintosh

From: Shikap (shikapat_private)
Date: Sun Dec 02 2001 - 23:34:27 PST


       ---------------------------------------------------------------------
       Buffer overflow in Outlook Express for Macintosh
       Problem first discovered: 2001.7.26
       Discovered by: awacs@hawkeye
       Published: 2001.12.03
       ---------------------------------------------------------------------
       Description:
       Outlook Express for Macintosh is a mail client developed by Microsoft.
    
       This mail client has a problem with body string handling,
       and a buffer overflow occurs when it handles long strings without a return code.
    
       When mail is received, if the mail contains a long line, this mail client goes down
       and can't send the "DELE" command to the POP3 server.
       So, once the problem has occurred, until the user or administrator deletes this mail,
       (s)he can't receive mail at all.
       It's similar to a DoS attack.
    
       Tested version :
       Affected version    : Outlook Express 5.0, 5.01, 5.02
       Not affected version: Outlook Express 5.03
    
       Vendor status :
       Microsoft fixed this problem in the 5.03 English version.
       Other language versions are under construction. (can use English version :-)
    
       Solution:
       Use Outlook Express 5.03
    
       Details:
       On June 26, 2001, I received mail from Bugtraq, and my Outlook crashed.
       I checked this problem and found it.
       The mail is listed below.
       http://www.securityfocus.com/archive/1/199251
    
       You may find this mail contains a long line. (just shellcode :-)
    
       Registers are listed below.
    
                             CR0  CR1  CR2  CR3  CR4  CR5  CR6  CR7
      PC  = 395C7838     CR  0010 1010 0000 0000 0000 0000 1000 0010
      LR  = 395C7839         <>=O XEVO
      CTR = 0B04F8B0
      MSR = 00000000         SOC Compare Count
      Int = 0            XER 000   00     00                     MQ  = 00000000
      
      R0  = 395C7839     R8  = 00000000      R16 = 00000000      R24 = 385C7862
      SP  = 0A148B10     R9  = 00000000      R17 = 0A09CC40      R25 = 665C7864
      TOC = 09FC71C0     R10 = 00000020      R18 = 00000001      R26 = 395C7839
      R3  = 00000000     R11 = 00000000      R19 = 00000001      R27 = 395C7833
      R4  = 09ECCCBD     R12 = 09FBB960      R20 = 0A0A065C      R28 = 345C7863
      R5  = 09FBCD5C     R13 = 0A148FC4      R21 = 0A148EBC      R29 = 395C7831
      R6  = 00000045     R14 = 00278D00      R22 = 345C7832      R30 = 345C7832
      R7  = 09FBCB5C     R15 = 0A148EF0      R23 = 635C7863      R31 = 635C7863
    
       PC pointed to 0x395C7838 (9\x8).
       Next, the stack is listed.
    
      0A148B10  305C 7862 665C 7864  395C 7839 395C 7833  0\xbf\xd9\x99\x3
      0A148B20  345C 7863 395C 7836  365C 7830 635C 7839  4\xc9\x66\x0c\x9
      0A148B30  335C 7862 635C 7864  395C 7839 395C 7866  3\xbc\xd9\x99\xf
      0A148B40  335C 7839 395C 7831  345C 7832 345C 7866  3\x99\x14\x24\xf
      0A148B50  635C 7862 665C 7864  395C 7839 395C 7863  c\xbf\xd9\x99\xc
      0A148B60  655C 7866 335C 7839  395C 7866 335C 7839  e\xf3\x99\xf3\x9
      0A148B70  395C 7866 335C 7839  395C 7831 345C 7832  9\xf3\x99\x14\x2
      0A148B80  635C 7837 305C 7862  635C 7864 395C 7839  c\x70\xbc\xd9\x9
    
       You can find these strings in the mail listed above.
       So I think an evil user can rewrite PC easily.
       But the SMTP protocol allows only 7-bit-clean strings, so it's difficult for an evil
       user to make exploit code, I think.
       #and Macintosh has no cmd.exe ;-)
    
       Acknowledgement :
       Thanks to Alex, Scott and Christopher.
       Thanks to all the staff at Microsoft who coped with this problem.
    
       Disclaimer:
       You may copy, distribute and publish this content, so long as you
       change nothing except typos.
       
       
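The trigger described in the post is a body line with no line break. The following is an added example, not part of the original post, of the check a mail administrator could run on a raw message before a vulnerable client fetches it: it flags body lines longer than the RFC 2822 limit of 998 characters (the advisory does not state the exact length that crashes the client, so the threshold is an assumption) and folds them so the message can be read safely. The sample message is constructed.

```python
# RFC 2822 says a line MUST be no more than 998 characters excluding CRLF.
# The advisory gives no exact crash length, so this threshold is an assumption.
MAX_LINE = 998

def split_message(raw: bytes):
    """Split a raw message into (headers, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                      # tolerate bare-LF messages
        head, sep, body = raw.partition(b"\n\n")
    return head, body

def find_long_lines(raw: bytes, limit: int = MAX_LINE):
    """Return (body_line_number, length, is_7bit_clean) for every body line over limit.

    The 7-bit flag matters for the post's point about SMTP: a line that is all
    ASCII can travel through 7-bit-only relays unchanged, so it is not filtered
    out on the way to the client."""
    _, body = split_message(raw)
    hits = []
    for idx, line in enumerate(body.splitlines(), start=1):
        if len(line) > limit:
            hits.append((idx, len(line), all(b < 0x80 for b in line)))
    return hits

def fold_long_lines(raw: bytes, width: int = MAX_LINE) -> bytes:
    """Hard-wrap overlong body lines at `width`; headers are left untouched.

    Folding changes the body bytes, so run it only on copies destined for a
    client that cannot handle long lines (e.g. in a delivery filter)."""
    head, body = split_message(raw)
    out = []
    for line in body.split(b"\n"):
        line = line.rstrip(b"\r")
        while len(line) > width:
            out.append(line[:width])
            line = line[width:]
        out.append(line)
    return head + b"\r\n\r\n" + b"\r\n".join(out)

# Constructed sample: a normal line, then a 2000-byte 7-bit line of literal
# "\x90" text (the kind of escaped shellcode listing the post refers to).
SAMPLE = (b"From: sender@example.com\r\nSubject: constructed test\r\n\r\n"
          b"short line\r\n" + b"\\x90" * 500 + b"\r\nend\r\n")

if __name__ == "__main__":
    print(find_long_lines(SAMPLE))                     # [(2, 2000, True)]
    print(find_long_lines(fold_long_lines(SAMPLE)))    # []
```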
    



    This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 14:25:03 PST