Outlook Express Remote Code Execution in Preview Pane (S/MIME)

From: Aviram Jenik (aviramat_private)
Date: Thu Oct 10 2002 - 15:09:25 PDT

Next message: Dirk Mueller: "KDE Security Advisory: KGhostview Arbitary Code Execution"

Previous message: Olaf Schulz: "[VulnWatch] Apache Tomcat 3.x and 4.0.x: Remote denial-of-service vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Outlook Remote Code Execution in Preview Pane (S/MIME)
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/windowsntfocus/6D00B005PU.html


SUMMARY

The S/MIME standard attempts to raise the level of trust of email
messages by enabling users to digitally sign their messages and so the
receiver can verify the authenticity of the received message.

However, sometimes an added security feature can open up dangerous
security hole; a security vulnerability in the way Outlook handles
S/MIME certificates causes it to execute arbitrary code when inspecting
a malformed S/MIME signed message.

DETAILS

Vulnerable versions:
Outlook Express version 5.50
Outlook Express version 6.0

Immune versions:
Outlook Express 5.5 SP2
Outlook Express 6.0 SP1 (included in Windows XP SP1)
Microsoft Outlook


S/MIME has been implemented in Outlook Express in accordance to RFC 2311
(http://www.ietf.org/rfc/rfc2311.txt?number=2311). As the RFC states, an
error message should be displayed whenever the "From" field of the
letter does not match that of the S/MIME RFC822 Name (in our example it
will be noamrat_private).

The following error message will be displayed whenever such an incident
occurs (The fake email address has been set to "Fake"):

-----------------------------------
Security Warning 
 
There are security problems with this message.
Please review the highlighted items listed below:  

(V) Message has not been tampered with 
(V) You do trust the signing digital ID 
(V) The digital ID has not expired 
(X) The digital ID's e-mail address does not match sender's 
 Signer: noamrat_private 
 Sender: Fake
(V) The digital ID has not been revoked or revocation information for
this 
certificate could not be determined. 
(V) There are no other problems with the digital ID 
-----------------------------------


Ironically, this message warning is where the vulnerability lies. An
overflow in the code that tries to place the sender's email address in
the message allows arbitrary code execution, which is triggered whenever
a user views the message. Watching it in the preview pane is sufficient
to trigger the overflow.

Vendor response:
Microsoft has responded promptly and the fix was included in Service
Pack 1 for Windows XP released a few weeks ago.
A patch for other systems is available at:

http://www.microsoft.com/windows/ie/downloads/critical/q328676/default.a
sp.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:noamrat_private>
Noam Rathaus.

Next message: Dirk Mueller: "KDE Security Advisory: KGhostview Arbitary Code Execution"
Previous message: Olaf Schulz: "[VulnWatch] Apache Tomcat 3.x and 4.0.x: Remote denial-of-service vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 10:23:13 PDT