RE: Outlook makes 99% CPU Usage with this message

From: DePriest, Jason R. (jrdepriestat_private)
Date: Wed Aug 29 2001 - 12:38:11 PDT

  • Next message: Rich Corbett: "RE: Outlook makes 99% CPU Usage with this message"

    No problems with Outlook 2000 SR-1 (9.0.0.3821) running on Microsoft Windows
    NT Workstation 4.0 SP6a (build 1381) with IE 5.01 SP2 (5.00.3314.2101) and
    the following hotfixes installed: Q147222, Q246009, Q249973, Q252463,
    Q299444.
    
    Although, if I have the message open and go under Format and change it to
    "Plain Text", the asterisks show up (as expected).
    The strange thing is that it puts a ">" at the beginning of each line that
    was previously invisible.
    
    -Jason
    
    -----Original Message-----
    From: Kayne Ian (Softlab) [mailto:Ian.Kayneat_private]
    Sent: Wednesday, August 29, 2001 10:19 AM
    To: Vuln-Dev
    Subject: Outlook makes 99% CPU Usage with this message
    
    
    Hey all,
    	This is a strange one. I've been hashing this about for a while, and
    come up with the following. In the attached zip is a message saved out in
    Outlook normal message format. You can open, read, close, forward etc this
    message absolutely fine. But when you try and click reply, it immediately
    sends Outlook to 100% CPU usage, and it doesn't come back. I have no idea
    why, but it seems to be outlook getting confused with the message body - if
    you hex the .msg file you'll see 2 lines of asterixes that are not displayed
    (and no, it's not cause they are white text on white background, you should
    still be able to highlight them, but they just arent there).
    
    	Now, this crashes my Outlook every time. Thats Outlook 2k
    v9.0.0.3821 running on Win2k Pro. It's crashed a few other ppls outlooks,
    but strangely on some Outlooks (same version as mine) it has no effect. I'm
    wondering if it's to do with a certain combination of patches etc installed.
    
    	So, 2 things for you guys. Firstly, do the following:
    
    1. Exit outlook
    2. Unzip the .msg file from the zip
    3. Load outlook
    4. Double click the .msg file from explorer or somwhere
    5. Click the Reply button
    
    It should crash Outlook immediately. The Exit/Load outlook thing is
    important.
    
    	Secondly, if that doesn't crash, see if you can see 2 rows of *'s
    around the disclaimer. If you save the message as rtf or plain text, or hex
    dump the .msg the asterixes are there. But not when you view the message in
    Outlook. I have no idea of the format of a .msg file, so maybe someone else
    with more experience with this stuff can help?
    
    	Anyway, I can't garantee it will work, and that it's not just my
    machines being screwy. But if it does work, and maybe if it's exploitable,
    it's pretty damn nasty. An invisible exploit in a plain message with no
    attachment that only needs a click on Reply to work? Ouch.
    
    Ian Kayne
    Technical Specialist - IT Solutions
    Softlab Ltd - A BMW Company
    
     <<Test.zip>> 
    
    
    ******************************************************************** 
    This email and any files transmitted with it are confidential and 
    intended solely for the use of the individual or entity to whom 
    they are addressed. 
    
    If you are not the intended recipient or the person responsible for 
    delivering to the intended recipient, be advised that you have received 
    this email in error and that any use of the information contained within 
    this email or attachments is strictly prohibited. 
    
    Internet communications are not secure and Softlab does not accept 
    any legal responsibility for the content of this message. Any opinions 
    expressed in the email are those of the individual and not necessarily 
    those of the Company. 
    
    If you have received this email in error, or if you are concerned with 
    the content of this email please notify the IT helpdesk by telephone 
    on +44 (0)121 788 5480. 
    
    ********************************************************************
    



    This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 13:12:33 PDT