-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
.---------------.
/ NtWaK0 Bugs \
+-----------------------------------------------------------------------.
Affected : Outlook 2000 and maybe others :
Type : Create any file type by sending a body message that :
: contain begin 666 filename.exe or filename.whatever :
Date : 23-03-2002 :
Author : NtWaK0 @ www.SafeHack.com :
+-----------------------------------------------------------------------.
+----------------------------------.
Create Attachement Using begin 666 \
+------------------------------------`----------------------------------.
+-----------. :
Disclaimer \ :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on :
experiments though it may be false. The opinions expressed in this :
advisory and program are my own and NOT of any company. :
In Fact I do not work for no one at the present time. :
:
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone :
does with this information. :
Remember: Use a computer in ways that ensure respect for your fellows. :
:
+-------. :
T.O.C. \ :
+---------`-------------------------------------------------------------.
:
:
[ Brief History . . . . . . . . . . . . . . . . . . . . . .line 47 ]:
:
[ The Problem . . . . . . . . . . . . . . . . . . . . . . .line 82 ]:
:
[ The Solution . . . . . . . . . . . . . . . . . . . . . .line 195 ]:
:
+-------------. :
Brief History \ :
+---------------`-------------------------------------------------------.
Follow up on the first post. :
:
After testing a bit more the beging uucode. I found that not only :
begin 666 will create an attachement file But any header that follow :
uucode standard. :
:
I have attacked an extract of uucode defenition below. :
:
The body of the message start with the word "begin 666" followed by :
any filename you like to create. :
This sequence of characters is identical to that of the header for a :
file attachment that is encoded in UUencode format. :
:
:
For this reason, the message is incorrectly interpreted as an encoded :
attachment. :
:
This problem only occurs in messages that you receive in plain text :
format. :
:
This problem maybe occurs in Microsoft Outlook express too I did not :
test it... I am going to do more tests using the begin something. :
:
This can lead to bigger problem. I just hope that microsoft work on it :
whenever they can. :
But if one line message body can create an attachement this of course :
does not lead to a SECURE mail client. :
:
:
:
+---------------------------+ :
>>> Test OS Applications <<< :
+---------------------------+ :
Tested on Windows 2K with outlook 2000 and patchs :
:
+-----------. :
The Problem \ :
+-------------`---------------------------------------------------------.
The body of the message starts with the word "begin" followed by one :
space and the application that you like to RUN. :
:
I have tried begin and two spaces and this did not lead to attachement :
creation. As mentioned in at MS site at the following URL: :
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q265230 :
:
But I was able to create attachement by sending begin 666 filename.exe :
See detail below. :
[Extracted From http://www.fht-esslingen.de/~clfuit00/sasnt/uucode/ ]
UUENCODE(5)
NAME
uuencode - format of an encoded uuencode file
DESCRIPTION
Files output by uuencode(1) consist of a header line, fol
lowed by a number of body lines, and a trailer line. The
uudecode(1) command will ignore any lines preceding the
header or following the trailer. Lines preceding a header
must not, of course, look like a header.
The header line is distinguished by having the first 6
characters begin The word begin is followed by a mode (in
octal), and a string which names the remote file. A space
separates the three items in the header line.
The body consists of a number of lines, each at most 62
characters long (including the trailing newline). These
consist of a character count, followed by encoded charac
ters, followed by a newline. The character count is a
single printing character, and represents an integer, the
number of bytes the rest of the line represents. Such
integers are always in the range from 0 to 63 and can be
determined by subtracting the character space (octal 40)
from the character.
Groups of 3 bytes are stored in 4 characters, 6 bits per
character. All are offset by a space to make the charac
ters printing. The last line may be shorter than the nor
mal 45 bytes. If the size is not a multiple of 3, this
fact can be determined by the value of the count on the
last line. Extra garbage will be included to make the
character count a multiple of 4. The body is terminated
by a line with a count of zero. This line consists of one
ASCII space.
The trailer line consists of end on a line by itself.
SEE ALSO
uuencode(1), uudecode(1), uusend(1), uucp(1), mail(1)
HISTORY
The uuencode file format appeared in BSD 4.0 .
:
================ :
>>> Proof-Of-Concept <<< :
================ :
:
Test # 00 :
========= :
Send your self a mail with a subject whatever you like. :
In the body type: begin 666 notepad.exe :
Click Send :
:
Check your mail. Now you should have a mail with ATTACHEMENT. :
The attackement will be NOTEPAD.EXE. :
:
If you have your outlook set to stop .exe that mail will be rejected :
and you will get "Outlook has blocked access to Notepad.exe. :
:
I have no idea why the file was Created. I just used normal text :). :
:
Test # 01 :
========= :
I have done another test with a message body: :
begin 666 testtttttttttttttttttttttttttttttt.txt :
This will create a file called testtttttttttttttttttttttttttttttt.txt. :
as attachement. The file is empty if you try to open it. :
:
Test # 02 :
========= :
I created a file mail with a message body: :
begin 666 testttttttttttttttttttttttttttttttttttttttttttttttttttttttttt-:
tttt.txt :
:
This did not create an attachment So their is a limite to the text :
size. :
:
Test # 03 :
========= :
begin 666 testttttttttttttttttttttttttttttttttttttttttttttttttttttttttt-:
tt.txt :
This created an attachement with a filename : :
testttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt.txt :
:
Imagine someone spam your mail server with Only one line body message :
example begin 666 virus.exe :
I am not sure if your ANTI-VIRUS protection wont be over-Booked. :
:
This bug is similar to but not the Same AT ALL. :
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q265230 :
:
+------------. :
The Solution \ :
+--------------`--------------------------------------------------------.
This mail was sent to the Vendor too (Microsoft) :
+-----------------------------------------------------------------------.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPJ3O4fPoW9fFNsN8EQLdjwCdGMRchyJGO2HlDP+7TNkTgpXaZyYAnjBb
fjv+7zcZY4RsUcWIeN5JxRh2
=b3Sy
-----END PGP SIGNATURE-----
________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good www.SafeHack.com |
Je Pense, Donc Je Suis \(|)/
--(")--
/`\ NtWaK0
________________________________________________________________________
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow -=-
This archive was generated by hypermail 2b30 : Sun Mar 24 2002 - 08:24:01 PST