-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

0    10   20   30   40   50   60   70   80   90   100
|----|----|----|----|----|----|----|----|----|----|
...................................................

.---------------.
/ NtWaK0 Bugs    \
+-----------------------------------------------------------------------.
Affected : Outlook 2000 and maybe others
Type     : Create any file type by sending a body message that
           contains "begin 666 filename.exe" or filename.whatever
Date     : 23-03-2002
Author   : NtWaK0 @ www.SafeHack.com
+-----------------------------------------------------------------------.

+----------------------------------.
 Create Attachment Using begin 666  \
+------------------------------------`----------------------------------.

+-----------.
 Disclaimer  \
+-------------`---------------------------------------------------------.

The information in this advisory is believed to be true based on
experiments, though it may be false. The opinions expressed in this
advisory and program are my own and NOT of any company.
In fact I do not work for anyone at the present time.

This material is presented for informational and entertainment purposes
only, and to satisfy the curious. Any activities described in this file
which involve vandalism, theft, or any other illegal activities are
recounted from third-party conversations. I do not condone or encourage
vandalism or theft. I do not accept any liability for anything anyone
does with this information.
Remember: Use a computer in ways that ensure respect for your fellows.

+-------.
 T.O.C.  \
+---------`-------------------------------------------------------------.

[ Brief History . . . . . . . . . . . . . . . . . . . . . .line 47  ]
[ The Problem . . . . . . . . . . . . . . . . . . . . . . .line 82  ]
[ The Solution . . . . . . . . . . . . . . . . . . . . . .line 195 ]

+-------------.
 Brief History \
+---------------`-------------------------------------------------------.
Follow up on the first post.

After testing the begin uucode a bit more, I found that not only
"begin 666" will create an attachment file, but any header that follows
the uucode standard.

I have attached an extract of the uucode definition below.

The body of the message starts with the words "begin 666" followed by
any filename you like to create.
This sequence of characters is identical to that of the header for a
file attachment that is encoded in UUencode format.

For this reason, the message is incorrectly interpreted as an encoded
attachment.

This problem only occurs in messages that you receive in plain text
format.

This problem may occur in Microsoft Outlook Express too; I did not
test it... I am going to do more tests using the begin something.

This can lead to bigger problems. I just hope that Microsoft works on it
whenever they can.
But if a one-line message body can create an attachment, this of course
does not lead to a SECURE mail client.

+---------------------------+
>>> Test OS Applications <<<
+---------------------------+
Tested on Windows 2K with Outlook 2000 and patches

+-----------.
 The Problem \
+-------------`---------------------------------------------------------.

The body of the message starts with the word "begin" followed by one
space and the application that you like to RUN.

I have tried begin and two spaces, and this did not lead to attachment
creation, as mentioned at the MS site at the following URL:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q265230

But I was able to create an attachment by sending begin 666 filename.exe
See detail below.

[Extracted From http://www.fht-esslingen.de/~clfuit00/sasnt/uucode/ ]

UUENCODE(5)

NAME
     uuencode - format of an encoded uuencode file

DESCRIPTION
     Files output by uuencode(1) consist of a header line, followed by a
     number of body lines, and a trailer line.
     The uudecode(1) command will ignore any lines preceding the header
     or following the trailer. Lines preceding a header must not, of
     course, look like a header.

     The header line is distinguished by having the first 6 characters
     "begin ". The word begin is followed by a mode (in octal), and a
     string which names the remote file. A space separates the three
     items in the header line.

     The body consists of a number of lines, each at most 62 characters
     long (including the trailing newline). These consist of a character
     count, followed by encoded characters, followed by a newline. The
     character count is a single printing character, and represents an
     integer, the number of bytes the rest of the line represents. Such
     integers are always in the range from 0 to 63 and can be determined
     by subtracting the character space (octal 40) from the character.

     Groups of 3 bytes are stored in 4 characters, 6 bits per character.
     All are offset by a space to make the characters printing. The last
     line may be shorter than the normal 45 bytes. If the size is not a
     multiple of 3, this fact can be determined by the value of the
     count on the last line. Extra garbage will be included to make the
     character count a multiple of 4. The body is terminated by a line
     with a count of zero. This line consists of one ASCII space.

     The trailer line consists of "end" on a line by itself.

SEE ALSO
     uuencode(1), uudecode(1), uusend(1), uucp(1), mail(1)

HISTORY
     The uuencode file format appeared in BSD 4.0.

========================
>>> Proof-Of-Concept <<<
========================

Test # 00
=========
Send yourself a mail with a subject whatever you like.
In the body type: begin 666 notepad.exe
Click Send

Check your mail. Now you should have a mail with an ATTACHMENT.
The attachment will be NOTEPAD.EXE.

If you have your Outlook set to stop .exe, that mail will be rejected
and you will get "Outlook has blocked access to Notepad.exe".

I have no idea why the file was created. I just used normal text :).
Test # 01
=========
I have done another test with a message body:
begin 666 testtttttttttttttttttttttttttttttt.txt
This will create a file called testtttttttttttttttttttttttttttttt.txt
as attachment. The file is empty if you try to open it.

Test # 02
=========
I created a mail with a message body:
begin 666 testttttttttttttttttttttttttttttttttttttttttttttttttttttttttt-
tttt.txt

This did not create an attachment, so there is a limit to the text
size.

Test # 03
=========
begin 666 testttttttttttttttttttttttttttttttttttttttttttttttttttttttttt-
tt.txt
This created an attachment with a filename:

testttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt.txt

Imagine someone spams your mail server with only a one-line body
message, for example: begin 666 virus.exe
I am not sure if your ANTI-VIRUS protection won't be over-booked.

This bug is similar to, but not the same AT ALL as:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q265230

+------------.
 The Solution \
+--------------`--------------------------------------------------------.

This mail was sent to the Vendor too (Microsoft)
+-----------------------------------------------------------------------.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPJ3O4fPoW9fFNsN8EQLdjwCdGMRchyJGO2HlDP+7TNkTgpXaZyYAnjBb
fjv+7zcZY4RsUcWIeN5JxRh2
=b3Sy
-----END PGP SIGNATURE-----

________________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe, and
buried 20 feet under the ground in a secret location... and I'm not even
too sure about that one" -- Dennis Hughes, FBI.
____________________________________________________________.___________
Live Well Do Good              www.SafeHack.com  |  Je Pense, Donc Je Suis
      \(|)/
     --(")--
      /`\      NtWaK0
________________________________________________________________________
________________________________________________________________________
   -=- Use a computer in ways that ensure respect for your fellows -=-
This archive was generated by hypermail 2b30 : Sun Mar 24 2002 - 08:24:01 PST