COMMAND
MS patch Q292108
SYSTEMS AFFECTED
Outlook Express
PROBLEM
Juan Carlos G. Cuartango found the following. The latest MS patch,
Q290108, released with bulletin MS01-020, opens a new vulnerability.
A crafted EML file can confuse the user by displaying a fake
downloaded file name. Executable files can be disguised as other,
supposedly innocent files (text, sound or images). A demo is
available at:
http://www.kriptopolis.com/cua/20010404.html
Jesus Lopez de Aguileta also found the same vulnerability at the
same time.
The short version of this: if we try to open an MP3 file remotely,
and we actually execute a Word macro document or even a
full-fledged install of BackOrifice, we are the victim of a security
hole: our ruleset for choosing what to download was tricked; the
trust we applied to one format (MP3) was used upon another (EXE,
DOC). The rest of this is essentially a quick refresher in
security theory for whoever at MS argued that "querying the user,
even with a spoofed query, means no security hole", along with a
surprising connection to bioethics.
Essentially, there is a simple rule of browser security: explicitly
asking the user to authorize a transaction with an informed set of
validated security parameters is more secure than simply having a
default list of parameters that must be satisfied and automatically
accepting if that list is satisfied.
Paul Schmehl added the following. In the interest of full
disclosure, and because Microsoft has given us the exact same answer
to *this*, a buffer overflow exists in the subject line buffer of
Outlook Express, versions 5.0.x.x and 5.50.x.x. This overflow is
exploitable (in the latter version) with the same EML content
spoofing discussed in the previous thread.
One of his techs, Su Wadlow, did some testing after they had
problems with Outlook Express clients crashing when trying to read
a certain VP's email. (He likes to send email with excessively
long subject lines, such as the entire first paragraph of his
email message.)
If a subject line with more than 256 characters is constructed, OE
will overflow and crash (OE 5.0.x.x) or construct an attachment
out of the message body (OE 5.50.x.x). (Su read a post on
vuln-dev discussing a buffer overflow in the news reader of OE,
and, putting two and two together, decided that must be what was
happening in OE's subject line. He asked her to do some testing,
and she found that the buffer could be overflowed inconsistently
with as few as 161 characters [no determination as to the cause
other than length] and consistently with 256 characters.)
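The two problems described above (an attachment whose innocent-looking name hides an executable or Office document, and a subject line long enough to overflow the OE buffer) can both be spotted at the mail gateway before a client ever renders the message. The scanner below is an added example for this advisory, not code from any of the people quoted here; it parses a raw .eml with Python's standard email module, flags subjects at or above the 161/256 character counts reported above, and compares each attachment's declared extension against the content's leading bytes. The "MZ" and OLE magic values are the standard signatures; the extension list, the finding codes and the sample message are constructed for the example.

```python
"""Gateway-side scan for disguised attachments and overlong subjects (added example)."""
import base64
import os
from email import policy
from email.parser import BytesParser

# Thresholds taken from the advisory: crashes were seen inconsistently
# from 161 characters and consistently at 256.
SUBJECT_CONSISTENT = 256
SUBJECT_SUSPECT = 161

# Leading bytes of the formats the advisory says get disguised as MP3/TXT.
# The magic values are standard; the labels are ours.
MAGIC = [
    (b"MZ", "DOS/Windows executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document (Word/Excel)"),
]

# Extensions a user would treat as "innocent" (text, sound, images).
# Constructed list for the example.
INNOCENT_EXT = {".txt", ".mp3", ".wav", ".gif", ".jpg", ".jpeg", ".bmp", ".png"}


def disguise_reason(filename, payload):
    """Describe the mismatch if an innocent-looking extension carries
    executable or Office content; return None when the name is honest."""
    ext = os.path.splitext(filename or "")[1].lower()
    if ext not in INNOCENT_EXT:
        return None
    for magic, label in MAGIC:
        if payload.startswith(magic):
            return f"{filename!r} claims {ext} but content is a {label}"
    return None


def check_eml(raw):
    """Parse one raw .eml and return a list of (code, detail) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    subject = str(msg.get("Subject", ""))
    if len(subject) >= SUBJECT_CONSISTENT:
        findings.append(("SUBJECT_OVERFLOW",
                         f"subject is {len(subject)} chars (>= {SUBJECT_CONSISTENT})"))
    elif len(subject) >= SUBJECT_SUSPECT:
        findings.append(("SUBJECT_SUSPECT",
                         f"subject is {len(subject)} chars (>= {SUBJECT_SUSPECT})"))

    # Walk every leaf MIME part that carries a file name and inspect its bytes.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        reason = disguise_reason(name, payload)
        if reason:
            findings.append(("DISGUISED_ATTACHMENT", reason))
    return findings


def build_sample(subject, filename, content, mime="application/octet-stream"):
    """Assemble a minimal raw multipart/mixed .eml (constructed test data)."""
    enc = lambda s: s.encode("ascii")
    lines = [
        b"From: sender@example.invalid",
        b"To: user@example.invalid",
        b"Subject: " + enc(subject),
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="bnd"',
        b"",
        b"--bnd",
        b"Content-Type: text/plain",
        b"",
        b"See the attached file.",
        b"--bnd",
        b"Content-Type: " + enc(mime) + b'; name="' + enc(filename) + b'"',
        b'Content-Disposition: attachment; filename="' + enc(filename) + b'"',
        b"Content-Transfer-Encoding: base64",
        b"",
        base64.b64encode(content),
        b"--bnd--",
        b"",
    ]
    return b"\r\n".join(lines)


# Constructed stand-in for an executable: only the MZ header, not a real program.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
# Constructed subject in the style of the VP's long first paragraph (324 chars).
LONG_SUBJECT = ("Please review the attached quarterly figures before the meeting. " * 5).strip()

if __name__ == "__main__":
    for code, detail in check_eml(build_sample(LONG_SUBJECT, "song.mp3", FAKE_EXE, "audio/mpeg")):
        print(code, "-", detail)
```

The content check is deliberately independent of the Content-Type header, since that header is under the sender's control just as the file name is; only the decoded bytes are trusted. A real deployment would extend MAGIC with further executable and archive signatures and quarantine rather than merely report.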
This bug was identified and posted on malware.com's site in
January of this year. Malware.com claims this bug exists in
Outlook as well, but we have been unable to reproduce that.
If you visit the malware.com site
http://www.malware.com/dropper.html
you will find some proof-of-concept exploits that demonstrate how
this bug can be exploited to run any application you want on the
victim's machine by "fooling" them with a fake icon. (This would
only work in the later versions. Ver. 5.0.x.x will crash. Didn't
test any older versions such as 4.x.) Something similar can be
found at:
http://oliver.efri.hr/~crv/security/bugs/NT/olook20.html
Philip Stoev confirmed this on W2K SP1 with IE 5.5 SP1 + Q290108.
The interesting thing is that the Open/Save As dialog box says
just "readme.txt from", without displaying the host name. This
can serve as a warning to paranoid users.
This is clearly a dialog box trick, as the "Always ask before
opening this type of file" checkbox is both checked and disabled,
which is the behaviour for executables, and not for .TXT files.
SOLUTION
The issue was reported to MS on 22 February and they argue that
this is not a vulnerability, since it involves a user decision.