COMMAND
MS Outlook (98 and Express), Netscape Mail & Eudora, etc. (see below)
SYSTEMS AFFECTED
Win 9.x, NT, Solaris 2.x, Caldera, HP, NetBSD
PROBLEM
A buffer overrun has been detected in Outlook Express
(v4.72.2106.4 & v4.72.3110.1), and Netscape Mail (v4.05 & 4.5b1).
So far only the Macintosh versions have proven unaffected. Ari
Takanen and Marko Laakso of the Finnish Oulu University Secure
Programming Group discovered it back in late June. They have been
working closely with AUSCERT and the vendors. CIAC, and
COAST/CERIAS (via Gene Spafford) have also been involved.
The exploit method is slightly different in the two different
products (MS versus NS), but it centers around the malicious use
of tags used to identify an attachment. The attachment itself is
not relevant, its contents need not contain any exploit. The tags
that identify the attachment contain the exploit code. Therefore,
the exploit code can be invoked without actually opening the
attachment itself (and in at least one test scenario, without even
opening the message!). When Outlook 98 attempts to download a
message with a file attachment whose filename is longer than a
certain length, Outlook could terminate unexpectedly. The user
does not have to open the attachment in order for this to occur.
This issue will only occur if Outlook 98 is installed with an
Internet Mail Only configuration, or with an Internet Mail service
in the Corporate/Workgroup configuration. When the user attempts
to open an attachment in the Outlook 98 newsreader and the
attachment has a filename longer than a certain number of
characters, the client could crash. When the user attempts to
open an attachment in Outlook Express mail or news client and the
attachment has a filename longer than a certain number of
characters, the client could terminate unexpectedly.
The exploit has been demonstrated in email and news, and has been
confirmed by both Microsoft and Netscape. COAST has suggested that
Eudora is thus far unaffected by the same problem. There are too
many possible avenues of exploit to document here, and many have
not yet been tested. Attachment type does not appear to matter,
so it could as easily be done with a .txt file as with a .gif,
.doc, or .zip. Thus far there is no demonstration exploit
available in the wild, but it's likely that such a program will
appear. As long as affected versions of the exploitable software
continue to exist (and there are enough of them around to say
they'll likely exist for a long time, like the version shipped
with Windows '98), the chances of a new Internet worm loom over
our heads. The exploit does work on Windows NT as well as Windows
'95/'98, and with Outlook Express on Solaris 2.x. Microsoft
indicated they found an issue with Outlook '98 also; look for
details of this in their bulletin.
Ryan Veety added the following. There have been a few posts about
overflows in MS Outlook, but they have not said exactly where in
the message the overflow exists. He found one of them, within the
description of an attachment. If the filename given is very large,
it makes Outlook crash. This was tested on Outlook v4.72.2106.4
on NT 4.0, and on Win95. In both cases it reported an error at
address 0x41414141 (0x41 is the ASCII code for 'A': the oversized
filename has overwritten a saved code address with its own bytes).
Here is the message that caused the errors:
From: <From address here>
To: <To address here>
Subject: test
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="204-1969819122-901726347=:19806"
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
--204-1969819122-901726347=:19806
Content-Type: TEXT/PLAIN; charset=US-ASCII
test
--204-1969819122-901726347=:19806
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Disposition: attachment; filename=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Don't read this text file
--204-1969819122-901726347=:19806--
To send the message, save it to a file, set the To: and From:, and
run "sendmail -t < fileyousaved". It causes Outlook to crash
when the user attempts to open or save the file. There are many
of these overflows in the attachment descriptors. This one
requires the user to open the attachment, but similar overflows
may not.
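The crash address 0x41414141 is the signature of the bug class behind
everything above: an attachment name copied into a fixed-size stack
buffer with no length check. The C fragment below is an added
illustration, not code from the advisory, from Ryan Veety, or from
either vendor; the 256-byte buffer, the function names and the test
header it builds are assumptions. It places the unsafe copy beside a
bounded version that rejects a value which would not fit. The unsafe
function is present only to show the shape of the defect and is never
called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 256   /* assumed size of the client's filename buffer (hypothetical) */

/* Locate the value of the filename= parameter in a Content-Disposition
 * header line. Returns a pointer to the first byte of the value and stores
 * its length in *len; NULL if the parameter is absent. Quoted and bare
 * values are both handled; folded headers are not. */
static const char *find_filename(const char *hdr, size_t *len)
{
    const char *p = strstr(hdr, "filename=");
    if (!p) return NULL;
    p += strlen("filename=");
    int quoted = (*p == '"');
    if (quoted) p++;
    const char *e = p;
    while (*e && *e != '\r' && *e != '\n' &&
           (quoted ? *e != '"' : (*e != ';' && *e != ' ')))
        e++;
    *len = (size_t)(e - p);
    return p;
}

/* VULNERABLE pattern: the value is copied into a fixed stack buffer with no
 * bound. A filename longer than NAME_BUF overruns the buffer; with a long
 * run of 'A' the saved return address ends up as 0x41414141, the fault
 * address reported above. Never call this with untrusted input; it is here
 * only to show the shape of the bug. */
int vulnerable_attachment_name(const char *hdr)
{
    char name[NAME_BUF];
    size_t len;
    const char *v = find_filename(hdr, &len);
    if (!v) return -1;
    memcpy(name, v, len);        /* len is attacker-controlled and unchecked */
    name[len] = '\0';
    return (int)strlen(name);
}

/* HARDENED form: the copy is bounded by the destination, and a value that
 * would not fit is rejected outright (silently truncating is the other
 * defensible choice; the procmail recipe at the end of this page does that
 * on the server). Returns the length, -1 if absent, -2 if too long. */
int safe_attachment_name(const char *hdr, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_filename(hdr, &len);
    if (!v) return -1;
    if (len >= outsz) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed test input: a Content-Disposition header whose filename is
 * n bytes of 'A', as in the message quoted above. Caller frees. */
char *make_header(size_t n)
{
    const char *pre = "Content-Disposition: attachment; filename=";
    char *h = malloc(strlen(pre) + n + 3);
    if (!h) return NULL;
    strcpy(h, pre);
    memset(h + strlen(pre), 'A', n);
    strcpy(h + strlen(pre) + n, "\r\n");
    return h;
}

/* Feed an n-byte filename through the hardened parser; returns its result. */
int probe(size_t n)
{
    char out[NAME_BUF];
    char *h = make_header(n);
    if (!h) return -3;
    int r = safe_attachment_name(h, out, sizeof out);
    free(h);
    return r;
}

int main(void)
{
    size_t tests[] = { 20, 255, 256, 1000 };
    for (size_t i = 0; i < 4; i++)
        printf("filename of %4zu bytes -> %d\n", tests[i], probe(tests[i]));
    return 0;
}
```

A name of 255 bytes is accepted and 256 or more is refused, because the
check is against the destination size rather than against any notion of a
"reasonable" filename; that is the property the affected clients lacked.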
Phillip R. Jaenke confirmed this breaks popclient, presumably
fetchpop. They apparently parse the headers completely when
writing to a file (-o option). Basically, popclient/fetchpop,
when outputting, parse ALL headers. No matter WHERE they are.
Example:
From: Bob Dobbs <thealmighty@subgenius.com>
To: popclient luser <luser@pop.luser.com>
Subject: haha.
lalalalaaaa... alalalalaaa
RandomHeader: AAAAAAAAAAAAAAA<etc, etc>
popclient/fetchpop will parse this incorrectly, resulting in an
attempt to delete a message which does not exist. popclient will
then segfault. Pine appears to have no problems with headers in
messages, though.
As for Eudora, Brett Glass said there may be trouble too. Create
a message with a file attachment and send it to yourself. Edit
your mail file on the UNIX server that handles your mail,
replacing the file name with about 520 characters' worth of
"1234567890". If Eudora Pro 4.0.1 polls the mailbox when the
message comes in, the message will be garbled and the MIME header
with the gigantic file name will appear in the body of the message
when it should not. The huge file name will be displayed next to
an icon, but clicking on the icon will not bring up the attached
file; it will generate an error message instead. When the message
is deleted, the attachment will not be deleted with it as it
should be. After continued use, the mail client will shortly
thereafter GP fault.
Before following the link below, read this:
1. The file is zipped. In order for you to execute this trojan,
   you will have to willingly follow several steps, and therefore
   cannot claim that you did so by accident.
2. There is no link on a web page to this file; it cannot be found
   without knowing the link. We disclaim any responsibility for
   others linking to this file. This was done intentionally, so
   that only people who read this note would know where the file
   is, and would therefore be warned about the consequences. You
   *MAY NOT* download this file without reading this entire note.
   Downloading and/or executing or unzipping this file constitutes
   agreement that you have read this note, and have been warned of
   the behavior of the trojan program. We claim no responsibility
   for any damages caused by it.
3. This program intentionally performs actions that could be
   considered damaging or hostile, to your system and to other
   systems. We claim no responsibility for any actions taken by
   this program. Failure to properly isolate this program may
   result in your system attacking other systems, and legal
   action may be taken against you.
Finally, here is the URL:
http://ntbugtraq.ntadvice.com/download/ie080898.zip
SOLUTION
Netscape have said that the fix for Netscape Mail will be included
in their v4.06 release, due out around August 7th. See:
http://www.netscape.com/products/security/resources/bugs/longfile.html
To get the update for Microsoft Outlook 98 for Windows '95,
Windows '98 & Windows NT, see
http://support.microsoft.com/support/msfe
1. On the Microsoft File Exchange page, click "Click Here to
Receive a file from a Microsoft Technical Support engineer
via your web browser."
2. On the "Receiving Files From MFSE" page, type OLMIME in the
box, and click Continue
3. The name of the file is outpatch.exe
This patch will work for all language versions of Microsoft
Outlook 98. If you use the Outlook 98 newsreader, you must also
install the update for Outlook Express noted below.
If you are using Outlook Express 4.0 that comes with Internet
Explorer 4.0, you must upgrade to Internet Explorer 4.01 in order
to apply this update. You can upgrade to Internet Explorer 4.01
with Service Pack 1 for IE. To get the update for Microsoft
Outlook Express 4.01 for Windows '95, Windows '98 & Windows NT,
see:
http://www.microsoft.com/ie/security/oelong.htm
http://www.microsoft.com/outlook/enhancements/outptch2.asp
The update for Microsoft Outlook Express 4.01 for the Macintosh &
Solaris will be released shortly, please visit:
http://www.Microsoft.com/security
Customers who cannot apply the hot fix to Outlook Express can use
the following workaround to temporarily address this issue.
Outlook Express users who receive attachments in e-mail should
NOT click on the attachment. They should save the attachment to
their hard drive and then view it using Windows Explorer. Note
that the overflow Ryan Veety describes above is triggered on save
as well as on open, so this workaround should not be relied on
against every variant; apply the patch as soon as possible.
Caldera Inc.
============
Caldera is currently investigating these issues and in the
process of releasing a fix. Updated RPMs will be uploaded to:
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011
Hewlett-Packard Company
=======================
The version of dtmail supplied by HP, as part of HP's CDE
product, is vulnerable. This applies to HP9000 Series 7/800
running HP-UX releases 10.10, 10.20, 10.24, 10.30, and 11.00
only. Install the patches listed below:
HP-UX release 10.10 HP9000 Series 7/800 PHSS_16150
HP-UX release 10.20 HP9000 Series 7/800 PHSS_16147
HP-UX release 10.24 HP9000 Series 7/800 PHSS_16197
HP-UX release 10.30 HP9000 Series 7/800 PHSS_16151
HP-UX release 11.00 HP9000 Series 7/800 PHSS_16148
NetBSD Foundation
=================
The NetBSD Foundation package system contains packages for mutt
and pine. All users should upgrade to the latest version of these
packages as soon as possible. Updated binary packages will become
available on the NetBSD FTP server as soon as possible, and will
be announced on the netbsd-announce@netbsd.org list.
The Santa Cruz Operation, Inc. (SCO)
====================================
SCO UnixWare 7 dtmail may be vulnerable - investigation is
continuing. Pending this investigation, SCO recommends that
dtmail not be used on UnixWare 7; mail may be safely read
using mailx or Netscape Navigator.
Sun Microsystems, Inc.
======================
The following patches are available in relation to the above
problem:
SunOS             Patch ID
_____             _________
SunOS 5.6         106650-01
                  106648-01
                  106649-01
SunOS 5.6_x86     106659-01
                  106657-01
                  106658-01
SunOS 5.5.1       104093-05
                  106662-01
                  106663-01
SunOS 5.5.1_x86   105127-02
                  106664-01
                  106665-01
SunOS 5.5         102839-05
                  106666-01
                  106667-01
SunOS 5.5_x86     102840-04
                  106668-01
                  106669-01
SunOS 5.4         101880-13
                  106671-02
                  106672-02
SunOS 5.4_x86     101892-13
                  106673-02
                  106674-02
SunOS 5.3         101605-06
                  106675-02
                  106676-02
SunOS 4.1.4       100544-11
                  106682-01
SunOS 4.1.3_U1    100544-11
                  106682-01
University of Washington
========================
The source patch is available from:
ftp://ftp.cac.washington.edu/pine/pine4.02A.patch
John Hardin has updated his procmail "kit" to shorten long file
names on MIME attachments. This should prevent potential exploits
in mail clients such as Outlook, Outlook Express, Netscape Mail,
and possibly Eudora (there's still some debate about whether
Eudora is susceptible). John's procmail filter kit can be found
at:
http://www.wolfenet.com/~jhardin/procmail-kit.html
You can view his "recipe" for solving the problem at the end of
the file:
http://www.wolfenet.com/~jhardin/html-trap.procmail
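The C filter below is an added example of the server-side mitigation the
procmail recipe performs, and is not John Hardin's kit nor any vendor's
code; the 64-byte limit, the sample message and every name in it are
assumptions. It copies a message through, cutting any filename= or name=
parameter in a header that exceeds the limit. It also addresses the
popclient problem described earlier on this page: a line is only examined
as a header inside a header block (the top of the message, or the lines
that follow a MIME boundary up to the next blank line), so a
"RandomHeader:" line sitting in a message body is copied through untouched.

```c
#include <stdlib.h>
#include <string.h>

/* Find a filename= or name= value within the first len bytes of line;
 * return its start and store its length in *vlen, or NULL if absent. */
static const char *param_value(const char *line, size_t len, size_t *vlen)
{
    const char *p = strstr(line, "filename="), *s, *e;
    size_t klen = 9;
    if (!p || p >= line + len) { p = strstr(line, "name="); klen = 5; }
    if (!p || p >= line + len) return NULL;
    s = p + klen;
    int quoted = (*s == '"');
    if (quoted) s++;
    for (e = s; *e && *e != '\r' && *e != '\n'; e++)
        if (quoted ? *e == '"' : (*e == ';' || *e == ' ')) break;
    *vlen = (size_t)(e - s);
    return s;
}

/* Copy message `in` to `out`, cutting any attachment name longer than limit.
 * A line is examined as a header only inside a header block (top of message,
 * or the lines after a MIME boundary up to the next blank line), so body text
 * that merely looks like a header is left alone. Returns lines changed, or -1
 * if out is too small. Simplifications: any line starting with "--" counts as
 * a boundary, and folded (continuation) header lines are not joined. */
int shorten_attachment_names(const char *in, char *out, size_t outsz, size_t limit)
{
    int in_headers = 1, changed = 0;
    size_t used = 0;
    while (*in) {
        const char *nl = strchr(in, '\n'), *v = NULL;
        size_t n = nl ? (size_t)(nl - in) + 1 : strlen(in), vlen = 0;
        if (used + n + 1 > outsz) return -1;
        if (in[0] == '\n' || (in[0] == '\r' && in[1] == '\n'))
            in_headers = 0;                      /* blank line: body follows */
        else if (in[0] == '-' && in[1] == '-')
            in_headers = 1;                      /* boundary: part headers follow */
        else if (in_headers)
            v = param_value(in, n, &vlen);
        if (v && vlen > limit) {                 /* prefix + first limit bytes + rest */
            size_t head = (size_t)(v - in);
            memcpy(out + used, in, head + limit);
            memcpy(out + used + head + limit, v + vlen, n - head - vlen);
            used += n - vlen + limit;
            changed++;
        } else {
            memcpy(out + used, in, n);
            used += n;
        }
        in += n;
    }
    out[used] = '\0';
    return changed;
}

/* Constructed sample shaped like the message quoted earlier: a text part whose
 * BODY holds a header-looking line with a 100-byte name= (the popclient case),
 * then an attachment part whose filename is n bytes of 'A'. Caller frees. */
static char *build_sample(size_t n)
{
    const char *parts[] = {
        "Subject: test\r\nMIME-Version: 1.0\r\n"
        "Content-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
        "--XX\r\nContent-Type: text/plain\r\n\r\nRandomHeader: attachment; name=",
        "\r\n--XX\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; filename=",
        "\r\n\r\nDon't read this text file\r\n--XX--\r\n" };
    size_t runs[] = { 100, n, 0 }, o = 0;
    char *m = malloc(strlen(parts[0]) + strlen(parts[1]) + strlen(parts[2]) + 100 + n + 1);
    if (!m) return NULL;
    for (int i = 0; i < 3; i++) {
        memcpy(m + o, parts[i], strlen(parts[i])); o += strlen(parts[i]);
        memset(m + o, 'A', runs[i]);               o += runs[i];
    }
    m[o] = '\0';
    return m;
}

/* Build and filter the sample; returns the output (caller frees), sets *changed. */
static char *filtered(size_t n, size_t limit, int *changed)
{
    char *in = build_sample(n), *out = in ? malloc(strlen(in) + 1) : NULL;
    *changed = out ? shorten_attachment_names(in, out, strlen(in) + 1, limit) : -1;
    free(in);
    return out;
}

/* Number of header lines the filter rewrote for an n-byte attachment name. */
int changed_count(size_t n, size_t limit)
{
    int c;
    free(filtered(n, limit, &c));
    return c;
}

/* 'A' bytes following key in the filtered output: "filename=" measures the
 * attachment header, "RandomHeader: attachment; name=" the body line. */
long run_after(size_t n, size_t limit, const char *key)
{
    int c;
    char *out = filtered(n, limit, &c);
    const char *p = (out && c >= 0) ? strstr(out, key) : NULL;
    long run = -1;
    if (p) for (run = 0, p += strlen(key); p[run] == 'A'; run++) {}
    free(out);
    return run;
}
```

Run over the sample with a limit of 64, the 600-byte attachment name comes
out as 64 bytes while the 100-byte fake header in the body is unchanged,
which is exactly the distinction popclient failed to make. A production
filter would parse the boundary= parameter from the enclosing Content-Type
instead of treating every line that starts with "--" as a boundary, and
would unfold continuation lines before examining them.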