iDEFENSE Security Advisory 06.14.05: Microsoft Outlook Express NNTP Response Parsing Buffer Overflow Vulnerability

From: iDEFENSE Labs (labs-no-reply_at_idefense.com)
Date: 06/14/05

    Date: Tue, 14 Jun 2005 14:35:30 -0400
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    
    

    Microsoft Outlook Express NNTP Response Parsing Buffer Overflow
    Vulnerability

    iDEFENSE Security Advisory 06.14.05
    www.idefense.com/application/poi/display?id=263&type=vulnerabilities
    June 14, 2005

    I. BACKGROUND

    Microsoft Outlook Express is an e-mail and newsgroup client shipped with
    the Microsoft Windows operating system.

    II. DESCRIPTION

    Remote exploitation of a buffer overflow vulnerability in the news
    reader functionality of Microsoft Corp.'s Outlook Express allows
    attackers to execute arbitrary code under the current user's privileges.

    The vulnerability specifically exists when parsing Network News Transfer
    Protocol (NNTP, RFC 977) server responses after issuing a "LIST"
    command. A stack-based buffer overflow occurs within a routine in
    MSOE.dll, found in "C:\Program Files\Outlook Express\MSOE.DLL." The
    addresses and offsets that follow are based on MSOE.DLL version
    5.50.4927.1200 as shipped with Microsoft Windows 2000 SP4. When parsing
    a server response of the following form:

        alt.12hr 0<LONG STRING>000001325 0000001322 y      \r\n
        FIELD1   FIELD2                  FIELD3     FIELD4 TERMINATOR

    various string parsing loops are used that call the CharNext() and
    IsSpace() routines to determine the length of the whitespace-delimited
    fields. An assembly equivalent of StrCpy() is used to copy FIELD2 into a
    static (16 byte) stack-based buffer here:

        SUB_6AED247A()
        ...
        6AED268B mov eax, ebx ; eax = end of FIELD2 (current parse position)
        6AED268D lea edi, [ebp+buff] ; edi = stack variable (copy destination)
        6AED2690 sub eax, esi ; esi = start of FIELD2 (copy source); eax = end - start
        6AED2692 mov ecx, eax ; ecx = length of FIELD2
        6AED2694 mov edx, ecx ; edx = length of FIELD2
        6AED2696 shr ecx, 2
        6AED2699 rep movsd ; *** overflow occurs here
        6AED269B mov ecx, edx
        6AED269D and ecx, 3
        6AED26A0 rep movsb ; copy remaining bytes
        6AED26A2 and byte ptr [ebp+eax+buff], 0 ; null terminate the string

    The copied buffer is later passed to the routine StrToIntA(). The
    "rep movsd" instruction located at 0x6AED2699 causes a stack-based
    buffer overflow to occur with user-supplied data. An attacker can
    overwrite a stack-stored Structured Exception Handler (SEH) to alter
    instruction flow and eventually execute arbitrary code.

    Outlook Express as shipped with Windows XP SP2 is not affected. The
    following excerpt from MSOE.DLL version 6.0.2900.2180 shows that a
    check has been added that limits the length of FIELD2 to 14 bytes:

        SUB_60354869()
        ...
        60354A7B mov edi, ebx ; edi = current location
        60354A7D sub edi, [ebp+var_11C] ; edi = length of field2
        60354A83 cmp edi, 14 ; if length of field2 > 14
        60354A86 jbe short loc_60354A8D
        60354A88 push 14
        60354A8A pop edi ; length of field2 = 14

    Furthermore, a StrCpy() or equivalent instruction sequence is not used
    to generate a new buffer to pass to the StrToIntA() routine. Instead
    FIELD2 is null terminated in memory and a pointer to the start of FIELD2
    is passed to StrToIntA().
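
The length clamp described above, written as a bounded parse of FIELD2 in C. This is an added example, not code from MSOE.DLL or from iDEFENSE; the function names, return codes and sample line are assumptions, and unlike the fixed DLL (which converts FIELD2 in place) it still copies into a 16-byte local buffer to show the check that the vulnerable routine lacked.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD2_MAX 14   /* clamp value the advisory reports for the fixed build */

/* Advance to the first whitespace character at or after p (or the NUL). */
static const char *field_end(const char *p) {
    while (*p && !isspace((unsigned char)*p)) p++;
    return p;
}

/* Advance past any run of whitespace. */
static const char *skip_ws(const char *p) {
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/*
 * Parse FIELD2 of one LIST response line into *out.
 * Returns 0 on success, -1 if FIELD2 is missing, and 1 if FIELD2 was
 * longer than FIELD2_MAX and was truncated before conversion (worth
 * logging as an anomaly in the server response).
 */
int parse_list_field2(const char *line, long *out) {
    char buf[FIELD2_MAX + 2];  /* 16 bytes, the buffer size given in the advisory */
    const char *start = skip_ws(field_end(skip_ws(line)));  /* step over FIELD1 */
    size_t len = (size_t)(field_end(start) - start);
    int clamped = 0;

    if (len == 0) return -1;
    if (len > FIELD2_MAX) { len = FIELD2_MAX; clamped = 1; }  /* the missing check */
    memcpy(buf, start, len);
    buf[len] = '\0';
    *out = strtol(buf, NULL, 10);
    return clamped;
}

int main(void) {
    /* Constructed sample line in the shape shown in the advisory. */
    long high = 0;
    int rc = parse_list_field2("alt.12hr 0000001325 0000001322 y\r\n", &high);
    printf("rc=%d field2=%ld\n", rc, high);
    return 0;
}
```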

    III. ANALYSIS

    Exploitation of the described vulnerability allows remote attackers to
    execute arbitrary code under the privileges of the currently logged on
    user. An attacker must create a malicious server and either force or
    convince a target user to connect to it with Outlook Express. On at
    least Windows 2000 and Windows XP systems the default handler for the
    "news://" URI is Outlook Express. An attacker can force a target user to
    connect to a malicious server through a link such as:

        news://attack.server.ip

    The impact of this vulnerability is mitigated by the fact that when the
    target user connects to the malicious server he or she will be presented
    with a yes/no dialog box containing the following text:

        "You are not subscribed to any newsgroups in this account.
        Would you like to view a list of available newsgroups now?"

    The user must select "yes" for exploitation to occur.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability in Microsoft
    Outlook Express 5 as shipped with Windows 2000 SP4
    (MSOE.DLL v5.50.4927.1200) and Outlook Express 6 as shipped with Windows
    XP SP1 (MSOE.DLL v6.0.2800.1437). It is suspected that earlier versions
    of Outlook Express are also vulnerable.

    iDEFENSE has confirmed that Outlook Express 6 as shipped with Windows XP
    SP2 (MSOE.DLL v6.0.2900.2180) is not vulnerable.

    V. WORKAROUND

    Disable Outlook Express as the default "news://" URI handler and connect
    to untrusted news sources with an unaffected news reader. The URI
    handler can be removed by deleting the following registry key:

        HKEY_CLASSES_ROOT\news\shell\open\command

    Alternatively, Windows XP users can install service pack 2.

    VI. VENDOR RESPONSE

    The vendor security advisory and appropriate patches are available at:

       http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2005-1213 to this issue. This is a candidate for inclusion
    in the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.

    VIII. DISCLOSURE TIMELINE

    11/16/2004 Initial vendor notification
    11/18/2004 Initial vendor response
    06/14/2004 Coordinated public disclosure

    IX. CREDIT

    An anonymous contributor is credited with discovering this
    vulnerability.

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

