[NT] Microsoft Outlook Express NNTP "LIST" Buffer Overflow (MS05-030)

Subject: [NT] Microsoft Outlook Express NNTP "LIST" Buffer Overflow (MS05-030)
Date: 15 Jun 2005 16:17:26 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Microsoft Outlook Express NNTP "LIST" Buffer Overflow (MS05-030)
------------------------------------------------------------------------


SUMMARY

Microsoft Outlook Express (http://www.microsoft.com/windows/oe/) is an 
email and news client that Microsoft bundles with its Windows operating 
systems and with the Internet Explorer web browser.

The NNTP news reader embedded in Outlook Express contains a stack-based 
buffer overflow. Exploiting it allows a remote attacker to execute 
arbitrary code with the privileges of the Outlook Express user.

DETAILS

Vulnerable Systems:
 * Microsoft Outlook Express shipped with Microsoft Windows 2000 SP4 
(MSOE.DLL version 5.50.4927.1200)

Remote exploitation of a buffer overflow vulnerability in the news reader 
functionality of Microsoft's Outlook Express allows attackers to execute 
arbitrary code under the current user's privileges.

The vulnerability specifically exists when parsing Network News Transfer 
Protocol (NNTP, RFC 977, http://www.ietf.org/rfc/rfc977.txt) server 
responses after issuing a "LIST" command. A stack-based buffer overflow 
occurs within a routine in MSOE.dll, found in "C:\Program Files\Outlook 
Express\MSOE.DLL". The addresses and offsets that follow are based on 
MSOE.DLL version 5.50.4927.1200 as shipped with Microsoft Windows 2000 
SP4. Each line of a LIST response has the form "group last first posting", 
and the overflow is triggered by a line of the following form:
    alt.12hr 0<LONG STRING>000001325 0000001322 y\r\n
    FIELD1   FIELD2                  FIELD3     FIELD4 TERMINATOR

Various string parsing loops call the CharNext() and IsSpace() routines to 
determine the length of each whitespace-delimited field. An inlined 
StrCpy()-equivalent sequence then copies FIELD2 into a fixed 16-byte 
stack-based buffer with no length check. Note that rep movsd copies from 
[esi] to [edi], so esi holds the start of FIELD2 and ebx its end:
    SUB_6AED247A()
    ...
    6AED268B mov eax, ebx ; eax = end of FIELD2 (current scan position)
    6AED268D lea edi, [ebp+buff] ; edi = 16-byte stack buffer (destination)
    6AED2690 sub eax, esi ; esi = start of FIELD2 (source for rep movs)
    6AED2692 mov ecx, eax ; ecx = length of FIELD2
    6AED2694 mov edx, ecx ; edx = length of FIELD2 (saved for the tail copy)
    6AED2696 shr ecx, 2 ; ecx = length / 4 (dword count)
    6AED2699 rep movsd ; *** overflow occurs here: no bound on length
    6AED269B mov ecx, edx
    6AED269D and ecx, 3 ; ecx = length % 4
    6AED26A0 rep movsb ; copy remaining bytes
    6AED26A2 and byte ptr [ebp+eax+buff], 0 ; null terminate: buff[length] = 0, itself out of bounds once length >= 16

The copied buffer is later passed to the routine StrToIntA(). The "rep 
movsd" instruction located at 0x6AED2699 causes a stack-based buffer 
overflow to occur with user-supplied data. An attacker can overwrite a 
stack-stored Structured Exception Handler (SEH) to alter instruction flow 
and eventually execute arbitrary code.

Outlook Express as shipped with Windows XP SP2 is not affected. The 
following excerpt from MSOE.DLL version 6.0.2900.2180 shows that a check 
has been added that limits the length of FIELD2 to 14 bytes:
    SUB_60354869()
    ...
    60354A7B mov edi, ebx ; edi = current location
    60354A7D sub edi, [ebp+var_11C] ; edi = length of field2
    60354A83 cmp edi, 14 ; if length of field2 > 14
    60354A86 jbe short loc_60354A8D
    60354A88 push 14
    60354A8A pop edi ; length of field2 = 14

Furthermore, a StrCpy() or equivalent instruction sequence is not used to 
generate a new buffer to pass to the StrToIntA() routine. Instead FIELD2 
is null terminated in memory and a pointer to the start of FIELD2 is 
passed to StrToIntA().
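The parsing logic described above, as an added example in C that is not part of the advisory, of MSOE.DLL or of any Microsoft code: the vulnerable shape (unbounded copy of FIELD2 into a 16-byte stack buffer, then an integer parse) beside the XP SP2 shape (length clamped to 14 bytes and parsed in place, with no fixed-size copy). The 16-byte buffer and the 14-byte cap are taken from the advisory; the field splitting, the function names, strtol() standing in for StrToIntA(), and the sample lines are assumptions constructed for this example.

```c
/* Added example, not code from the advisory or from MSOE.DLL. Reimplements the
 * NNTP LIST line handling described above in its vulnerable and hardened forms. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_SIZE  16   /* size of the stack buffer in the vulnerable routine (from the advisory) */
#define FIELD2_MAX 14   /* length cap added in MSOE.DLL 6.0.2900.2180 (from the advisory) */
#define MAX_FIELDS 4    /* RFC 977 LIST line: group last first posting-flag (assumed layout) */

/* Split one LIST response line into whitespace-delimited fields without
 * copying (the job of the CharNext()/IsSpace() loops). Returns the number
 * of fields found, at most MAX_FIELDS; "\r\n" counts as whitespace. */
static int split_fields(const char *line, const char *start[], size_t len[])
{
    int n = 0;
    const char *p = line;

    while (*p != '\0' && n < MAX_FIELDS) {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        start[n] = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;
        len[n] = (size_t)(p - start[n]);
        n++;
    }
    return n;
}

/* Returns 1 if this line's FIELD2 overruns the 16-byte buffer. The rep movsd /
 * rep movsb pair writes len bytes and "and byte ptr [ebp+eax+buff], 0" writes
 * the NUL at buff[len], so any length >= 16 writes past the buffer. */
int field2_overflows(const char *line)
{
    const char *start[MAX_FIELDS];
    size_t len[MAX_FIELDS];

    if (split_fields(line, start, len) < 2)
        return 0;
    return len[1] >= BUFF_SIZE;
}

/* Vulnerable shape (Windows 2000 SP4 build): FIELD2 is copied unbounded into a
 * fixed 16-byte stack buffer and then handed to the integer parser. A FIELD2 of
 * 16 or more bytes smashes the stack here; never call this with untrusted input. */
long field2_vulnerable(const char *line)
{
    const char *start[MAX_FIELDS];
    size_t len[MAX_FIELDS];
    char buff[BUFF_SIZE];

    if (split_fields(line, start, len) < 2)
        return -1;
    memcpy(buff, start[1], len[1]);   /* no length check: this is the overflow */
    buff[len[1]] = '\0';
    return strtol(buff, NULL, 10);    /* strtol stands in for StrToIntA() */
}

/* Hardened shape (what the XP SP2 build does): clamp FIELD2 to 14 bytes and
 * parse it in place, so there is no fixed-size copy at all. The field is
 * NUL-terminated inside the caller's line for the duration of the parse and
 * the overwritten byte is restored afterwards. Returns -1 on a short line. */
long field2_hardened(char *line)
{
    const char *start[MAX_FIELDS];
    size_t len[MAX_FIELDS];
    size_t n;
    char *f2, saved;
    long value;

    if (split_fields(line, start, len) < 2)
        return -1;
    n = len[1] > FIELD2_MAX ? FIELD2_MAX : len[1];   /* cmp edi,14 / jbe / push 14; pop edi */
    f2 = line + (start[1] - line);
    saved = f2[n];
    f2[n] = '\0';
    value = strtol(f2, NULL, 10);
    f2[n] = saved;
    return value;
}

int main(void)
{
    /* Constructed sample lines: a normal LIST entry and one shaped like the
     * advisory's trigger (overlong FIELD2). */
    char normal[]  = "alt.12hr 0000001325 0000001322 y\r\n";
    char trigger[] = "alt.12hr 0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA000001325 0000001322 y\r\n";

    printf("normal : overflows=%d last=%ld\n", field2_overflows(normal), field2_hardened(normal));
    printf("trigger: overflows=%d last=%ld\n", field2_overflows(trigger), field2_hardened(trigger));
    return 0;
}
```

field2_overflows() makes the boundary explicit: a 15-byte FIELD2 still fits together with its terminator, 16 bytes or more do not, so the SP2 clamp at 14 is a safe bound even for code that still copies. The vulnerable function is kept only for contrast and is never called with a long field here; feeding it the trigger line is a real stack smash.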

Exploitation of the described vulnerability allows remote attackers to 
execute arbitrary code under the privileges of the currently logged on 
user. An attacker must create a malicious NNTP server that answers the 
client's "LIST" command with an overlong FIELD2, and either force or 
convince a target user to connect to it with Outlook Express. On at least 
Windows 2000 and Windows XP systems the default handler for the "news://" 
URI is Outlook Express. An attacker can force a target user to connect to 
a malicious server through a link such as:
    news://attack.server.ip

The impact of this vulnerability is mitigated by the fact that when the 
target user connects to the malicious server he or she will be presented 
with a yes/no dialog box containing the following text:
    "You are not subscribed to any newsgroups in this account.
    Would you like to view a list of available newsgroups now?"

The user must select "yes" for exploitation to occur.

Workaround:
Disable Outlook Express as the default "news://" URI handler and connect 
to untrusted news sources with an unaffected news reader. The URI handler 
can be removed by deleting the following registry key:
    HKEY_CLASSES_ROOT\news\shell\open\command
Alternatively, Windows XP users can install Service Pack 2, whose Outlook 
Express build (MSOE.DLL 6.0.2900.2180) is not affected.

Disclosure Timeline:
 * 11.16.04 - Initial vendor notification
 * 11.18.04 - Initial vendor response
 * 06.14.05 - Coordinated public disclosure

Vendor Status:
The vendor security advisory and appropriate patches are available at:
http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx

CVE Information:
CAN-2005-1213 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1213)


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE (idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=263&type=vulnerabilities


