Malformed E-Mail Header in Outlook

DOVES Vulnerability V-00108

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: By crafting an email header that is too long, an attacker can cause a buffer overflow in Outlook.

Detailed description: Microsoft Outlook does not check the length of the date in the date parsing routines in "inetcomm.dll". Outlook and Outlook Express use this component to handle mail downloaded through IMAP4, POP3, or MAPI (although the MAPI exploit is much more difficult, and Microsoft suggests using MAPI only to limit exposure until a patch can be installed). The result is that an attacker can craft a date that will overflow the buffer and execute the downloaded string.

Specifically, the part of the parsing routine that handles time zones (like "GMT") does not check the length of the time zone. So if the time zone is very long, it will overflow the buffer.

This also works when the time zone field is encoded as a MIME attachment in Outlook's attachment format.
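The missing check described above, shown as an added C example (not code from inetcomm.dll or from this DOVES entry): a parser that validates the length of the time zone token before copying it into a fixed-size buffer. The function name extract_zone and the 5-character limit ZONE_MAX are assumptions for illustration, and trailing comments such as "(PDT)" are rejected rather than parsed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZONE_MAX 5  /* assumed limit: "+hhmm" or short names such as "GMT" */

/* Copy the trailing time zone token of a Date header value into out.
 * Returns 0 on success, -1 if the token is missing, malformed, or does
 * not fit. The length is checked BEFORE any byte is copied. */
int extract_zone(const char *date, char *out, size_t outlen)
{
    size_t end = strlen(date);
    while (end > 0 && isspace((unsigned char)date[end - 1]))
        end--;                          /* trim trailing whitespace */
    size_t start = end;
    while (start > 0 && !isspace((unsigned char)date[start - 1]))
        start--;                        /* walk back to the token start */
    size_t len = end - start;

    if (len == 0 || len > ZONE_MAX || len >= outlen)
        return -1;                      /* reject instead of truncating */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)date[start + i];
        if (!isalnum(c) && !(i == 0 && (c == '+' || c == '-')))
            return -1;                  /* optional sign, then alphanumerics */
    }
    memcpy(out, date + start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from real mail. */
    const char *samples[] = {
        "Tue, 18 Jul 2000 10:00:00 GMT",
        "Tue, 18 Jul 2000 10:00:00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    };
    char zone[ZONE_MAX + 1];
    for (size_t i = 0; i < 2; i++)
        printf("%d\n", extract_zone(samples[i], zone, sizeof zone));
    return 0;
}
```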

Components: Microsoft Outlook Express 4.0, 4.01, 5.0, 5.01; Microsoft Outlook 97, 98, and 2000 when a POP3 or IMAP4 server is used

Operating system(s): Windows NT 4.0, all versions; Windows 2000, all versions

The attacker can run code with the privileges of Outlook (usually Administrator)

How to detect:

  1. Check the way you installed Internet Explorer. If you did a default installation of IE 5.01 SP1 (version 5.00.2920.0000) on any system, or IE 5.5 (version 5.50.4134.0600) on a non-Windows 2000 system, you are not vulnerable; otherwise, you are.

How to fix:

  1. Install the patch
    1. Be sure you are running Internet Explorer 4.01 SP2 or Internet Explorer 5.01 or later. The patch requires this to install.
    2. Download the patch for your version of Outlook or Outlook Express and install it.
  2. If you are using any system other than Windows 2000, install Internet Explorer 5.01 SP1 or Internet Explorer 5.5. This eliminates the vulnerability.
  3. If you are using Windows 2000, install Windows 2000 SP1.

Other information:


Keywords

buffer overflow, POP3, IMAP4, MAPI, email

Cataloguing Information

PA Classification:

RISOS Classification:

Davis Classification:

Common Vulnerability Exposure: Buffer overflow in Microsoft Outlook and Outlook Express allows remote attackers to execute arbitrary commands via a long Date field in an email header, aka the "Malformed E-mail Header" vulnerability [CAN-2000-0567]


Exploits

Attacks: See Doves exploit #107


Related Information

Microsoft Knowledge Base article Q267884, E-mail Security Vulnerability Fixed in Internet Explorer 5.01 SP1

Advisories:


History

Who reported it: USSR Labs in Bugtraq on July 5, 2000: independently discovered the problem and reported it to Microsoft; Aaron Drew in Bugtraq on July 18, 2000: independently discovered the problem


Revision #1

  1. Matt Bishop on 8/1/2000
    Initial entry


Send email to doves@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562


Page created August 28, 2000 at 16:41:47 GMT
