SecurityTracker.com
Category:  Application (E-mail Client)  >  Outlook Express Vendors:  Microsoft
Microsoft Outlook Express (and Possibly Outlook) Has File Attachment Name Bugs That Let Remote Users Send Malicious Mail to Bypass Attachment Type Filters and Modify the Apparent File Name and File Size
SecurityTracker Alert ID:  1004805
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 20 2002
Impact:  Modification of user information
Exploit Included:  Yes  
Version(s): 6.0, 5.5, 5.01
Description:  Several vulnerabilities were reported in Outlook Express (OE). A remote user can send an e-mail whose attachment bypasses OE's unsafe file type filter and misrepresents the attachment's name and size in the client's user interface.

A remote user can reportedly bypass the unsafe file type filter with specially crafted MIME headers. In the demonstration, the declared Content-Type is a type the filter does not block while the file name carries a blocked extension (.chm), which suggests that the filter consults the MIME type rather than the file name. A demonstration header pair (for use within the attachment boundary) is provided:

Content-Type: application/asx
Content-Disposition: inline; filename="newtitle.chm"

A remote user can also reportedly control how the file name extension and file size are displayed in the recipient's Outlook Express attachment list. The list truncates long names, so a file name that embeds its own fake size string followed by padding causes the size that OE appends to the entry to be pushed out of view, leaving the fake size visible. For example:

"newtitle.chm (45.6 KB) [...]"

In another example, the same truncation masks the real file extension:

"newtitle.asx (45.6 KB) [...].chm"

The recipient would normally see the true extension in the attachment warning displayed when opening or saving the attachment. However, according to the report, that warning can also be fooled by a file name containing spaces. An example file name is provided:

"newtitle.asx .chm"

It is reported that the space and all characters following it are cropped from the name shown in the attachment warning, so the dialog displays only "newtitle.asx" for the file above. The report adds that the client sometimes crops the entire file name, particularly when it is long, so that the target of the open action appears to be the cache folder; the cause of this was not isolated.

A remote user can also cause the attachment to be represented by the default icon instead of a type-specific icon by appending two or more 0x2E characters (".") to the end of the file name. Outlook Express then fails to identify an icon for the file, so the attachment does not appear to be a registered file type.

A sample '.eml' exploit file for these vulnerabilities is available at:

http://www.murphy.101main.net/Oe6_issues.eml
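The header tricks described above can be checked mechanically at a mail gateway or in a triage script. The following Python script is an added example, not the author's Oe6_issues.eml and not SecurityTracker material: it embeds a constructed message carrying the four file name shapes described (a mismatched Content-Type with an inline disposition, a fake size with padding, a space before the real extension, and trailing dots) and runs a check over it that keys every decision on the effective file name rather than the declared MIME type. The unsafe-extension list is an assumed subset of Windows' unsafe-file list, and the rule that Windows drops trailing dots and spaces when creating a file is standard Win32 behaviour rather than something the report states.

```python
import email
import re

# Constructed sample .eml (not the author's Oe6_issues.eml) reproducing the four
# header shapes described above; the part bodies are placeholder text, not CHM data.
SAMPLE_EML = """From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="oe-sample"

--oe-sample
Content-Type: application/asx
Content-Disposition: inline; filename="newtitle.chm"

x
--oe-sample
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="newtitle.asx (45.6 KB)                    [...].chm"

x
--oe-sample
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="newtitle.asx .chm"

x
--oe-sample
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.chm.."

x
--oe-sample--
"""

# Assumed subset of the Windows unsafe-file extension list (a gateway would use its own).
UNSAFE_EXTENSIONS = {"chm", "exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "hta", "lnk"}
# A size string of the form OE appends after the name, e.g. "(45.6 KB)".
FAKE_SIZE_RE = re.compile(r"\(\s*\d+(?:\.\d+)?\s*[KMG]?B\s*\)", re.IGNORECASE)


def effective_name(filename):
    """Name the file gets on disk: Win32 drops trailing dots and spaces on create."""
    return filename.rstrip(". ")


def extension_of(name):
    """Lower-cased extension of the last path component, or '' if it has none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyze_attachment(content_type, disposition, filename):
    """Spoofing indicators for one attachment; every decision keys on the
    effective file name, never on the declared MIME type."""
    issues = []
    real_ext = extension_of(effective_name(filename))
    if real_ext in UNSAFE_EXTENSIONS:            # filter bypass: the extension wins
        issues.append("unsafe-extension:" + real_ext)
        if content_type != "application/octet-stream":
            issues.append("type-masks:" + content_type)
    if disposition == "inline":                  # the bypass example's header shape
        issues.append("inline-with-filename")
    if FAKE_SIZE_RE.search(filename):            # listbox spoof: fake size in the name
        issues.append("fake-size-in-name")
    if "  " in filename:                         # padding pushes the real size off the row
        issues.append("padding")
    if " " in filename:                          # warning dialog clips at the first space
        shown_ext = extension_of(filename.split(" ", 1)[0])
        if shown_ext != real_ext:
            issues.append("warning-shows:" + shown_ext)
    if filename.endswith(".."):                  # icon spoof: trailing dots defeat icon lookup
        issues.append("trailing-dots")
    return issues


def scan_message(raw):
    """Map each attachment's declared filename to the indicators found in its headers."""
    msg = email.message_from_string(raw)
    report = {}
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        disposition = part.get_content_disposition() or "attachment"
        report[filename] = analyze_attachment(part.get_content_type(), disposition, filename)
    return report


if __name__ == "__main__":
    for name, found in scan_message(SAMPLE_EML).items():
        print(repr(name), found)
```

Running the script prints one line per attachment with the indicators found; a benign attachment such as a PDF declared as application/pdf yields an empty list. The important design point is in analyze_attachment: the unsafe-type decision is made on the name the file would actually have on disk, after stripping trailing dots and spaces, and the declared Content-Type is only reported as an inconsistency, never trusted.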


The author of the report indicates that Outlook may also be vulnerable, but this has not been confirmed.

The vendor was reportedly notified on June 28, 2002 (Microsoft case MSRC-1201); no fix had been issued at the time of the report.

Impact:  A remote user can send an e-mail message with a file attachment that may misrepresent the name and size of the attachment, set the attachment icon to the default icon, and bypass the malicious file type filter.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  "Matthew Murphy" <mattmurphy@kc.rr.com>
Message History:   None.


 Source Message Contents

Date:  Fri, 19 Jul 2002 23:48:01 -0500
From:  "Matthew Murphy" <mattmurphy@kc.rr.com>
Subject:  [Full-Disclosure] Outlook Express Attachment Property Spoofing Vulnerabilities

 

[ Outlook *may* be vulnerable; I do not have a supported
version to test for these flaws ]

There are several vulnerabilities in Outlook Express 6.0 (and
some may apply to OE 5.01/5.5, as well) that affect how the
MUA represents attachments.  These vulnerabilities allow a
malicious e-mail to:

1) Spoof the size of an attachment.
2) Misrepresent the extension of an attachment in the "Open
    Attachment Warning" dialog.
3) Set an attachment's icon to the default
4) Bypass the malicious file type filter
5) Also, misrepresent the name of the attachment in the
    "Attachments" listbox.

Filter Bypass (Content-Disposition/Type headers)
--------------------------------------------------

This vulnerability occurs when an e-mail does something similar to
the following in an attachment boundary:

Content-Type: application/asx
Content-Disposition: inline; filename="newtitle.chm"

This simple exploit of these vulnerabilities only allows a malicious
file to slip through the filter -- although more advanced ones will
do more fun things. :-XD

Listbox Name/Size Spoofing (Item truncation)
----------------------------------------------

A default Windows behavior turned into a security vulnerability. :-)
If we give Outlook Express a long name of an attachment, something
like "newtitle.chm (45.6 KB)           [...]", we can cause the size not
to appear in the OE attachments list correctly, and instead force it
to display our incorrect size.

A more advanced exploit of this is "newtitle.asx (45.6 KB)   [...].chm"
This way, the user doesn't see the true extension of the file.  At least,
until the attachment warning.  This can be bypassed, as well, however...

Open Attachment Warning (Messy space handling)
---------------------------------------------------

In the OE "Open Attachment Warning" prompt, strange behavior occurs
when file names contain spaces, such as "newtitle.asx .chm".  Everything
after the space is clipped, as well as the space itself.  This can result in
the above attack being masked to the user in the area that is normally
thought of as the last line of defense -- the attachment warning.

[NOTE: In some cases, the MUA will clip the entire attachment name,
especially if it is rather long.  This will cause the target of the open
action to appear as the cache folder.  I have not isolated the cause of this.]

Default Icon Spoofing (Dot bugs, again)
----------------------------------------

We have the name of the attachment perfectly spoofed, and that's great,
but that CHM icon is still there!  Rest assured, there is also a way around
this. :-)

By appending 2 or more 0x2E characters (".") to the end of a filename,
Outlook Express will fail to identify an icon for the file, making the user
believe it is not any registered file type.

Exploit: http://www.murphy.101main.net/Oe6_issues.eml

Vendor:

Microsoft was notified June 28, and assigned case # MSRC-1201 to the
issue.  Aside from asking for examples, they have not given any further
indication of progress.  I have not heard from MS since July 8, despite
repeated requests that I be informed of progress (therefore, I must assume
none has been made).

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure@lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure


 








Copyright 2002, SecurityGlobal.net LLC