
6D00B005PU.html

Posted Nov 19, 2002
Authored by Noam Rathaus | Site securiteam.com

Outlook Express versions 5.50 and 6.0 contain a security vulnerability in the handling of S/MIME certificates which allows arbitrary code execution when inspecting an S/MIME signed message.

tags | advisory, arbitrary, code execution
SHA-256 | bc9a16df800c23057348b4928f436978cd5a07b073ace82b10988bb236ad0dc1

<!-- Version = 3.3 -->
<html>
<head>
<title>SecuriTeam.com &#153; (Outlook Remote Code Execution in Preview Pane (S/MIME))</title>
<meta http-equiv="expires" content="01 Jan 1998 01:01:00 GMT">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Language" content="en-us">
<meta name="HandheldFriendly" content="True">
</head>
<STYLE TYPE=TEXT/CSS>
A:HOVER {COLOR: RED}
.links
{
COLOR: BLACK;
TEXT-DECORATION: underline
}
</STYLE>
<body BGCOLOR="white">
<DIV align="center">
<TABLE cellpadding="0" cellspacing="1" border="0">
<TR>
<TD COLSPAN="3" width="1" height="1" bgcolor="black"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt="&nbsp;"></TD>
</TR>
<tr>
<td COLSPAN="3" style="PADDING-LEFT: 4pt">
<font size="2" face="Verdana, Arial, Helvetica, sans-serif" color="#0000ff">
<a href="http://www.beyondsecurity.com/" style="COLOR: #000000; TEXT-DECORATION: none">Beyond-Security's</a> <a href="http://www.securiteam.com/" style="COLOR: #000000; TEXT-DECORATION: none">SecuriTeam.com</a><br>
</font>
</td>
</tr>
<TR>
<TD COLSPAN="3" width="1" height="1" bgcolor="black"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt="&nbsp;"></TD>
</TR>
<TR>
<TD valign="top" width="190">
</TD>
<TD rowspan="2" width="1" height="1" bgcolor="black"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt="&nbsp;"></TD>
<td>
<TABLE border="0" style="MARGIN-LEFT: 4pt">
<tr>
<TD colspan="2" align="middle">

</TD>
</tr>
<TR>
<TD align="left" bgColor="navy">&nbsp;<FONT color="white"><B style="FONT-SIZE: 12pt">Title</B></FONT></TD>
<TD bgColor="navy" align="right" width="10%"><FONT color="white"><B style="FONT-SIZE: 11pt">10/10/2002</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" align="middle" ><B style="FONT-SIZE: 15pt">Outlook Remote Code Execution in Preview Pane (S/MIME)<br>
<br></B></TD>
</TR>
<TR>
<TD colspan="2" align="left" bgColor="navy">&nbsp;<FONT color=white><B style="FONT-SIZE: 12pt">Summary</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" style="FONT-SIZE: 11pt">The S/MIME standard attempts to raise the level of trust in email messages by letting users digitally sign their messages so that the receiver can verify the authenticity of the received message.<br>

However, sometimes an added security feature can open up a dangerous security hole: a security vulnerability in the way Outlook handles S/MIME certificates causes it to execute arbitrary code when inspecting a malformed S/MIME signed message.<br>
<br></TD>
</TR>
<TR>
<TD colspan="2" align="left" bgColor="navy">&nbsp;<FONT color="white"><B style="FONT-SIZE: 12pt">Details</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" style="FONT-SIZE: 11pt"><B>Vulnerable versions:</B><br>
Outlook Express version 5.50<br>
Outlook Express version 6.0<br>
<br>
<B>Immune versions:</B><br>
Outlook Express 5.5 SP2<br>
Outlook Express 6.0 SP1 (included in Windows XP SP1)<br>
Microsoft Outlook<br>
<br>
<br>
S/MIME has been implemented in Outlook Express in accordance with RFC 2311 (<A HREF="http://www.ietf.org/rfc/rfc2311.txt?number=2311">http://www.ietf.org/rfc/rfc2311.txt?number=2311</A>). As the RFC states, an error message should be displayed whenever the "From" field of the message does not match the S/MIME RFC822 Name (in our example it will be noamr@beyondsecurity.com).<br>
<br>
The following error message is displayed whenever this happens (the fake email address has been set to "Fake"):<br>
<br>
<br>
<I>Security Warning <br>
<br>
There are security problems with this message.<br>
Please review the highlighted items listed below: <br>
<br>
(V) Message has not been tampered with <br>
(V) You do trust the signing digital ID <br>
(V) The digital ID has not expired <br>
(X) The digital ID's e-mail address does not match sender's <br>
Signer: noamr@beyondsecurity.com <br>
Sender: Fake<br>
(V) The digital ID has not been revoked or revocation information for this certificate could not be determined. <br>
(V) There are no other problems with the digital ID <br>
</I><br>
<br>
Ironically, this warning message is where the vulnerability lies. An overflow in the code that tries to place the sender's email address in the message allows arbitrary code execution, which is triggered whenever a user views the message. Viewing it in the preview pane is sufficient to trigger the overflow.<br>
<br>
<B>Vendor response:</B><br>
Microsoft has responded promptly and the fix was included in Service Pack 1 for Windows XP released a few weeks ago.<br>
A patch for other systems is available at:<br>
<A HREF="http://www.microsoft.com/windows/ie/downloads/critical/q328676/default.asp">http://www.microsoft.com/windows/ie/downloads/critical/q328676/default.asp</A>.<br>
<br></TD>
</TR>
<TR>
<TD colspan="2" align=left bgColor=navy>&nbsp;<FONT color=white><B style="FONT-SIZE: 12pt">Additional information</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" style="FONT-SIZE: 11pt">The information has been provided by <A HREF="mailto:noamr at beyondsecurity.com">Noam Rathaus</A>.
<br></TD>
</TR>
</TABLE>
</td>
</TR>
<TR>
<TD COLSPAN="3">&nbsp;</TD>
</TR>
<TR>
<TD COLSPAN="3" width="1" height="1" bgcolor="orange"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt="&nbsp;"></TD>
</TR>
<tr>
<td COLSPAN="3">
<div align="center">
<font color="gray" style="FONT-SIZE: 8pt">
Copyright © 1998-2001 <a href="http://www.beyondsecurity.com/info.html" style="COLOR: gray; FONT-SIZE: 7pt">Beyond Security
Ltd.</a> All rights reserved.<br>
</font>
</div>
</td>
</tr>
</TABLE>
</DIV>
</body>
</html>
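
Added example, not part of the SecuriTeam advisory and not Outlook Express code: a sketch of the defect class described under "Details" (a message-controlled sender string formatted into the mismatch warning) next to a bounded version. The buffer size WARN_MAX, the function names and the oversized sender are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WARN_MAX 256 /* assumed size of the buffer behind the warning text */

/* Case-insensitive match of the From address against the certificate's
 * RFC822 name. Returns 1 on match, 0 otherwise. */
int addresses_match(const char *from, const char *cert_name)
{
    if (!from || !cert_name) return 0;
    for (; *from && *cert_name; from++, cert_name++)
        if (tolower((unsigned char)*from) != tolower((unsigned char)*cert_name))
            return 0;
    return *from == *cert_name;
}

/* Unsafe pattern, for contrast only: sender is message-controlled and
 * unbounded, so it can write past a fixed buffer.
 *     char text[WARN_MAX];
 *     sprintf(text, "Signer: %s\nSender: %s\n", signer, sender);
 */

/* Bounded version. Returns 0 if the text fit, 1 if it was truncated
 * (the tail is replaced by "..."), -1 on bad arguments or format error. */
int build_mismatch_warning(char *out, size_t outlen,
                           const char *signer, const char *sender)
{
    if (!out || outlen == 0 || !signer || !sender) return -1;
    int n = snprintf(out, outlen, "Signer: %s\nSender: %s\n", signer, sender);
    if (n < 0) { out[0] = '\0'; return -1; }
    if ((size_t)n < outlen) return 0;
    if (outlen >= 5) memcpy(out + outlen - 5, "...\n", 5); /* includes NUL */
    return 1;
}

int main(void)
{
    char text[WARN_MAX], long_sender[4000]; /* constructed oversized From */
    memset(long_sender, 'A', sizeof long_sender - 1);
    long_sender[sizeof long_sender - 1] = '\0';
    if (!addresses_match(long_sender, "noamr@beyondsecurity.com")) {
        int rc = build_mismatch_warning(text, sizeof text,
                                        "noamr@beyondsecurity.com", long_sender);
        printf("rc=%d len=%zu\n", rc, strlen(text));
    }
    return 0;
}
```

The return value lets the caller tell a truncated sender from a complete one, so the warning can still be shown without the length of the From field deciding how much memory is written.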