COMMAND

    Outlook Express - Macintosh

SYSTEMS AFFECTED

    Vulnerable     : Outlook Express 5.0, 5.01, 5.02
    Not vulnerable : Outlook Express 5.03

PROBLEM

    Shikap reported the following buffer overflow in Outlook Express for Macintosh:

    This mail client has a problem with body string handling, and a buffer
    overflow occurs when it handles long strings without a return code.
    When mail is received, if the mail contains a long line, this mail client
    goes down and can't send the "DELE" order to the POP3 server. So, once the
    problem has occurred, until the user or administrator deletes this mail,
    (s)he can't receive mail anyway. It's similar to a DoS attack.

    On June 26, 2001, I received mail from Bugtraq, and my Outlook crashed.
    I checked this problem, and found it. The mail is listed below.

        http://www.securityfocus.com/archive/1/199251

    You may find that this mail contains a long line (just shellcode :-).
    The registers are listed below.

                            CR0  CR1  CR2  CR3  CR4  CR5  CR6  CR7
        PC  = 395C7838   CR 0010 1010 0000 0000 0000 0000 1000 0010
        LR  = 395C7839      <>=O XEVO
        CTR = 0B04F8B0
        MSR = 00000000      SOC Compare Count
        Int = 0         XER 000   00     00        MQ = 00000000

        R0  = 395C7839   R8  = 00000000   R16 = 00000000   R24 = 385C7862
        SP  = 0A148B10   R9  = 00000000   R17 = 0A09CC40   R25 = 665C7864
        TOC = 09FC71C0   R10 = 00000020   R18 = 00000001   R26 = 395C7839
        R3  = 00000000   R11 = 00000000   R19 = 00000001   R27 = 395C7833
        R4  = 09ECCCBD   R12 = 09FBB960   R20 = 0A0A065C   R28 = 345C7863
        R85 = 09FBCD5C   R13 = 0A148FC4   R21 = 0A148EBC   R29 = 395C7831
        R6  = 00000045   R14 = 00278D00   R22 = 345C7832   R30 = 345C7832
        R7  = 09FBCB5C   R15 = 0A148EF0   R23 = 635C7863   R31 = 635C7863

    PC pointed to 0x395C7838 (9\x8). Next, the stack is listed.

        0A148B10  305C 7862 665C 7864 395C 7839 395C 7833  0\xbf\xd9\x99\x3
        0A148B20  345C 7863 395C 7836 365C 7830 635C 7839  4\xc9\x66\x0c\x9
        0A148B30  335C 7862 635C 7864 395C 7839 395C 7866  3\xbc\xd9\x99\xf
        0A148B40  335C 7839 395C 7831 345C 7832 345C 7866  3\x99\x14\x24\xf
        0A148B50  635C 7862 665C 7864 395C 7839 395C 7863  c\xbf\xd9\x99\xc
        0A148B60  655C 7866 335C 7839 395C 7866 335C 7839  e\xf3\x99\xf3\x9
        0A148B70  395C 7866 335C 7839 395C 7831 345C 7832  9\xf3\x99\x14\x2
        0A148B80  635C 7837 305C 7862 635C 7864 395C 7839  c\x70\xbc\xd9\x9

    You can find these strings in the mail listed above. So I think an evil
    user can rewrite PC easily. But the SMTP protocol allows 7bit-clean
    strings, so it's difficult for an evil user to make exploit code, I think.
    #and Macintosh has no cmd.exe ;-)

SOLUTION

    Upgrade to 5.03
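
The failure described above is a long body line copied without regard to the size of the buffer receiving it. As an added illustration (not Outlook Express code and not part of the original advisory), the following C code walks a message body through a fixed-size line buffer using a bounded copy and reports lines that did not fit. The names `scan_body`, `copy_line` and `scan_sample`, and the use of the RFC 2822 998-octet line limit as the buffer size, are choices of this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LINE 998              /* RFC 2822 limit per line, excluding CRLF (assumed buffer size) */
struct scan_result {
    size_t lines;                 /* lines seen in the body */
    size_t truncated;             /* lines that did not fit in the line buffer */
    size_t longest;               /* longest line in octets, excluding CRLF */
};

/* Bounded copy: never writes more than dst_size bytes, always NUL-terminates,
 * and returns 1 when the source line had to be cut short. */
static int copy_line(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len > n;
}

/* Walk a message body line by line through a fixed-size buffer. */
struct scan_result scan_body(const char *body, size_t len)
{
    struct scan_result r = {0, 0, 0};
    char line[MAX_LINE + 1];
    size_t pos = 0;
    while (pos < len) {
        const char *start = body + pos;
        const char *nl = memchr(start, '\n', len - pos);
        size_t raw = nl ? (size_t)(nl - start) : len - pos;   /* up to LF or end of data */
        size_t text = (raw > 0 && start[raw - 1] == '\r') ? raw - 1 : raw;
        r.lines++;
        r.truncated += (size_t)copy_line(line, sizeof line, start, text);
        if (text > r.longest)
            r.longest = text;
        pos += raw + (nl ? 1 : 0);
    }
    return r;
}

/* Constructed sample: one 4000-octet line with no line break between two short lines. */
struct scan_result scan_sample(void)
{
    static char msg[4014];
    memcpy(msg, "hello\r\n", 7);
    memset(msg + 7, 'A', 4000);
    memcpy(msg + 4007, "\r\nbye\r\n", 7);
    return scan_body(msg, sizeof msg);
}
```

A mail gateway or client can use the `truncated` count to quarantine or flag such a message instead of passing the over-long line to code that assumes a fixed line length.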