
Outlook Express - Macintosh
4th Dec 2001 [SBWID-4891]
COMMAND

	Outlook Express - Macintosh

SYSTEMS AFFECTED

	 Vulnerable : Outlook Express 5.0, 5.01, 5.02

	 Not vulnerable : Outlook Express 5.03

	

PROBLEM

	Shikap reported the following buffer overflow in Outlook Express for
	Macintosh:
	

	This mail client has a problem with body string handling, and a buffer
	overflow occurs when it handles long strings without a return code.

	When mail is received, if the mail contains a long line, this mail
	client goes down and can't send the order "DELE" to the POP3 server.
	So, once the problem has occurred, until the user or administrator
	deletes this mail, (s)he can't receive mail at all. It's similar to a
	DoS attack.

	On June 26, 2001, I received mail from bugtraq, and my Outlook crashed.
	I checked this problem, and found it. The mail is listed below.
	http://www.securityfocus.com/archive/1/199251

	You may find this mail contains a long line. (just shellcode :-)

	Registers are listed below.
	

	                         CR0  CR1  CR2  CR3  CR4  CR5  CR6  CR7
	  PC  = 395C7838     CR  0010 1010 0000 0000 0000 0000 1000 0010
	  LR  = 395C7839         <>=O XEVO
	  CTR = 0B04F8B0
	  MSR = 00000000         SOC Compare Count
	  Int = 0            XER 000   00     00                     MQ  = 00000000

	  R0  = 395C7839     R8  = 00000000      R16 = 00000000      R24 = 385C7862
	  SP  = 0A148B10     R9  = 00000000      R17 = 0A09CC40      R25 = 665C7864
	  TOC = 09FC71C0     R10 = 00000020      R18 = 00000001      R26 = 395C7839
	  R3  = 00000000     R11 = 00000000      R19 = 00000001      R27 = 395C7833
	  R4  = 09ECCCBD     R12 = 09FBB960      R20 = 0A0A065C      R28 = 345C7863
	  R5  = 09FBCD5C     R13 = 0A148FC4      R21 = 0A148EBC      R29 = 395C7831
	  R6  = 00000045     R14 = 00278D00      R22 = 345C7832      R30 = 345C7832
	  R7  = 09FBCB5C     R15 = 0A148EF0      R23 = 635C7863      R31 = 635C7863

	

	   PC pointed to 0x395C7838 (9\x8).

	   Next, the stack is listed.

	  0A148B10  305C 7862 665C 7864  395C 7839 395C 7833  0\xbf\xd9\x99\x3
	  0A148B20  345C 7863 395C 7836  365C 7830 635C 7839  4\xc9\x66\x0c\x9
	  0A148B30  335C 7862 635C 7864  395C 7839 395C 7866  3\xbc\xd9\x99\xf
	  0A148B40  335C 7839 395C 7831  345C 7832 345C 7866  3\x99\x14\x24\xf
	  0A148B50  635C 7862 665C 7864  395C 7839 395C 7863  c\xbf\xd9\x99\xc
	  0A148B60  655C 7866 335C 7839  395C 7866 335C 7839  e\xf3\x99\xf3\x9
	  0A148B70  395C 7866 335C 7839  395C 7831 345C 7832  9\xf3\x99\x14\x2
	  0A148B80  635C 7837 305C 7862  635C 7864 395C 7839  c\x70\xbc\xd9\x9

	

	You can find these strings in the mail listed above. So I think an evil
	user can rewrite PC easily. But the SMTP protocol allows 7bit-clean
	strings, so it's difficult for an evil user to make exploit code, I
	think. #and Macintosh has no cmd.exe ;-)
	

	

SOLUTION

	Upgrade to 5.03
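
	For mailboxes still read with 5.0 - 5.02, the message that blocks
	retrieval has to be found and deleted on the server. The following is
	an added example, not part of the original advisory: it scans raw
	messages for over-long lines. The advisory does not state the length
	that triggers the crash, so the 998-octet line limit of RFC 5322 is
	used as an assumed threshold; function names and the sample spool are
	constructed for illustration.

```python
from typing import Iterable, List, NamedTuple

MAX_LINE_OCTETS = 998  # RFC 5322 section 2.1.1 limit, excluding CRLF (assumed threshold)


class LongLine(NamedTuple):
    msg_index: int   # position of the message in the spool (1-based, like POP3)
    part: str        # "header" or "body"
    line_no: int     # 1-based line number within the message
    length: int      # octets, excluding the line terminator


def find_long_lines(raw: bytes, msg_index: int = 1,
                    limit: int = MAX_LINE_OCTETS) -> List[LongLine]:
    """Return every line in one raw message that is longer than `limit`."""
    hits = []
    part = "header"
    # Split on LF and strip a trailing CR so CRLF and bare-LF mail both work.
    for line_no, line in enumerate(raw.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if part == "header" and line == b"":
            part = "body"          # first empty line ends the header block
            continue
        if len(line) > limit:
            hits.append(LongLine(msg_index, part, line_no, len(line)))
    return hits


def scan_spool(messages: Iterable[bytes],
               limit: int = MAX_LINE_OCTETS) -> List[LongLine]:
    """Scan messages in POP3 order and collect all over-long lines."""
    hits = []
    for idx, raw in enumerate(messages, start=1):
        hits.extend(find_long_lines(raw, idx, limit))
    return hits


# Constructed sample spool: message 2 carries one unbroken 4000-octet body line.
SAMPLE_SPOOL = [
    b"From: a@example.org\r\nSubject: ok\r\n\r\nshort body\r\n",
    b"From: b@example.org\r\nSubject: long\r\n\r\nintro\r\n" + b"A" * 4000 + b"\r\n",
    b"From: c@example.org\nSubject: bare LF\n\nfine\n",
]

if __name__ == "__main__":
    for hit in scan_spool(SAMPLE_SPOOL):
        print(f"message {hit.msg_index}: {hit.part} line {hit.line_no} "
              f"is {hit.length} octets (limit {MAX_LINE_OCTETS})")
```

	The reported message index matches the order in which the messages
	were passed in, so feeding them in server order identifies which one
	to delete.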
