SecurityTracker.com
Category:  Application (E-mail Client)  >  Outlook Express
Vendors:  Microsoft
Re: Microsoft Outlook Express Crashes When Reading Certain E-mail Messages
Date:  Mar 23 2001 15:54 (UTC/GMT)
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): 4.72
Description:  It is reported that Microsoft Outlook Express will crash when reading an e-mail message if there are too many characters in the "Newsgroups:" field of the message header.

A user reports that a similar buffer overflow exists in the handling of the e-mail "Subject:" header field in Outlook Express. A "Subject:" field containing more than 256 characters will cause a buffer overflow.

Impact:  An attacker could send e-mail to a recipient that causes the recipient's Outlook Express e-mail client to crash.
Solution:  No solution was available at the time of this entry.
Internet Explorer does not check for certificate revocations automatically, so even though these bogus certificates have been revoked, the IE browser will not be aware of their revoked status.

Vendor URL:  http://www.microsoft.com/technet/security/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Paul Schmehl <pauls@UTDALLAS.EDU>
Message History:   This archive entry is a follow-up to the message listed below.
Mar 23 2001 Microsoft Outlook Express Crashes When Reading Certain E-mail Messages



 Message Contents

Date:  Wed, 21 Mar 2001 19:35:14 -0600
From:  Paul Schmehl <pauls@UTDALLAS.EDU>
Subject:  Re: Local Bufferoverflow in OutlookExpress

 

A similar buffer overflow exists in the email Subject header field of
OE.  Our tech, Su Wadlow, discovered this after reading the report in
vuln-dev, and we are now testing to document its behavior in various
versions of OE.  AFAWCT it does not affect Outlook, although we're not
done testing.

Basically, a Subject containing more than 256 characters will overflow the
buffer and result in various behaviors depending upon the version of OE
you are running.  In earlier versions, it crashes the client and *may* be
exploitable.  In later versions, it overflows the buffer and OE
(oddly) makes the entire message body an attachment.

On Tue, 20 Feb 2001, Steve wrote:

> This was forwarded from Vuln-Dev.  Looks like a pretty low risk to me
> but........
 
> -=-=-=-=-=-=-
> Steve Manzuik
> Moderator - Win2KSecAdvice
> http://www.windowsitsecurity.com
> -=-=-=-=-=-=-
 
 
> ------------------------------------------------------------
 
> Made in Holland
> PCP/A #0005 (pr0ph)
 
 
> Local Bufferoverflow in OutlookExpress
 
> Proved Vulnerable: OutlookExpress 4.72
> Posted To: Bugtraq/Vuln-Dev mailinglists & Packetstorm
 
 
 
> A buffer will overflow if your "Newsgroups:" field contains more than 700
> chars. OE will close down with the following "Dr. Watson for Windows NT"
> message:
 
> "An application error has occured
 
> and an application error log is being generated
 
> msmn.exe
> Exception access violation (0xc00000005), Address: 0x77f64d28"
 
> This will also create a USER.DMP file in your WINNT directory. This file can
> be used to extract passwords from, see my previous message to Bugtraq called
> "NT stores passwords in plaintext (sp00ky)"
 
 
> Another fine Planet Cazzz Production/Advisory, in association with The
> Nations Top. We cannot be held responsible for your actions, but you can
> try. Made in Holland. PCP/A #0005 (pr0ph)
 
 
> We want to say hell0 to all the Crackers, the Hackers and the Phreax. We
> want to say hell0 to all the people in this place. We want to say hell0 to
> all the Sinners and 31337. We say hell0 to all the people in the world...
 
 
 
> -No Strezzz Cazzz, Powered By UN0X
 
> Vengeance is here, it's time to resurrect. Anger without phear....The
> Bulld0zer Project !
 
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
 

Paul Schmehl (pauls@utdallas.edu)
Technical Support Services Manager
University of Texas at Dallas
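
A defensive check for the condition reported above, as an added example that is not part of the original advisory or message: it measures the unfolded length of the "Subject:" and "Newsgroups:" headers of a raw message against the 256- and 700-character figures given on this page. The function names, the constructed sample message and the idea of running this in front of the mail client (for example at a gateway) are assumptions.

```python
import re

# Lengths reported on this page: Subject > 256 chars, Newsgroups > 700 chars.
LIMITS = {"subject": 256, "newsgroups": 700}


def unfolded_headers(raw: bytes):
    """Yield (lowercased name, value) per header, joining folded continuation lines."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]  # headers end at first blank line
    current = None
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t") and current is not None:
            # Continuation line: folding must not hide the real field length.
            current[1] += b" " + line.strip()
            continue
        if current is not None:
            yield current[0], current[1]
        name, sep, value = line.partition(b":")
        current = [name.strip().lower().decode("ascii", "replace"), value.strip()] if sep else None
    if current is not None:
        yield current[0], current[1]


def oversized_headers(raw: bytes, limits=LIMITS):
    """Return [(header, length)] for each monitored header longer than its limit."""
    return [(name, len(value)) for name, value in unfolded_headers(raw)
            if name in limits and len(value) > limits[name]]


def sample_message(subject: bytes, newsgroups: bytes = b"comp.test") -> bytes:
    """Constructed test message (not taken from the advisory)."""
    return (b"From: sender@example.org\r\nNewsgroups: " + newsgroups +
            b"\r\nSubject: " + subject + b"\r\n\r\nSubject: body text, ignored\r\n")


if __name__ == "__main__":
    folded = b"\r\n ".join([b"x" * 70] * 4)  # 283 chars once unfolded
    for label, msg in [("at limit", sample_message(b"x" * 256)),
                       ("long subject", sample_message(b"x" * 257)),
                       ("folded subject", sample_message(folded)),
                       ("long newsgroups", sample_message(b"ok", b"a" * 701))]:
        print(label, oversized_headers(msg))
```

A message with any hit can be quarantined or have the header truncated before delivery to an affected client.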


 



Copyright 2001, SecurityGlobal.net LLC