OVERVIEW

A small "Denial of Service" kind of bug showed up in Outlook Express, allowing a malicious user to crash it.

This advisory has been slightly updated since it was posted on BugTraq.

AFFECTED VERSIONS

Outlook Express, any version between 5 and 6, with all patches applied, is vulnerable; however, on certain configurations the bug does not lead to a total crash. The behaviour has been reproduced on Windows 98, ME, XP and 2000, with various versions of the software.

OE 6.0 on Windows XP Pro has been reported to crash, but only on certain configurations. Windows 98 with Outlook 98 (8.5.5104.6) also seems to crash; thanks to Marty Richards for pointing that out. Outlook Express version 6.00.2600.0000 on Windows 2000 Pro EN + SP2 has been reported vulnerable (thanks to David Komanek).

We are still trying to figure out exactly why, so if you would like to contribute you could send us a short e-mail with your version of Outlook Express, the Internet Explorer patches you applied, the OS and its patch level, and what behaviour you observed (crash, slowdown or even nothing). If you like, also include a list of other common apps you have installed which could interact with OE. Thanks.

Microsoft acknowledged this bug months ago.

DESCRIPTION OF BEHAVIOUR

I have detected a small bug which can be exploited to crash Outlook Express; versions 5, 5.5 and 6 seem to be equally affected. SP1 and SP2, where available, do not correct this behaviour.

The problem shows up when decoding an HTML e-mail with an <A HREF> link longer than 4095 characters. Outlook Express crashes outright because of a buffer overflow.

This overflow does not seem exploitable, but you are quite welcome to elaborate. Berend-Jan Wever has written that "the bug is in mshtml.dll. This looks like a unicode off-by-one: The code puts a unicode 0 behind the HREF to terminate the string. The buffer for href is limited to 8192 bytes, 4096 unicode chars. This 0 is put behind the last char to terminate, causing a word after the buffer to be overwritten with 0x0000. This word is part of a saved ebp. When ebp is popped off the stack, the least significant two bytes have been overwritten with 0; later on eax is set to "ebp-8" and this causes an exception:

635ddb9f 8908 mov [eax],ecx ([0005fff8]=????????)

The only thing you can accomplish with this is a partial overwrite of ebp; it does not seem exploitable other than as a DoS to me."
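The following is an added illustration written for this page, not code from the advisory or from mshtml.dll. It models the off-by-one described in the quoted analysis: a fixed buffer of 4096 UTF-16 units (8192 bytes) followed by one 16-bit sentinel word standing in for the low word of the saved ebp, a buggy copy that truncates to 4096 units and then writes its terminator one word past the end, and a corrected copy that reserves room for the terminator. The buffer layout, the sentinel value and the function names are assumptions made for the demo; the buffer and the word after it live in one array so the overwrite stays within defined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption, not mshtml.dll's real layout): 4096
 * UTF-16 code units of href buffer, plus one extra word directly after
 * it standing in for the low word of the saved ebp. */
#define HREF_UNITS 4096
#define SENTINEL   0xBEEF

typedef struct {
    uint16_t words[HREF_UNITS + 1];   /* [0..4095] buffer, [4096] word after it */
} href_region;

static void region_init(href_region *r)
{
    memset(r->words, 0, sizeof r->words);
    r->words[HREF_UNITS] = SENTINEL;
}

/* Buggy copy: truncates to HREF_UNITS units and then writes the
 * terminating 0 at words[len]. For any href of 4096 or more units the
 * 0 lands on words[4096], the word after the buffer. */
static void copy_href_buggy(href_region *r, const uint16_t *src, size_t len)
{
    if (len > HREF_UNITS)
        len = HREF_UNITS;              /* off by one: no room left for the 0 */
    memcpy(r->words, src, len * sizeof(uint16_t));
    r->words[len] = 0;                 /* writes words[4096] when len == 4096 */
}

/* Fixed copy: reserves one unit for the terminator, so at most 4095
 * units are stored and the 0 never leaves the buffer. */
static void copy_href_fixed(href_region *r, const uint16_t *src, size_t len)
{
    if (len > HREF_UNITS - 1)
        len = HREF_UNITS - 1;
    memcpy(r->words, src, len * sizeof(uint16_t));
    r->words[len] = 0;
}

/* 1 if the word after the buffer was changed, 0 if it is intact. */
static int sentinel_clobbered(const href_region *r)
{
    return r->words[HREF_UNITS] != SENTINEL;
}

/* Run one copy with an href of the given length and report whether the
 * word after the buffer was overwritten. */
static int trial(void (*copy)(href_region *, const uint16_t *, size_t), size_t len)
{
    static href_region r;
    static uint16_t src[HREF_UNITS];   /* both copies read at most this much */
    size_t n = len < HREF_UNITS ? len : HREF_UNITS;
    for (size_t i = 0; i < n; i++)
        src[i] = 'A';
    region_init(&r);
    copy(&r, src, len);
    return sentinel_clobbered(&r);
}

int main(void)
{
    printf("buggy copy, 4095 units: clobbered=%d\n", trial(copy_href_buggy, 4095));
    printf("buggy copy, 4096 units: clobbered=%d\n", trial(copy_href_buggy, 4096));
    printf("fixed copy, 4096 units: clobbered=%d\n", trial(copy_href_fixed, 4096));
    return 0;
}
```

The boundary matches the advisory: 4095 units leave the sentinel alone, 4096 or more zero it with the buggy copy, and the fixed copy never touches it. In the real frame the zeroed word is the low half of the caller's saved ebp, which is why the fault appears later, at an unrelated instruction, rather than at the copy itself.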

As I said before, some systems seem not to be vulnerable. The reason is a mystery. I can add that a similarly long HREF also has strange, curious effects on Internet Explorer, but not so dramatically evident and reproducible.

"EXPLOIT"

It's not difficult to exploit this vuln. Here you have a simple e-mail (zipped) which should crash the mailer. Please, if you wish to contribute, report the effects on your system.

SOLUTIONS

Microsoft was contacted on 05/02/2002 (I told you this was an old one!), and after a week they concluded the following:

"This is a known issue and scheduled to be fixed in SP1 of IE6 and any other hotfix supported version of IE."

However, no "hotfixes" have been released for this vulnerability in particular, and no IE6 SP1 has been released (that I know of; I do not use IE6); but I have seen an IE6 SP1 "beta" version. If someone has had the courage to install it, could they please report whether this bug is still there?

For everybody else, the only solutions are:

  1. Filter all HTML mail to /dev/null or equivalent on your mail server (been there, done that, and I live happy)
  2. Replace your mailer with something less prone to such misbehaviour (possibly open source, so you can patch it yourself just in case)
  3. Wait and hope for a hotfix and/or SP to be released
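As an added example (not part of the advisory, and not from any mail server project), here is a narrower version of solution 1: instead of dropping all HTML mail, a server-side filter can quarantine only messages whose HTML part contains an href attribute value longer than 4095 bytes, the threshold the advisory reports. It assumes the HTML body has already been extracted from the message; the limit constant, the function names and the sample messages are constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HREF_LIMIT 4095   /* longest href the advisory reports as harmless */

/* Case-insensitive test for the four letters "href" at p. */
static int is_href_at(const char *p)
{
    return tolower((unsigned char)p[0]) == 'h' && tolower((unsigned char)p[1]) == 'r' &&
           tolower((unsigned char)p[2]) == 'e' && tolower((unsigned char)p[3]) == 'f';
}

/* Byte length of the longest href attribute value in an HTML body, 0 if
 * there is none. Handles double-quoted, single-quoted and unquoted
 * values; an unterminated quoted value runs to the end of the input. */
static size_t longest_href(const char *html)
{
    size_t longest = 0;
    for (const char *p = html; *p; p++) {
        /* the attribute name must follow whitespace, as in "<a href=" */
        if (!is_href_at(p) || p == html || !isspace((unsigned char)p[-1]))
            continue;
        const char *q = p + 4;
        while (isspace((unsigned char)*q)) q++;
        if (*q != '=') continue;
        q++;
        while (isspace((unsigned char)*q)) q++;
        const char *start, *end;
        if (*q == '"' || *q == '\'') {
            start = q + 1;
            end = strchr(start, *q);
            if (end == NULL) end = start + strlen(start);
        } else {
            start = end = q;
            while (*end && !isspace((unsigned char)*end) && *end != '>') end++;
        }
        if ((size_t)(end - start) > longest) longest = (size_t)(end - start);
        if (*end == '\0') break;      /* value ran to the end of the input */
        p = end;                      /* the loop increment steps past it */
    }
    return longest;
}

/* Filter decision: 1 when the message should be quarantined because it
 * carries an href longer than HREF_LIMIT, 0 otherwise. */
static int html_mail_is_risky(const char *html)
{
    return longest_href(html) > HREF_LIMIT;
}

/* Constructed samples: an ordinary message, and one whose single href
 * value is 5023 bytes long. */
static const char sample_benign[] =
    "<html><body>Hello, <a href=\"http://example.invalid/page\">link</a></body></html>";

static char sample_long[6000];

static const char *build_long_sample(void)
{
    const char head[] = "<html><body><A HREF=\"http://example.invalid/";
    const char tail[] = "\">x</A></body></html>";
    size_t n = sizeof head - 1;
    memcpy(sample_long, head, n);
    memset(sample_long + n, 'A', 5000);
    n += 5000;
    memcpy(sample_long + n, tail, sizeof tail);   /* copies the NUL too */
    return sample_long;
}

int main(void)
{
    const char *m = build_long_sample();
    printf("benign: longest href %zu, risky=%d\n",
           longest_href(sample_benign), html_mail_is_risky(sample_benign));
    printf("long:   longest href %zu, risky=%d\n",
           longest_href(m), html_mail_is_risky(m));
    return 0;
}
```

The scanner is deliberately simple (no MIME decoding, no handling of hrefs split by entities or comments), so it suits a first pass in front of a mailer that cannot be patched; anything it lets through still meets the full-HTML policy of solution 1 if you keep that in place.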

CONCLUSIONS

This small bug does not pose any real security risk (unless there's some other way to exploit it which neither I nor Microsoft could think of ;-). However, IMHO, it's pretty strange that a small patch for this kind of bug could not be produced independently. Perhaps the randomness with which the bug seems to show up has something to do with this?