[Fwd: [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability]

Julian Field mailscanner at ecs.soton.ac.uk
Wed Jan 11 05:00:47 GMT 2006


That one got me very worried. I checked to see that blocking tnef  
master-files worked, and it appeared not to. So loads of debugging  
later, I finally find I had commented out the filename.rules.conf and  
filetype.rules.conf settings in MailScanner.conf.
Grrrr.... but also Phew!
:-(   :-)

Blocking these in filename.rules.conf and filetype.rules.conf works  
just fine.
If you block them in filetype.rules.conf you need to block 2  
different strings to be sure to always block them on Linux systems,  
as some of these have 2 entries for the same filetype in /usr/share/ 
magic:
TNEF
Transport Neutral Encapsulation Format

Also, now you see why I insist on tabs separating the 4 fields and  
not just spaces :-)

I would advise blocking them in filename.rules.conf and  
filetype.rules.conf to be safe.

On 10 Jan 2006, at 21:58, Carl Andrews wrote:

> Anyone blocking these?
>
> My /etc/mime-magic does not have the ms/tnef and I can not find a
> winmail.dat file. Can anyone tell me what I need to add to mime- 
> magic so
> I can put these in my filetype.rules ?
>
>
> Thanks!
> Carl
> -------- Forwarded Message --------
> From: Secunia Security Advisories <sec-adv at secunia.com>
> To: carl.andrews at crackerbarrel.com
> Subject: [SA18368] Microsoft Outlook / Exchange TNEF Decoding  
> Arbitrary
> Code Execution Vulnerability
> Date: 10 Jan 2006 21:02:44 -0000
>
> TITLE:
> Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution
> Vulnerability
>
> SECUNIA ADVISORY ID:
> SA18368
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/18368/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> System access
>
> WHERE:
>> From remote
>
> SOFTWARE:
> Microsoft Exchange 2000 Enterprise Server
> http://secunia.com/product/42/
> Microsoft Exchange 5
> http://secunia.com/product/177/
> Microsoft Exchange 5.5
> http://secunia.com/product/148/
> Microsoft Exchange Server 2000
> http://secunia.com/product/41/
> Microsoft Outlook 2000
> http://secunia.com/product/33/
> Microsoft Outlook 2002
> http://secunia.com/product/34/
> Microsoft Outlook 2003
> http://secunia.com/product/3292/
>
> DESCRIPTION:
> A vulnerability has been reported in Microsoft Outlook / Exchange,
> which can be exploited by malicious people to compromise a vulnerable
> system.
>
> The vulnerability is caused due to boundary error when decoding the
> Transport Neutral Encapsulation Format (TNEF) MIME attachment. This
> can be exploited to execute arbitrary code when the user opens or
> previews a specially crafted TNEF email message or when the Microsoft
> Exchange Server Information Store processes the message.
>
> SOLUTION:
> Apply patches.
>
> -- Microsoft Office 2000 Service Pack 3 --
>
> Microsoft Outlook 2000:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=64D0336D- 
> F962-4AB1-A724-9F6BA2108CB9
>
> Microsoft Office 2000 MultiLanguage Packs:
> http://www.microsoft.com/downloads/details.aspx? 
> FamilyId=2C0FA7C7-91AA-49B4-9731-9E83E3E0823D
>
> Microsoft Outlook 2000 English MultiLanguage Packs:
> http://www.microsoft.com/downloads/details.aspx? 
> FamilyId=2C0FA7C7-91AA-49B4-9731-9E83E3E0823D
>
> -- Microsoft Office XP Service Pack 3 --
>
> Microsoft Outlook 2002:
> http://www.microsoft.com/downloads/details.aspx? 
> FamilyId=9A85CEBB-0D9A-465D-A4BC-AF501562772D
>
> Microsoft Office XP Multilingual User Interface Packs:
> http://www.microsoft.com/downloads/details.aspx? 
> FamilyId=CCA9399A-6DA3-4163-8398-C58DC328182B
>
> -- Microsoft Office 2003 Service Pack 1 and Service Pack 2 --
>
> Microsoft Outlook 2003:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=1D156043- 
> B041-4305-8442-3C4E3B832788
>
> Microsoft Office 2003 Multilingual User Interface Packs:
> http://www.microsoft.com/downloads/details.aspx? 
> FamilyId=D69554AD-196F-4789-91E5-B2A753EED854
>
> Microsoft Office 2003 Language Interface Packs:
> http://www.microsoft.com/downloads/details.aspx? 
> FamilyID=db080de8-8193-4c32-9019-9980ecd6874a
>
> -- Microsoft Exchange Server --
>
> Microsoft Exchange Server 5.0 Service Pack 2:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0A8DF1C3- 
> ABF9-4A21-9B49-81FA362B251F
>
> Microsoft Exchange Server 5.5 Service Pack 4:
> http://www.microsoft.com/downloads/details.aspx? 
> FamilyId=EC6BD30E-12DE-4CA1-9432-D2E73AF62427
>
> Microsoft Exchange 2000 Server Pack 3 (with the Exchange 2000
> Post-Service Pack 3 Update Rollup of August 2004):
> http://www.microsoft.com/downloads/details.aspx?FamilyId=372FF07F- 
> C3CA-4301-8559-9B90344EDC02
>
> Note: Microsoft Exchange Server 2003 SP1/SP2 are not affected.
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits John Heasman and Mark Litchfield of NGS Software.
>
> ORIGINAL ADVISORY:
> MS06-003 (KB902412):
> http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx
>
> ----------------------------------------------------------------------
>
> About:
> This Advisory was delivered by Secunia as a free service to help
> everybody keeping their systems up to date against the latest
> vulnerabilities.
>
> Subscribe:
> http://secunia.com/secunia_security_advisories/
>
> Definitions: (Criticality, Where etc.)
> http://secunia.com/about_secunia_advisories/
>
>
> Please Note:
> Secunia recommends that you verify all advisories you receive by
> clicking the link.
> Secunia NEVER sends attached files with advisories.
> Secunia does not advise people to install third party patches, only
> use those supplied by the vendor.
>
> ----------------------------------------------------------------------
>
> Unsubscribe: Secunia Security Advisories
> http://secunia.com/sec_adv_unsubscribe/?email=carl.andrews% 
> 40crackerbarrel.com
>
> ----------------------------------------------------------------------
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!



More information about the MailScanner mailing list