Vulnerabilities > CVE-2005-1213 - Buffer Overflow vulnerability in Microsoft Outlook Express NNTP Response Parsing

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.

Vulnerable Configurations

Part Description Count
Application
Microsoft
3

Exploit-Db

  • descriptionMS Outlook Express NNTP Buffer Overflow Exploit (MS05-030). CVE-2005-1213. Remote exploit for windows platform
    idEDB-ID:1066
    last seen2016-01-31
    modified2005-06-24
    published2005-06-24
    reportereyas
    sourcehttps://www.exploit-db.com/download/1066/
    titleMicrosoft Outlook Express NNTP Buffer Overflow Exploit MS05-030
  • descriptionMicrosoft Outlook Express NNTP Response Parsing Buffer Overflow. CVE-2005-1213. Remote exploit for windows platform
    idEDB-ID:16379
    last seen2016-02-01
    modified2010-05-09
    published2010-05-09
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16379/
    titleMicrosoft Outlook Express NNTP Response Parsing Buffer Overflow

Metasploit

descriptionThis module exploits a stack buffer overflow in the news reader of Microsoft Outlook Express.
idMSF:EXPLOIT/WINDOWS/NNTP/MS05_030_NNTP
last seen2019-12-16
modified2017-07-24
published2006-12-15
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1213
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/nntp/ms05_030_nntp.rb
titleMS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS05-030.NASL
descriptionThe remote host is running a version of Microsoft Outlook Express that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to lure a user to connect to a rogue NNTP (news) server sending malformed replies to several queries.
last seen2020-06-01
modified2020-06-02
plugin id18489
published2005-06-14
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18489
titleMS05-030: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 # Plugin registration. When Nessus loads the plugin with `description` set,
 # this block only declares identifiers, cross-references and metadata for the
 # UI and then exits (see the exit(0) at the end); the actual check is below.
 script_id(18489);
 script_version("1.40");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references: CVE, BID, the Microsoft bulletin/KB, CERT note and the
 # two public Exploit-DB entries for this issue.
 script_cve_id("CVE-2005-1213");
 script_bugtraq_id(13951);
 script_xref(name:"MSFT", value:"MS05-030");
 script_xref(name:"CERT", value:"130614");
 script_xref(name:"EDB-ID", value:"1066");
 script_xref(name:"EDB-ID", value:"16379");
 script_xref(name:"MSKB", value:"897715");

 script_name(english:"MS05-030: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715)");
 script_summary(english:"Determines the version of MSOE.dll");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the email
client.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Outlook Express that
could allow an attacker to execute arbitrary code on the remote host.

To exploit this flaw, an attacker would need to lure a user to connect
to a rogue NNTP (news) server sending malformed replies to several
queries.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-030");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Outlook Express.");
 # Tenable's own CVSSv2 rating (AC:H, full impact); note that it differs from
 # the AV:N/AC:L partial-impact vector behind the 7.5 score shown elsewhere.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 # Public exploit code exists (Exploit-DB and a Metasploit module).
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 # Disclosure, patch and plugin dates all coincide with the bulletin release.
script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/06/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/14");

 # "local" plugin type: the check reads a file version over SMB rather than
 # probing a network service.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Needs the hotfix enumeration done by the dependencies (or a patch-management
 # integration) and an SMB session on 139/445.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");


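# Stop unless an earlier plugin established that SMB-based bulletin checks are
# possible on this host (credentials and hotfix enumeration available).
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-030';
kb = '897715';

# With a patch-management integration present, delegate the bulletin check to
# hotfix_check_3rd_party(); otherwise fall through to the file-version check.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:make_list(kb), severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Locate msoe.dll under Program Files and split its path into the administrative
# share (drive letter + "$", e.g. "C$") and the share-relative path that the
# SMB file calls expect. The patterns are double-quoted on purpose: NASL keeps
# the backslashes literal there, so "\1" reaches ereg_replace() unchanged.
rootfile = hotfix_get_programfilesdir();
if ( ! rootfile ) exit(1, "Failed to get the Program Files directory.");

share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
dll   = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Outlook Express\msoe.dll", string:rootfile);

# Open the SMB session with the credentials stored in the KB and map the share.
# (The transport port from kb_smb_transport() was previously read into an
# unused variable; it is not needed here.)
if ( ! smb_session_init() ) audit(AUDIT_FN_FAIL, "smb_session_init");

if ( NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:share) != 1 )
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}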


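# Read the file version of msoe.dll over the mapped share and compare it with
# the fixed builds delivered by KB897715 (one fixed build per Outlook Express
# line). Reports the bulletin as missing when the installed build is older.
handle = CreateFile(file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( ! isnull(handle) )
{
 v = GetFileVersion(handle:handle);
 CloseFile(handle:handle);

 # Without a version there is nothing to compare. Bail out explicitly instead
 # of storing a bogus "..." version and falling through to the "patched" KB
 # entry at the end of this block (a silent false negative).
 if ( isnull(v) )
 {
  NetUseDel();
  audit(AUDIT_VER_FAIL, dll);
 }

 set_kb_item(name:"SMB/OutlookExpress/MSOE.dll/Version", value:string(v[0], ".", v[1], ".", v[2], ".", v[3]));

 # Service-pack levels that already ship the fix (XP SP2, 2003 SP1; no Windows
 # 2000 SP qualifies): nothing to report on those hosts.
 if ( hotfix_check_sp(xp:2, win2k:5, win2003:1) <= 0 )
 {
  NetUseDel();
  exit(0);
 }

 # `fix` becomes the lowest fixed build for the installed Outlook Express line
 # when the installed build is older; it stays NULL when the build is already
 # at or above the fix, or when the major/minor version is not one this
 # bulletin covers.
 fix = NULL;
 if ( v[0] == 5 )
 {
  # Outlook Express 5.5 (Windows 2000)
  if ( v[1] < 50 ||
       (v[1] == 50 && v[2] < 4952) ||
       (v[1] == 50 && v[2] == 4952 && v[3] < 2800) ) fix = '5.50.4952.2800';
 }
 else if ( v[0] == 6 && v[1] == 0 )
 {
  # Outlook Express 6 / 6 SP1 (6.0.2800 line)
  if ( v[2] < 2800 ||
       (v[2] == 2800 && v[3] < 1506) ) fix = '6.0.2800.1506';
  # Outlook Express 6 shipped with Windows Server 2003 (6.0.3790 line)
  else if ( (v[2] > 2800 && v[2] < 3790) ||
            (v[2] == 3790 && v[3] < 326) ) fix = '6.0.3790.326';
 }

 if ( ! isnull(fix) )
 {
  # Report path, installed version and the expected fixed build; the share
  # name minus its trailing "$" gives the drive letter back.
  hotfix_add_report('\nPath : '+share-'$'+':'+dll+
                    '\nVersion : '+join(v, sep:'.')+
                    '\nShould be : '+fix+'\n', bulletin:bulletin, kb:kb);
  set_kb_item(name:"SMB/Missing/MS05-030", value:TRUE);
  hotfix_security_hole();
 }
 # Installed build is at or above the fix (or is an uncovered line): record the
 # KB as present so other checks can rely on it.
 else set_kb_item(name:"SMB/897715", value:TRUE);
}
# If msoe.dll could not be opened, nothing is recorded: Outlook Express is
# presumably not installed at the expected path.

NetUseDel();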

Oval

  • accepted2005-10-12T05:49:00.000-04:00
    classvulnerability
    contributors
    nameIngrid Skoog
    organizationThe MITRE Corporation
    descriptionStack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.
    familywindows
    idoval:org.mitre.oval:def:1088
    statusaccepted
    submitted2005-08-16T04:00:00.000-04:00
    titleMicrosoft Outlook Express 5.5,SP2 News Reading Vulnerability
    version64
  • accepted2005-10-12T05:49:00.000-04:00
    classvulnerability
    contributors
    nameIngrid Skoog
    organizationThe MITRE Corporation
    descriptionStack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.
    familywindows
    idoval:org.mitre.oval:def:167
    statusaccepted
    submitted2005-08-16T04:00:00.000-04:00
    titleMicrosoft Outlook Express 6,2003 News Reading Vulnerability
    version64
  • accepted2015-08-10T04:01:12.929-04:00
    classvulnerability
    contributors
    • nameIngrid Skoog
      organizationThe MITRE Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    commentMicrosoft Outlook Express 6 SP1 is installed.
    ovaloval:org.mitre.oval:def:488
    descriptionStack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.
    familywindows
    idoval:org.mitre.oval:def:989
    statusaccepted
    submitted2005-08-16T04:00:00.000-04:00
    titleMicrosoft Outlook Express 6,SP1 News Reading Vulnerability
    version66

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/83025/ms05_030_nntp.rb.txt
idPACKETSTORM:83025
last seen2016-12-05
published2009-11-26
reporterMC
sourcehttps://packetstormsecurity.com/files/83025/Microsoft-Outlook-Express-NNTP-Response-Parsing-Buffer-Overflow.html
titleMicrosoft Outlook Express NNTP Response Parsing Buffer Overflow

Saint

bid13951
descriptionOutlook Express NNTP LIST buffer overflow
idmail_client_msoenntp
osvdb17306
titleoutlook_express_nntp
typeclient

Seebug

bulletinFamilyexploit
description<p><strong>漏洞描述:</strong></p><p>Microsoft Outlook Express是Microsoft Windows操作系统捆绑的邮件和新闻组客户端。</p><p>Microsoft Outlook Express的新闻阅读功能中存在远程缓冲区溢出漏洞,可能允许攻击者以当前用户的权限执行任意代码。 具体的说,在发布LIST命令后解析NNTP服务器响应时会触发这个漏洞。位于C:\Program Files\Outlook Express\MSOE.DLL的MSOE.dll中的一个例程中存在栈溢出。以下地址和偏移基于Microsoft Windows 2000 SP4捆绑的MSOE.DLL 5.50.4927.1200版本。在解析以下形式的服务器响应时:alt.12hr 0&lt;LONG STRING&gt;000001325 0000001322 y FIELD1 FIELD2 FIELD3 FIELD4 TERMINATOR用到了各种字符串解析循环调用CharNext()和IsSpace()例程来判断空白字符所确定字段的长度,由StrCpy()将FIELD2拷贝到静态的16字节栈缓冲区:</p><p>SUB_6AED247A() ... </p><p>6AED268B mov eax, ebx ; eax = start of FIELD2 </p><p>6AED268D lea edi, [ebp+buff] ; edi = stack variable </p><p>6AED2690 sub eax, esi ; esi = end of FIELD2 </p><p>6AED2692 mov ecx, eax ; ecx = length of FIELD2 </p><p>6AED2694 mov edx, ecx ; edx = length of FIELD2 </p><p>6AED2696 shr ecx, 2 </p><p>6AED2699 rep movsd ; *** overflow occurs here </p><p>6AED269B mov ecx, edx </p><p>6AED269D and ecx, 3 </p><p>6AED26A0 rep movsb ; copy remaining bytes </p><p>6AED26A2 and byte ptr [ebp+eax+buff], 0 ; null terminate the string</p><p>然后将拷贝的缓冲区传送给例程StrToIntA()。位于0x6AED2699的rep movsd指令可以导致栈溢出。攻击者可以覆盖栈存储的SEH来改变执行流,最终导致执行任意代码。</p><p><strong>漏洞影响:</strong></p><p>受影响的软件:</p><p>&nbsp;•Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4</p><p>•Microsoft Windows XP Service Pack 1</p><p>•Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium):</p><p>•Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)</p><p>•Microsoft Windows Server 2003(用于基于 Itanium 的系统)</p><p>•Microsoft Windows Server 2003•Microsoft Windows 98、Microsoft Windows 98 Second Edition (SE)、Microsoft Windows Millennium Edition (ME) </p><p>受影响的组件:</p><p>&nbsp;•在 Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4 上的 Outlook Express 5.5 Service Pack 2</p><p>•在 Microsoft Windows 2000 Service Pack 3、Microsoft Windows 2000 Service Pack 4 或 Microsoft Windows XP Service Pack 1 上的 Outlook Express 6 Service Pack 
1</p><p>•用于 Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) 的 Outlook Express 6 Service Pack 1</p><p>•用于 Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) 的 Outlook Express 6 </p><p>•用于 Microsoft Windows Server 2003(用于基于 Itanium 的系统)的 Outlook Express 6 </p><p>•用于 Microsoft Windows Server 2003 的 Outlook Express 6 </p><p>不受影响的软件:</p><p>&nbsp;•Microsoft Windows Server 2003 Service Pack 1</p><p>•Microsoft Windows Server 2003 with SP1(用于基于 Itanium 的系统)</p><p>•Microsoft Windows Server 2003 x64 Edition</p><p>•Microsoft Windows XP Professional x64 Edition</p><p>•Microsoft Windows XP Service Pack 2</p><p>&nbsp;</p><p><strong>CVE-ID:</strong>CVE-2005-1213 </p><p>&nbsp;</p><p><strong>CNNVD-ID:</strong>CNNVD-200506-126</p><p>&nbsp;</p><p><strong>CNVD-ID:</strong>CNVD-2005-2133 </p><p>&nbsp;</p><p><strong>解决方案:</strong></p><p>Microsoft</p><p>&nbsp;---------</p><p>&nbsp;Microsoft已经为此发布了一个安全公告(MS05-030)以及相应补丁:MS05-030:Cumulative Security Update in Outlook Express (897715)链接:<a href="http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx" rel="nofollow">http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx</a></p>
idSSV:13664
last seen2017-11-19
modified2005-06-24
published2005-06-24
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-13664
titleMS Outlook Express NNTP Buffer Overflow Exploit (MS05-030)