CVE-2005-1213 - Buffer Overflow vulnerability in Microsoft Outlook Express NNTP Response Parsing
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Exploit-Db
description | MS Outlook Express NNTP Buffer Overflow Exploit (MS05-030). CVE-2005-1213. Remote exploit for windows platform |
id | EDB-ID:1066 |
last seen | 2016-01-31 |
modified | 2005-06-24 |
published | 2005-06-24 |
reporter | eyas |
source | https://www.exploit-db.com/download/1066/ |
title | Microsoft Outlook Express NNTP Buffer Overflow Exploit MS05-030 |

description | Microsoft Outlook Express NNTP Response Parsing Buffer Overflow. CVE-2005-1213. Remote exploit for windows platform |
id | EDB-ID:16379 |
last seen | 2016-02-01 |
modified | 2010-05-09 |
published | 2010-05-09 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16379/ |
title | Microsoft Outlook Express NNTP Response Parsing Buffer Overflow |
Metasploit
description | This module exploits a stack buffer overflow in the news reader of Microsoft Outlook Express. |
id | MSF:EXPLOIT/WINDOWS/NNTP/MS05_030_NNTP |
last seen | 2019-12-16 |
modified | 2017-07-24 |
published | 2006-12-15 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1213 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/nntp/ms05_030_nntp.rb |
title | MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS05-030.NASL |
description | The remote host is running a version of Microsoft Outlook Express that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to lure a user to connect to a rogue NNTP (news) server sending malformed replies to several queries. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18489 |
published | 2005-06-14 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/18489 |
title | MS05-030: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715) |
Oval
accepted | 2005-10-12T05:49:00.000-04:00 |
class | vulnerability |
contributors | name Ingrid Skoog, organization The MITRE Corporation |
description | Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. |
family | windows |
id | oval:org.mitre.oval:def:1088 |
status | accepted |
submitted | 2005-08-16T04:00:00.000-04:00 |
title | Microsoft Outlook Express 5.5,SP2 News Reading Vulnerability |
version | 64 |

accepted | 2005-10-12T05:49:00.000-04:00 |
class | vulnerability |
contributors | name Ingrid Skoog, organization The MITRE Corporation |
description | Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. |
family | windows |
id | oval:org.mitre.oval:def:167 |
status | accepted |
submitted | 2005-08-16T04:00:00.000-04:00 |
title | Microsoft Outlook Express 6,2003 News Reading Vulnerability |
version | 64 |

accepted | 2015-08-10T04:01:12.929-04:00 |
class | vulnerability |
contributors | name Ingrid Skoog, organization The MITRE Corporation; name Maria Mikhno, organization ALTX-SOFT |
definition_extensions | comment Microsoft Outlook Express 6 SP1 is installed. oval oval:org.mitre.oval:def:488 |
description | Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. |
family | windows |
id | oval:org.mitre.oval:def:989 |
status | accepted |
submitted | 2005-08-16T04:00:00.000-04:00 |
title | Microsoft Outlook Express 6,SP1 News Reading Vulnerability |
version | 66 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/83025/ms05_030_nntp.rb.txt |
id | PACKETSTORM:83025 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | MC |
source | https://packetstormsecurity.com/files/83025/Microsoft-Outlook-Express-NNTP-Response-Parsing-Buffer-Overflow.html |
title | Microsoft Outlook Express NNTP Response Parsing Buffer Overflow |
Saint
bid | 13951 |
description | Outlook Express NNTP LIST buffer overflow |
id | mail_client_msoenntp |
osvdb | 17306 |
title | outlook_express_nntp |
type | client |
Seebug
bulletinFamily | exploit |
description | <p><strong>Vulnerability description:</strong></p><p>Microsoft Outlook Express is the mail and newsgroup client bundled with the Microsoft Windows operating system.</p><p>A remote buffer overflow vulnerability exists in the news-reading functionality of Microsoft Outlook Express that may allow an attacker to execute arbitrary code with the privileges of the current user. Specifically, the vulnerability is triggered when parsing the NNTP server's response after the LIST command has been issued. A stack overflow exists in a routine in MSOE.dll, located at C:\Program Files\Outlook Express\MSOE.DLL. The following addresses and offsets are based on MSOE.DLL version 5.50.4927.1200 as bundled with Microsoft Windows 2000 SP4. When parsing a server response of the following form:</p><p>alt.12hr 0<LONG STRING>000001325 0000001322 y</p><p>FIELD1 FIELD2 FIELD3 FIELD4 TERMINATOR</p><p>several string-parsing loops call the CharNext() and IsSpace() routines to determine the length of each whitespace-delimited field, and StrCpy() copies FIELD2 into a static 16-byte stack buffer:</p><p>SUB_6AED247A() ... </p><p>6AED268B mov eax, ebx ; eax = start of FIELD2 </p><p>6AED268D lea edi, [ebp+buff] ; edi = stack variable </p><p>6AED2690 sub eax, esi ; esi = end of FIELD2 </p><p>6AED2692 mov ecx, eax ; ecx = length of FIELD2 </p><p>6AED2694 mov edx, ecx ; edx = length of FIELD2 </p><p>6AED2696 shr ecx, 2 </p><p>6AED2699 rep movsd ; *** overflow occurs here </p><p>6AED269B mov ecx, edx </p><p>6AED269D and ecx, 3 </p><p>6AED26A0 rep movsb ; copy remaining bytes </p><p>6AED26A2 and byte ptr [ebp+eax+buff], 0 ; null terminate the string</p><p>The copied buffer is then passed to the routine StrToIntA(). The rep movsd instruction at 0x6AED2699 can overflow the stack. An attacker can overwrite the SEH record stored on the stack to alter the flow of execution, ultimately leading to execution of arbitrary code.</p><p><strong>Impact:</strong></p><p>Affected software:</p><p> •Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4</p><p>•Microsoft Windows XP Service Pack 1</p><p>•Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)</p><p>•Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)</p><p>•Microsoft Windows Server 2003 (for Itanium-based systems)</p><p>•Microsoft Windows Server 2003</p><p>•Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), Microsoft Windows Millennium Edition (ME) </p><p>Affected components:</p><p> •Outlook Express 5.5 Service Pack 2 on Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4</p><p>•Outlook Express 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4, or Microsoft Windows XP Service Pack 1</p><p>•Outlook Express 6 Service Pack 1 for Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)</p><p>•Outlook Express 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) </p><p>•Outlook Express 6 for Microsoft Windows Server 2003 (for Itanium-based systems) </p><p>•Outlook Express 6 for Microsoft Windows Server 2003 </p><p>Software not affected:</p><p> •Microsoft Windows Server 2003 Service Pack 1</p><p>•Microsoft Windows Server 2003 with SP1 (for Itanium-based systems)</p><p>•Microsoft Windows Server 2003 x64 Edition</p><p>•Microsoft Windows XP Professional x64 Edition</p><p>•Microsoft Windows XP Service Pack 2</p><p><strong>CVE-ID:</strong>CVE-2005-1213 </p><p><strong>CNNVD-ID:</strong>CNNVD-200506-126</p><p><strong>CNVD-ID:</strong>CNVD-2005-2133 </p><p><strong>Solution:</strong></p><p>Microsoft</p><p> ---------</p><p> Microsoft has released a security bulletin (MS05-030) and the corresponding patch for this issue: MS05-030: Cumulative Security Update in Outlook Express (897715). Link: <a href="http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx" rel="nofollow">http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx</a></p> |
id | SSV:13664 |
last seen | 2017-11-19 |
modified | 2005-06-24 |
published | 2005-06-24 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-13664 |
title | MS Outlook Express NNTP Buffer Overflow Exploit (MS05-030) |
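The Seebug entry above describes the root cause: a LIST response line is split into whitespace-delimited fields and FIELD2 is copied into a 16-byte stack buffer with no length check before being handed to StrToIntA(). The following is an added example, not code from the page, from Microsoft or from any of the advisories listed here: a bounded parser for one NNTP LIST line ("group last first posting") that keeps the same 16-byte field buffer but rejects any field that would not fit, and validates the numeric fields before converting them. The function and type names (nntp_parse_list_line, copy_token, parse_number, list_entry) and the two sample lines are constructed for the illustration.

```c
/* Added example: bounded parsing of an NNTP LIST response line.
 * Names and sample lines are constructed; nothing here is taken from MSOE.DLL. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_BUF 16   /* same size as the stack buffer named in the advisory */

struct list_entry {
    char group[256];
    unsigned long last;
    unsigned long first;
    char posting;
};

/* Copy the whitespace-delimited token at *p into out (capacity cap).
 * Returns the token length, or -1 when the token is empty or would not fit
 * together with its terminating NUL.  The unsafe pattern this replaces is an
 * unbounded StrCpy(buf, field) whose length is never compared with the
 * buffer size, which is what lets an over-long FIELD2 run past 16 bytes. */
static int copy_token(const char **p, char *out, size_t cap)
{
    const char *s = *p;
    while (*s == ' ' || *s == '\t') s++;
    const char *e = s;
    while (*e && *e != ' ' && *e != '\t' && *e != '\r' && *e != '\n') e++;
    size_t len = (size_t)(e - s);
    if (len == 0 || len >= cap) return -1;   /* reject instead of truncating */
    memcpy(out, s, len);
    out[len] = '\0';
    *p = e;
    return (int)len;
}

/* Parse a digits-only field (the kind of value StrToIntA would receive).
 * Returns 0 on success, -1 if the field is empty, non-numeric or overflows. */
static int parse_number(const char *tok, unsigned long *val)
{
    if (*tok == '\0') return -1;
    for (const char *c = tok; *c; c++)
        if (!isdigit((unsigned char)*c)) return -1;
    errno = 0;
    char *end;
    unsigned long v = strtoul(tok, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *val = v;
    return 0;
}

/* Returns 0 and fills *out for a well-formed line, -1 for any line whose
 * fields are missing, over-long or non-numeric.  A server that controls the
 * response controls every field, so every field is validated. */
int nntp_parse_list_line(const char *line, struct list_entry *out)
{
    char field[FIELD_BUF];           /* the 16-byte stack buffer from the advisory */
    const char *p = line;

    if (copy_token(&p, out->group, sizeof out->group) < 0) return -1;   /* FIELD1 */
    if (copy_token(&p, field, sizeof field) < 0) return -1;             /* FIELD2 */
    if (parse_number(field, &out->last) < 0) return -1;
    if (copy_token(&p, field, sizeof field) < 0) return -1;             /* FIELD3 */
    if (parse_number(field, &out->first) < 0) return -1;
    if (copy_token(&p, field, sizeof field) < 0) return -1;             /* FIELD4 */
    if (field[1] != '\0' || (field[0] != 'y' && field[0] != 'n' && field[0] != 'm'))
        return -1;
    out->posting = field[0];
    return 0;
}

/* Constructed sample responses: one benign, one with an over-long FIELD2. */
const char *benign_line = "alt.12hr 0000001325 0000001322 y";
const char *oversize_line =
    "alt.12hr 0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA000001325 0000001322 y";

int main(void)
{
    struct list_entry e;
    printf("benign:   %s\n", nntp_parse_list_line(benign_line, &e) == 0 ? "accepted" : "rejected");
    printf("oversize: %s\n", nntp_parse_list_line(oversize_line, &e) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The design choice worth noting is that an over-long field is rejected rather than silently truncated: truncation would still let a hostile server choose what value reaches the integer conversion, whereas rejection ends the parse and makes the malformed response visible to logging.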
References
- http://securitytracker.com/id?1014200
- http://www.idefense.com/application/poi/display?id=263&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/130614
- http://www.securityfocus.com/bid/13951
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-030
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1088
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A167
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A989