Microsoft Outlook/Microsoft Exchange TNEF Decoding Remote Execution Vulnerability

Date Discovered: January 10, 2006

About

Microsoft Outlook clients, and Microsoft Exchange Server are prone to a remote execution vulnerability.

This vulnerability triggers when the applications decode a message containing a specially crafted TNEF MIME attachment. A remote hacker who successfully exploits this vulnerability can take full control of the system, if the user is currently logged on to an administrator account.

TNEF Decoding Vulnerability

Microsoft Exchange Servers and Microsoft Outlook clients use TNEF format when sending out messages that are in Rich Text Format (RTF). When Microsoft Exchange thinks another Microsoft email client received its message, it extracts all the formatting information and encodes it in a TNEF block. The message is sent in two parts, a text file without the formatting, and the formatting instructions in a TNEF block. The message and the TNEF block is then processed and reformatted by a Microsoft Email client. A specially crafted TNEF message can allow remote code execution when the target user opens a malicious email.

Vulnerable Platforms and Operating Systems

Microsoft BackOffice 4.5
Microsoft Excel 2002 SP3
Microsoft FrontPage 2002 SP3
Microsoft Office 2000 SP3
Microsoft Outlook 2002 SP3
Microsoft PowerPoint 2002 SP3
Microsoft Publisher 2002 SP3
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 SP1
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP4
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP1
Microsoft Word 2002 SP3

Vulnerable Components

Microsoft Exchange Server 5.0 SP2
Microsoft Exchange Server 5.0 SP1
Microsoft Exchange Server 5.0
Microsoft Exchange Server 5.5 SP4
Microsoft Exchange Server 5.5 SP3
Microsoft Exchange Server 5.5 SP2
Microsoft Exchange Server 5.5 SP1
Microsoft Exchange Server 5.5
Microsoft Exchange Server 2000 SP3
Microsoft Office 2000 SP3

Further Reading

• Symantec Description - http://www.sarc.com/avcenter/security/Content/16197.html
• Microsoft Security Bulletin MS06-003 - http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx

Credits

Discovered by John Heasman and Marc Litchfield of NGS Software.