This vulnerability occurs in Outlook 2019 (16.0.12624.20424) installed on Korean Windows 10 1909 x64, codepage 949.
TLDR;
I have not been able to bypass ASLR using this vulnerability, but I have written an Outlook 2019 32-bit exploit that pops up a calculator using the address of a system library that is fixed at boot time. This vulnerability is also a zero-click vulnerability: if an account of a mail service other than an “outlook.com” account is linked with Outlook 2019 using IMAP, it is triggered just by receiving mail.
First Bug
[OUTLMIME!CloseAllSockets+0x50804 Pseudo code]
The crash occurs in the code above, which is where the vulnerability lies. When the parsed To header or From header string is multibyte, the variable counting the remaining characters to be parsed is decreased by 2; when that variable is 1, decreasing it by 2 causes an integer underflow.
Second Bug
[OUTLMIME!CloseAllSockets+0x50804 Pseudo code]
Outlook CVE-2020-1349
This vulnerability occurs in Outlook 2019 (16.0.12624.20424) installed on Windows 10 1909 x64. This vulnerability is also a zero-click vulnerability.
TLDR;
I found this bug using the winafl fuzzer. This bug occurred when parsing an MS-TNEF file attached to an eml file. The vulnerable method reads out-of-bounds data and uses it as a vftable pointer, so if an attacker successfully exploits this vulnerability it leads to remote command execution.
Details
The size of the allocated heap buffer is controlled by the user, but the vulnerability occurs because the index used in the method is a constant value that exceeds the size of the heap buffer.
Outlook CVE-2020-1493
This vulnerability occurs in Outlook 2019 (16.0.13231.20262) installed on Windows 10 1909 x64
TLDR;
I found this bug using the winafl fuzzer. This bug occurred when parsing HTML contents. If an attacker successfully executes this exploit, it can lead to remote command execution.
Details
When copying strings from the HTML contents, characters outside the ASCII range are replaced with 0xFFFD. As a result, the size of the copied string doubles, so even though the src buffer and dst buffer have the same size, a buffer overflow occurs.
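The size mismatch described above, as an added example that is not the page's or Outlook's own code: it models the replacement copy with a 0xFFFD written as two output bytes per non-ASCII input byte (an assumption about the layout; the page only says the output doubles), computes the expanded length up front, and refuses to copy when the destination was sized as the source. The sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Each byte outside the ASCII range is replaced by the code unit 0xFFFD,
 * modelled here as two output bytes (assumption), so the output can be up
 * to twice as long as the input. */
#define REPLACEMENT_HI 0xFFu
#define REPLACEMENT_LO 0xFDu

/* Number of output bytes the replacement copy produces for src[0..n). */
size_t required_size(const unsigned char *src, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (src[i] < 0x80) ? 1 : 2;
    return out;
}

/* Copy src into dst, replacing non-ASCII bytes. Returns the number of bytes
 * written, or -1 if dst (capacity cap) cannot hold the expanded output.
 * Sizing dst as n, the input length, is the flawed assumption that overflows. */
long replacement_copy(const unsigned char *src, size_t n,
                      unsigned char *dst, size_t cap)
{
    size_t need = required_size(src, n);
    if (need > cap)             /* the check the vulnerable copy lacked */
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (src[i] < 0x80) {
            dst[o++] = src[i];
        } else {
            dst[o++] = REPLACEMENT_HI;
            dst[o++] = REPLACEMENT_LO;
        }
    }
    return (long)o;
}

/* Constructed sample: two ASCII bytes followed by one two-byte CP949 character. */
static const unsigned char sample[] = { 'a', 'b', 0xC7, 0xD1 };

/* Copy the sample into a destination of the given capacity. */
long copy_sample(size_t cap)
{
    unsigned char dst[16] = {0};
    return replacement_copy(sample, sizeof sample, dst, cap);
}

int main(void)
{
    printf("need %zu bytes; dst sized as src -> %ld; dst sized correctly -> %ld\n",
           required_size(sample, sizeof sample), copy_sample(sizeof sample),
           copy_sample(required_size(sample, sizeof sample)));
    return 0;
}
```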
Outlook CVE-2020-16947