lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <28749c0e0610060827j506990fcua7a339b3f71c1069@mail.gmail.com>
Date: Fri, 6 Oct 2006 16:27:25 +0100
From: nnp <version5@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Kmail <= 1.9.1 (latest) DOS

Found this while fuzzing for a different type of vuln. For the life of
me I cant do anything useful with this bug so here it is. I dont have
the time to narrow down what causes the crash, if anyone manages to
get code execution from it, be a dear and let me know ;)

I am using KDE 3.5.2 and kmail 1.9.1.

This bug requires HTML to be enabled (Settings -> Configure Kmail ->
Security -> and tick Prefer HTML to Plain Text.).

(email that causes crash) http://silenthack.co.uk/nnp/exploits/kmail/crashMail

When the mail is viewed it should crash immediately and give you a
stack trace similar to

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
[KCrash handler]
#6  0xffffe410 in __kernel_vsyscall ()
#7  0xb787b9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#8  0xb787d2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#9  0xb7757cf9 in kdbgstream::flush () from /usr/lib/libkdecore.so.4
#10 0xb7bf7cda in endl () from /usr/lib/libkmailprivate.so
#11 0xb5be724e in KIO::Scheduler::_scheduleJob () from /usr/lib/libkio.so.4
#12 0xb6cdaa17 in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
  from /usr/lib/libkhtml.so.4
#13 0xb6cdad1a in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
  from /usr/lib/libkhtml.so.4
#14 0xb7117eb9 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#15 0xb7118954 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#16 0xb74ad39e in QTimer::timeout () from /usr/lib/libqt-mt.so.3
#17 0xb713ceb1 in QTimer::event () from /usr/lib/libqt-mt.so.3
#18 0xb70ade56 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#19 0xb70ae052 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#20 0xb77abd7d in KApplication::notify () from /usr/lib/libkdecore.so.4
#21 0xb703f157 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#22 0xb709f843 in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
#23 0xb7052f67 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#24 0xb70c6947 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#25 0xb70c686a in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#26 0xb70ac965 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#27 0x0804a04b in ?? ()
#28 0xbfe80938 in ?? ()
#29 0xbfe80b24 in ?? ()
#30 0x00000000 in ?? ()

-- 
http://silenthack.co.uk
http://smashthestack.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ