NUL Character in message body locks up Outlook/Outlook Express

Type securityvulns
Reporter Securityvulns
Modified 2004-04-14T00:00:00



A number of Microsoft mail programs fail when they attempt to download a message containing ASCII NUL in the message body. The clients we tested are:

Outlook Express 6.00.2800.1106
Outlook 2002 (10.2627.3501) SP-1
Outlook 2003 (11.5608.5606)

Once the client attempts to download the particular message, the "Sending/Receiving" email dialog locks up and cannot be closed. The next attempt to download email will also fail.

Watching on a packet tracer shows that all clients lock up after the body of the RETR response has been sent. Presumably they can't see the <CRLF>.<CRLF> after the NUL character. Any mail after the message cannot be retrieved until the NUL-containing email is removed from the spool manually.

The following Python script produces the problem:

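import smtplib

from_address = ""
to_address = ""
# Message body with an ASCII NUL on a line of its own
message = "Before\r\n\000\r\nAfter"

# Hand the message to the local SMTP server, logging the dialogue
smtp = smtplib.SMTP("localhost")
smtp.set_debuglevel(1)
smtp.sendmail(from_address, [to_address], message)
smtp.quit()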

I've quickly looked through the SMTP and POP3 RFCs and found nothing that prohibits this kind of email message. The messages get through unaltered on recent versions of qmail and postfix.

Unfortunately I'm not in a position to test the IMAP support in Outlook for this bug, and my searches for any prior information on it have come back with nothing.

Regards, Ben Rampling
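
A server-side check for the condition described above, as an added example that is not part of the original post: it lists spooled messages whose body contains an ASCII NUL so they can be located and removed before a client attempts to download them. It assumes a Maildir-format spool (new/ and cur/ subdirectories); the function names and sample messages are constructed for illustration.

```python
import os
import re
import sys

# End of the header block: first empty line, with CRLF or bare LF endings.
HEADER_END = re.compile(rb"\r?\n\r?\n")


def nul_lines_in_body(raw):
    """Return 1-based body line numbers that contain an ASCII NUL byte."""
    match = HEADER_END.search(raw)
    if match is None:
        return []  # headers only, no body to inspect
    body = raw[match.end():]
    return [n for n, line in enumerate(body.split(b"\n"), 1) if b"\x00" in line]


def scan_maildir(root):
    """Map message path -> NUL-bearing body lines for a Maildir (assumed layout)."""
    hits = {}
    for sub in ("new", "cur"):
        folder = os.path.join(root, sub)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:  # binary mode keeps NUL bytes intact
                lines = nul_lines_in_body(fh.read())
            if lines:
                hits[path] = lines
    return hits


# Constructed sample messages (not captured traffic).
SAMPLE_NUL = (b"From: a@example.test\r\nTo: b@example.test\r\n"
              b"Subject: test\r\n\r\nBefore\r\n\x00\r\nAfter\r\n")
SAMPLE_CLEAN = (b"From: a@example.test\r\nTo: b@example.test\r\n"
                b"Subject: test\r\n\r\nBefore\r\nAfter\r\n")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan.py /path/to/Maildir")
    for path, lines in scan_maildir(sys.argv[1]).items():
        print(f"{path}: NUL on body line(s) {lines}")
```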
