[Full-Disclosure] Novell/Ximian Evolution multiple text attachments DoS

From: Kristian Hermansen (khermansen_at_ht-technology.com)
Date: 02/26/05

    To: full-disclosure@lists.netsys.com
    Date: Fri, 25 Feb 2005 19:45:32 -0500
    
    
    
    

    ==================
    =====Analysis=====
    ==================
    I just wanted to inform users of Ximian Evolution 2.0 software that
    there exists a way to temporarily DoS the local application and/or
    machine by attaching an absurd amount of .ezm files to a normal email.
    It seems that Evolution tries to interpret all these attachments and
    will actually display them if it determines they are text. The problem
    comes when Evolution is sent an email with, say, greater than 1000 .ezm
    attachments, and the application tries to unroll them all before
    allowing you to do anything else within the application. These .ezm
    files are usually created by the EZ Mailing List Manager software, but
    one may custom design their own to execute the DoS attack. There seem
    to be other attachment types that can be used as well, as long as
    Evolution tries to unroll them for view in the message window.

    ==================
    ===Implications===
    ==================
    The attack is not sophisticated and Evolution will eventually interpret
    all of the attachments -- but until that time (very long), it would
    appear to the user that the application has crashed and is unresponsive.
    A future attack method that exploits flaws in the attachment renderer
    could be combined with this DoS attack to confuse the user while running
    some malicious script in the background.

    ==================
    =====Affected=====
    ==================
    Tested on Evolution <=2.0.2
    Note: higher versions may still be affected

    ==================
    =====Solution=====
    ==================
    Unknown for now. Will check out CVS, and if time, issue patch.

    -- 
    Kristian Hermansen <khermansen@ht-technology.com>
    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
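
A pre-delivery screening check for the condition described in the Analysis above, as an added example that is not part of the original post and not Evolution or Ximian code. It counts the leaf MIME parts of a message and quarantines it when there are too many parts a client would try to render; the function names, the limits and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed demo limits (not from the post); tune to real mail flows.
MAX_TEXT_PARTS = 5
MAX_TOTAL_PARTS = 20


def count_parts(raw: bytes) -> tuple[int, int]:
    """Return (leaf_parts, declared_text_parts) for a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    total = text = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold parts; only leaves get rendered
        total += 1
        if part.get_content_maintype() == "text":
            text += 1
    return total, text


def screen(raw: bytes) -> tuple[str, list[str]]:
    """Decide 'deliver' or 'quarantine' before a mail client renders the message."""
    total, text = count_parts(raw)
    reasons = []
    if text > MAX_TEXT_PARTS:
        reasons.append(f"{text} text parts > {MAX_TEXT_PARTS}")
    # A client may sniff content and treat non-text/* parts as text,
    # so the overall part count is capped as well.
    if total > MAX_TOTAL_PARTS:
        reasons.append(f"{total} parts > {MAX_TOTAL_PARTS}")
    return ("quarantine" if reasons else "deliver", reasons)


def build_sample(n: int) -> bytes:
    """Constructed sample: a short body plus n small text attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for i in range(n):
        msg.add_attachment("sample text\n", filename=f"part{i}.ezm")
    return msg.as_bytes()


if __name__ == "__main__":
    for n in (2, 8):
        print(n, screen(build_sample(n)))
```
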


