NUL Character in message body locks up Outlook/Outlook Express

From: Ben Rampling (benr_at_MEMO.COM.AU)
Date: 04/14/04

Next message: Mad|Es02: "Assembler snippet (Re: Suspicious WebDAV Traffic)"

Previous message: Paul Szabo: "Eudora 6.0.3 nested MIME DoS"
Next in thread: Will Dormann: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Reply: Will Dormann: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Maybe reply: Boring, Andrew: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Maybe reply: Jeff Stephenson: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Maybe reply: Chris Palmer: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Wed, 14 Apr 2004 10:42:29 +0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hello,

A number of Microsoft mail programs fail when they attempt to download a
message containing ASCII NUL in the message body. The clients we tested
are:

Outlook Express 6.00.2800.1106
Outlook 2002 (10.2627.3501) SP-1
Outlook 2003 (11.5608.5606)

Once the client attempts to download the particular message, the
"Sending/Receiving" email dialog locks up and can not be closed. The
next attempt to download email will also fail.

Watching on a packet tracer shows that all clients lock up after the
body of the RETR response has been sent. Presumably they can't see the
<CRLF>.<CRLF> after the NUL character. Any mail after the message can
not be retrieved until the NUL-containing email is removed from the
spool manually.

The following Python script produces the problem:

import smtplib
from_address = "nobody@microsoft.com"
to_address = "nobody@microsoft.com"
message = "Before\r\n\000\r\nAfter"
smtp = smtplib.SMTP("localhost")
smtp.set_debuglevel(1)
smtp.sendmail(from_address, [to_address], message)
smtp.quit()

I've quickly looked through the SMTP and POP3 RFC's and found nothing
that prohibits this kind of email message. The messages get through
unaltered on recent versions of qmail and postfix.

Unfortunately I'm not in a position to test the IMAP support in Outlook
for this bug, and my searches for any prior information on it have come
back with nothing.

Regards,
Ben Rampling

-----
Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <https://ticsa.trusecure.com> for certification details and <http://www.infosecuritycanada.com> for conference information. Become TICSA certified and see what happens!
-----

Next message: Mad|Es02: "Assembler snippet (Re: Suspicious WebDAV Traffic)"

Previous message: Paul Szabo: "Eudora 6.0.3 nested MIME DoS"
Next in thread: Will Dormann: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Reply: Will Dormann: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Maybe reply: Boring, Andrew: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Maybe reply: Jeff Stephenson: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Maybe reply: Chris Palmer: "Re: NUL Character in message body locks up Outlook/Outlook Express"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]