[VulnWatch] Kmail <= 1.9.1 (latest) DOS
Background:
Kmail is an HTML-compatible email client that is installed by default
with the KDE desktop. This DOS requires HTML parsing to be enabled,
which is done in Kmail via Settings -> Configure Kmail -> Security and
ticking "Prefer HTML to Plain Text".

Description:
Kmail can be crashed by certain HTML elements that it parses incorrectly.
In this case the <img> tag is mishandled when its src attribute is a
malformed file link.
A sample mail can be found at
http://silenthack.co.uk/nnp/exploits/kmail/imgCrash .
Viewing it crashes the program and produces a stack trace similar to
the following:

[KCrash handler]
#6 0xffffe410 in __kernel_vsyscall ()
#7 0xb787b9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#8 0xb787d2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#9 0xb7757cf9 in kdbgstream::flush () from /usr/lib/libkdecore.so.4
#10 0xb7bf7cda in endl () from /usr/lib/libkmailprivate.so
#11 0xb5be724e in KIO::Scheduler::_scheduleJob () from /usr/lib/libkio.so.4
#12 0xb6cdaa17 in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr () from /usr/lib/libkhtml.so.4
#13 0xb6cdad1a in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr () from /usr/lib/libkhtml.so.4
#14 0xb7117eb9 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#15 0xb7118954 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#16 0xb74ad39e in QTimer::timeout () from /usr/lib/libqt-mt.so.3
#17 0xb713ceb1 in QTimer::event () from /usr/lib/libqt-mt.so.3
#18 0xb70ade56 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#19 0xb70ae052 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#20 0xb77abd7d in KApplication::notify () from /usr/lib/libkdecore.so.4
#21 0xb703f157 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#22 0xb709f843 in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
#23 0xb7052f67 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#24 0xb70c6947 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#25 0xb70c686a in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#26 0xb70ac965 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#27 0x0804a04b in ?? ()
#28 0xbfe80938 in ?? ()
#29 0xbfe80b24 in ?? ()
#30 0x00000000 in ?? ()
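The trigger above is an <img> whose src is a local file link rather than something a mail client has any reason to fetch. The following is an added example, not code from KMail or from the advisory author: a gateway-style check that walks a message's text/html parts and reports every <img> whose src is absent, unparsable, or uses a scheme outside an assumed allow-list (http, https, cid, data). The function name, the allow-list and the sample message are all constructed for this illustration.

```python
# Added illustration for the advisory above, not code from KMail or its author.
# Parses a raw message, walks its text/html parts and reports every <img>
# whose src is missing, unparsable, or uses a scheme a mail client has no
# reason to fetch (anything but http, https, cid, data); the allow-list is an
# assumed policy and the sample message below is constructed.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "cid", "data"}


class ImgSrcCollector(HTMLParser):  # collects the src of every <img> tag
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.srcs.append(dict(attrs).get("src"))


def suspicious_img_sources(raw_message: bytes):
    """Return the <img> src values ('<missing src>' when absent) found in the
    HTML parts that a gateway or client-side filter should treat as suspect."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # plain-text parts cannot carry an <img> tag
        collector = ImgSrcCollector()
        collector.feed(part.get_content())
        for src in collector.srcs:
            if src is None:
                findings.append("<missing src>")
                continue
            try:
                scheme = urlsplit(src.strip()).scheme.lower()
            except ValueError:  # e.g. an unbalanced IPv6 bracket in the netloc
                findings.append(src)
                continue
            if scheme not in ALLOWED_SCHEMES:
                findings.append(src)
    return findings


# Constructed sample: one remote image, one local-file reference, one with no src.
SAMPLE = (b"From: a@example.test\r\nTo: b@example.test\r\nSubject: test\r\n"
          b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
          b'<html><body><img src="https://example.test/ok.png">'
          b'<img src="file:///tmp/not-for-mail.jpg"><img></body></html>\r\n')
```

A client that has "Prefer HTML to Plain Text" switched off never reaches the HTML parser, so the same check is only needed where HTML rendering is on.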

Version information:
I am using KDE 3.5.2 and kmail 1.9.1.

Credits:
nnp

--
http://silenthack.co.uk
http://smashthestack.org
