Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Outlook Express Win98 bug

From: miquels () CISTRON NL (Miquel van Smoorenburg)
Date: Tue, 11 May 1999 10:58:41 +0200

There is a bug in Outlook Express delivered with Windows '98, at least
version 4.72.3110.1 (4.01 SP1) and 4.72.3120.0 (4.01 SP1 + oepatsp1)

Windows '95 updated with MSIE 4.01 has Outlook Express 4.72.3612.1700,
which doesn't show the problem. OE from MSIE3 and MSIE5 don't have the
problem either. There might be versions of MSIE4 included with Windows
'98 that don't show the problem either, but I don't have a stack of
Windows CDs to test against.

We have talked to Microsoft NL about this, tracking number S2134 T6142.
However they either deny there is a bug ("sorry sir, this product has
been available for a year now so there cannot be any bugs in it") or
they do not understand what we are talking about. They also claim to
have not received any mail we sent to them, so I am giving up on that.
We did send them this bug report by fax, perhaps that technology is
stable enough to work for them, I don't know.

Description of the problem:

A dot on a single line means EOM in the POP3 protocol. If a message
contains that it must be escaped by adding an extra dot, so we have 2
dots on a single line - which is OK. However if on the TCP level the
line after this double-dot crosses over to the next packet, Outlook
Express will interpret the double-dot as a single dot, switching back to
POP3 command mode and interpreting the rest of the message as a response
from the POP3 server. Result is an error message and usually a hanging
POP3 session.

Perhaps it's not really a bug in Outlook, but the Windows I/O library
or the TCP implementation.. which is scary.

So at the TCP packet level it looks like this:

packet1: [message data]
packet1: \r\n..\r\nthis is a line that
packet2: continues in the next packet

The double-dot on the 2nd line will be interpreted as a single dot.

Include a few thousand lines like this in an email and the bug will trigger:

So
.
this
.
might
.
actually
.
cause
.
the
.
bug
.
with
.
some
.
luck
.
repeat
.
until
.
three
.
times
.
max
.
mtu
.
of
.
1500


Mike.
--
Indifference will certainly be the downfall of mankind, but who cares?
Previous By Date Next
Previous By Thread Next

Current thread: