[7456] in bugtraq
Re: netscape mail overflow(another one)
daemon@ATHENA.MIT.EDU (Brett Glass)
Wed Jul 29 13:01:29 1998
Date: Tue, 28 Jul 1998 23:49:04 -0600
Reply-To: Brett Glass <brett@LARIAT.ORG>
From: Brett Glass <brett@LARIAT.ORG>
X-To: Paul Boehm <paul@BOEHM.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980728202141.B15055@boehm.org>
It makes perfect sense that any header field could overflow a limited buffer.
I'd assumed that developers would have the sense to check ALL of the buffers
used to store headers, but maybe this should be pointed out to them, just to
make sure.
We may see exploits based on bugs in UUDECODE and BinHex decoders in mailers
as well. I'm sure they're there given the overall low quality of the code
that these companies are generating (sigh).
--Brett Glass
At 08:21 PM 7/28/98 +0200, Paul Boehm wrote:
>Hi,
>netscape mail crashes when trying to the attachment
>from the following pseudo mime mail:
>
>From: Paul Boehm <paul@boehm.org>
>To: paul@boehm.org
>Subject: test
>Mime-Version: 1.0
>Content-Type: AAAAAAAAAAAAAAAAAAAAAA...; boundary=ABC123
>--ABC123
>Content-Type: text/plain; charset=us-ascii
>
>test123
>
>--ABC123
>Content-Type: application/octet-stream
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment; filename="AA"
>
>H4sIAA7jvDUAA+3OOQ6EQBBD0Y45hY9QJejiPI1EBhJiuT+LiEeaAEj+SxzYgdfR09PcLMyU
>JLURdzZX3hopcm49vD6Ks/acZI8/O2zLWmYpTWUbfu/6+Y0/L+uGUn39AQAAAAAAAAAAAAAA
>AADwvx2CTC7aACgAAA==
>
>--ABC--
>
>I suppose this is exploitable, but I don't really know.
>I only tested this with win95 netscape 4.05.
>
>bye,
> paul
>
>--
>
>[ Paul S. Boehm | paul@boehm.priv.at | http://paul.boehm.org/ | infected@irc ]
>
>Money is what gives a programmer his resources. It's an exchange system created
>by human beings. It surrounds us. Works for us, binds the economy together.
>
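A bounds-checked header parser of the kind Brett's reply says mailers need, added here as an example (not code from either poster, nor Netscape's): it extracts the boundary= parameter from a Content-Type value without ever copying the media type into a fixed buffer, and rejects a boundary that would not fit instead of truncating or overflowing. The 70-byte limit (RFC 2046's maximum), the function names and the 300-byte constructed sample are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BOUNDARY_MAX 70  /* RFC 2046 limit; used here as the buffer size */

/* Copy the boundary= parameter of a Content-Type value into out (capacity
 * outsz). Returns 0 on success, -1 if missing or too long for out. The media
 * type itself is never copied into a fixed buffer, so an arbitrarily long type
 * cannot overrun anything. Simplification: matches "boundary=" case-sensitively. */
int parse_boundary(const char *header, char *out, size_t outsz)
{
    const char *p = strstr(header, "boundary=");
    size_t n;

    if (p == NULL || outsz == 0)
        return -1;
    p += strlen("boundary=");
    if (*p == '"') {                         /* quoted form: boundary="..." */
        const char *q = strchr(++p, '"');
        if (q == NULL)
            return -1;
        n = (size_t)(q - p);
    } else {                                 /* bare form ends at ';' or whitespace */
        n = strcspn(p, "; \t\r\n");
    }
    if (n == 0 || n > BOUNDARY_MAX || n >= outsz)
        return -1;                           /* reject rather than truncate or overflow */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Constructed sample shaped like the reported mail: a 300-byte media type
 * followed by "; boundary=ABC123". Returns parse_boundary's result. */
int parse_long_type_sample(char *out, size_t outsz)
{
    char hdr[400];
    memset(hdr, 'A', 300);
    strcpy(hdr + 300, "; boundary=ABC123");
    return parse_boundary(hdr, out, outsz);
}

int main(void)
{
    char b[BOUNDARY_MAX + 1];
    if (parse_long_type_sample(b, sizeof b) == 0)
        printf("boundary parsed safely despite long type: %s\n", b);
    else
        printf("header rejected\n");
    return 0;
}
```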