[VulnWatch] Kmail <= 1.9.1 (latest) DOS

From: nnp (version5@private)
Date: Tue Oct 10 2006 - 15:57:21 PDT


Background:
Kmail is an HTML-compatible email client that comes installed by
default with the KDE desktop. This DOS requires HTML parsing to be
enabled. This can be done in Kmail by going to Settings -> Configure
Kmail -> Security and ticking "Prefer HTML to Plain Text".

Description:
Kmail can be crashed because it incorrectly parses certain HTML elements.
In this case the <img> tag is incorrectly parsed if its src attribute
is a malformed file link.
A sample mail can be found here:
http://silenthack.co.uk/nnp/exploits/kmail/imgCrash
Viewing this mail will crash the program and give a stack
trace similar to the following:

[KCrash handler]
#6  0xffffe410 in __kernel_vsyscall ()
#7  0xb787b9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#8  0xb787d2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#9  0xb7757cf9 in kdbgstream::flush () from /usr/lib/libkdecore.so.4
#10 0xb7bf7cda in endl () from /usr/lib/libkmailprivate.so
#11 0xb5be724e in KIO::Scheduler::_scheduleJob () from /usr/lib/libkio.so.4
#12 0xb6cdaa17 in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
 from /usr/lib/libkhtml.so.4
#13 0xb6cdad1a in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
 from /usr/lib/libkhtml.so.4
#14 0xb7117eb9 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#15 0xb7118954 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
#16 0xb74ad39e in QTimer::timeout () from /usr/lib/libqt-mt.so.3
#17 0xb713ceb1 in QTimer::event () from /usr/lib/libqt-mt.so.3
#18 0xb70ade56 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#19 0xb70ae052 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#20 0xb77abd7d in KApplication::notify () from /usr/lib/libkdecore.so.4
#21 0xb703f157 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#22 0xb709f843 in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
#23 0xb7052f67 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#24 0xb70c6947 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#25 0xb70c686a in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#26 0xb70ac965 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#27 0x0804a04b in ?? ()
#28 0xbfe80938 in ?? ()
#29 0xbfe80b24 in ?? ()
#30 0x00000000 in ?? ()
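The advisory's mitigation is to keep HTML rendering off; a complementary
check on the receiving side is to inspect HTML mail before a client
renders it. The script below is an added example written for this post,
not the advisory's sample mail and not KDE code: it parses a message with
Python's email library, collects every <img> src from the text/html parts,
and reports any whose URL scheme is not one a mail client should fetch or
that does not parse at all. The ALLOWED_SCHEMES set and the constructed
sample message are assumptions; a real deployment would tune the set to
local policy.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not the advisory's PoC): a single text/html
# part with three <img> tags, one of which points at a file: URL.
SAMPLE_EML = b"""From: sender@example.invalid
To: reader@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>hello</p>
<img src="https://example.invalid/logo.png">
<img src="cid:part1@example.invalid">
<img src="file:///nonexistent/image.jpg">
</body></html>
"""

# Assumption: schemes a mail client may legitimately resolve for images.
# Anything else (file:, a scheme-less path, an unparseable URL) is flagged.
ALLOWED_SCHEMES = {"http", "https", "cid", "data"}


class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser already lowercases tag names
            for name, value in attrs:
                if name.lower() == "src":
                    self.srcs.append(value or "")


def suspicious_img_sources(raw_eml: bytes):
    """Return [(src, scheme)] for every <img> src in the HTML parts whose
    scheme is not in ALLOWED_SCHEMES. Unparseable URLs are reported as
    '<unparseable>' and scheme-less ones as '<none>'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgSrcCollector()
        collector.feed(part.get_content())
        for src in collector.srcs:
            try:
                scheme = urlsplit(src.strip()).scheme.lower()
            except ValueError:
                findings.append((src, "<unparseable>"))
                continue
            if scheme not in ALLOWED_SCHEMES:
                findings.append((src, scheme or "<none>"))
    return findings


if __name__ == "__main__":
    for src, scheme in suspicious_img_sources(SAMPLE_EML):
        print(f"flagged <img> src {src!r} (scheme {scheme})")
```

Run against the constructed message this flags only the file: image; the
https and cid references pass. Because the check works on the raw message,
it can sit in a delivery-time filter and does not depend on which client,
or which HTML rendering setting, the recipient uses.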

Version information:
I am using KDE 3.5.2 and kmail 1.9.1.

Credits:
nnp

-- 
http://silenthack.co.uk
http://smashthestack.org



This archive was generated by hypermail 2.1.3 : Fri Oct 13 2006 - 00:02:56 PDT