Message-Rendering Vulnerabilities in E-mail Readers
Richard Smith posted the following in a message to funsec this morning:
I’ve got some sort of bad email message in my POP3 inbox which Outlook 2003 is refusing to download. I’m not sure what the problem is with the message, but Outlook is complaining that it doesn’t have enough memory to process the message. See the attached screen shot.
However, I am now stuck because I can no longer read email from this account. I suspect the message is a spam message, so there are maybe other people in the same boat.
For the specific error message, see the screenshot from Richard’s report.
I have a copy of the original message, and can attest to the fact that it is severely malformed. The interesting part, however, is that the malformation does not appear to be what is to blame in this instance.
The recipients list on this particular e-mail contains hundreds of different e-mail aliases, and that appears to be what is causing problems. Outlook, in particular, appears to exhaust a limited-size heap when faced with such an e-mail message. The impact of that upon Outlook is quite severe, because messages aren’t removed from mail servers unless they are successfully written to the Outlook Inbox. This process fails when such a message is received due to the heap-exhaustion problem, and thus, the e-mail message remains on the server indefinitely. Outlook proceeds to re-download the message and fail to process it until it is deleted from the mail server where the attacked mailbox is hosted by some other means.
I’ve tried manual importation of local copies of the message into several mail readers and only one (Outlook Express) handled this in a semi-correct fashion unless the recipients list had been significantly shortened. The others all failed the import operation, but otherwise respond normally. It remains to be seen whether these clients can be caused to fail in a similar fashion to Outlook. At this point in time, I recommend filtering e-mail with exceedingly large recipient lists in the To or CC fields (say, 100 or more) and asking users to send such e-mails to large groups via blind carbon copy.
As I conduct more aggressive tests on other mail readers, I’ll post my results here.