Another serious MSN Messenger flaw

[Ratman2]

From BugTraq:

Introduction to the flaw.
Msn Messenger is a popular Instant-Messaging client from
Microsoft. After the previous flaws regarding the privacy
of users another flaw is discovered. This flaw makes the
msn messenger client crash after receiving a misformated
font variable in the message header with instant messages.

How does it work exactly?
The Msn Messenger client works by sending a header with
every message. So every time a user wants to send a
message, it generates a header, containing information
about the font, the color of the message and some other
information.

The flaw
A normal header look something like this:

<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Sans%20Serif; EF=B; CO=ff; CS=0;
PF=22

hey friend, how are you?
<end>

When we replace the font field with something very large.
Creating an overflaw the header will look like this:

<start>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Times%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
%20New%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20
Roman%20%20%20%20%20%20%20%20%20%20%20; EF=B; CO=ff; CS=0;
PF=22

hey friend, how are you?
<end>

As a result the Msn Messenger client will crash

this flaw only crashes the Msn Messenger from Microsoft.
Trillian is not affected.

This flaw is a severe danger. As it's not so hard for
hackers to use this flaw in their application.
Microsoft has been informed on this issue.


When are people GOING TO LEARN about buffer overflows? I wonder how many more holes exist in MSN Messenger?

[draziw]

Microsoft has the habit of hiring programmers right-out-of-college... unfortunately, it seems that college profs are just as good about not teaching/enforcing bounds and fencepost conditions on their assignments. So, well, I think as a result there's a lot of junior level (and probably mid-level or better) programmers out there that are not very good about "checking all possible extraneous conditions."

<rant>
Some people just don't seem to get it... it doesn't matter that you know the client and you know the server and both are "doing the right thing." If you supply enough of your program/system to the industry, some bozo will surely love to get in the middle of that conversation and supply you with data that you probably didn't expect...

It's kinda like "yeah, I know you wrote that webform and coded it well, even using javascript to validate your input - but my perl script knows nothing of your stupid webform and will supply your CGI with whatever the h*ll I tell it to."
</rant>

[cwk9]

lol Trillian is a better msn then msn is.

[JRoc]

I agree Trillian has only two holes, one of them I found out about and it seems to have a better GUI aswell as a better server for maintaining uptime.

[cybermagellan]

And that is why I don't program because I get in a rush and would forget things....

Cybermagellan your program just allowed someone to shut down the whole internet...what do you have to say?

see the things that can be avoided when you know your bounds!