Re: [Full-disclosure] Kmail <= 1.9.1 (latest) DOS

From: the.soylent (the.soylentgmail.com)
Date: Sun Oct 08 2006 - 07:10:08 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi :)
Crashed not only KMail, but the complete X server (GNOME) (does restart) ;)
Latest Firefox, even with JavaScript blocked.. -> X server crash
Even gedit seems affected -> X server crash after ~1 min at 100% CPU

Hmm.. no idea, but interesting ;)

cheers soylent

2.6.15-27-686
gnome: 2.12.2.3
X: 7.0.0

nnp wrote:
> Found this while fuzzing for a different type of vuln. For the life of
> me I can't do anything useful with this bug so here it is. I don't have
> the time to narrow down what causes the crash, if anyone manages to
> get code execution from it, be a dear and let me know ;)
>
> I am using KDE 3.5.2 and kmail 1.9.1.
>
> This bug requires HTML to be enabled (Settings -> Configure Kmail ->
> Security -> and tick Prefer HTML to Plain Text.).
>
> (email that causes crash) http://silenthack.co.uk/nnp/exploits/kmail/crashMail
>
> When the mail is viewed it should crash immediately and give you a
> stack trace similar to
>
> (no debugging symbols found)
> Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
> [KCrash handler]
> #6 0xffffe410 in __kernel_vsyscall ()
> #7 0xb787b9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
> #8 0xb787d2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
> #9 0xb7757cf9 in kdbgstream::flush () from /usr/lib/libkdecore.so.4
> #10 0xb7bf7cda in endl () from /usr/lib/libkmailprivate.so
> #11 0xb5be724e in KIO::Scheduler::_scheduleJob () from /usr/lib/libkio.so.4
> #12 0xb6cdaa17 in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
> from /usr/lib/libkhtml.so.4
> #13 0xb6cdad1a in khtml_jpeg_source_mgr::khtml_jpeg_source_mgr ()
> from /usr/lib/libkhtml.so.4
> #14 0xb7117eb9 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
> #15 0xb7118954 in QObject::activate_signal () from /usr/lib/libqt-mt.so.3
> #16 0xb74ad39e in QTimer::timeout () from /usr/lib/libqt-mt.so.3
> #17 0xb713ceb1 in QTimer::event () from /usr/lib/libqt-mt.so.3
> #18 0xb70ade56 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
> #19 0xb70ae052 in QApplication::notify () from /usr/lib/libqt-mt.so.3
> #20 0xb77abd7d in KApplication::notify () from /usr/lib/libkdecore.so.4
> #21 0xb703f157 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
> #22 0xb709f843 in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
> #23 0xb7052f67 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
> #24 0xb70c6947 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
> #25 0xb70c686a in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
> #26 0xb70ac965 in QApplication::exec () from /usr/lib/libqt-mt.so.3
> #27 0x0804a04b in ?? ()
> #28 0xbfe80938 in ?? ()
> #29 0xbfe80b24 in ?? ()
> #30 0x00000000 in ?? ()
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFFKOqgY86qEhC92cgRAgJRAJwLMhE0KYv9xc25xmPcmS1XW9yokgCXabPV
IiPg90pOqEzFLJebOleS6g==
=RDyh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/