Subject: UKNM: FW: Sega Dreamcast Web Browser Email Security Issue
From: Ian Betteridge
Date: Thu, 16 Sep 1999 00:38:23 +0100

Perhaps a little techie for this list, but if Sega is serious about using
Dreamcast as an e-commerce platform it'll have to start getting on top of
issues like this...
Ian Betteridge News Editor, MacUser UK
W: 0171 917 3872 M: 07957 235463
H: 01273 695488

>From: HIGH TIMES <hight1mezatHOTMAIL [dot] COM>
>Subject: Sega Dreamcast Web Browser Email Security Issue
>Date: Tue, Sep 14, 1999, 3:47 pm

> Sega Dreamcast Web Browser Advisory
> Author : John Bissell a.k.a. hight1mes
> Vulnerable : Sega Dreamcast
> Impact : Unable to check and manage email through SDWB
> Release Date: September 13, 1999
> Status : Sega has been contacted
> Contact : royalbluatsilcom [dot] com
> Homepage : http://www.silcom.com/~royalblu/
> Background:
> ===========
> The Sega Dreamcast Web Browser software that comes packaged with every
> Dreamcast now allows the gamer for the first time ever to connect to the
> Internet via a console system. Unfortunately Sega has delivered the general
> public a very insecure web browser for browsing the web.
> SDWB (Sega Dreamcast Web Browser) not only can browse the web but can also send
> and receive email by clicking on the Mail icon from the command cluster.
> This is where we find the security problem in the SDWB mailbox.
> Problem Description:
> ====================
> I thought to myself, hmm, now that console systems can connect to the
> Internet there must be potential for insecurity. Sure enough, early
> into my investigation of the SDWB I found you can lock out an email account.
> The problem can be exploited in the SDWB itself or any other email client
> that supports a huge subject when composing a message. I will now break
> down the exploit into a list of easy steps using the SDWB.
> 1.) Start up the Sega Dreamcast Web Browser and connect to the Internet.
> 2.) Send a message with a huge, and I mean huge, subject line.
> That's it! Now wherever that message was sent to, no email can be viewed or
> managed through the SDWB. When the victim SDWB user tries to read his email
> account he will get an error message reporting, quote, "An internal error has
> occurred. Please contact Sega."
> This sort of problem exists in a lot of software across the globe due to
> insufficient bounds checking... Sigh, when will we learn to code securely!
> Solution:
> =========
> To fix this internal error when SDWB tries to access your email account you
> must use email software like Outlook Express, Eudora, etc. on a computer to
> delete the evil message(s) with huge subjects.
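
The advisory attributes the lock-out to insufficient bounds checking on the subject line, which is the classic fixed-buffer header-parsing bug. The following is an added illustration, written for this page and not Sega's code or anything derived from the SDWB: a small Subject: header parser in C with the unchecked copy beside a bounded version, plus a helper that constructs the advisory's "huge subject" message so the two can be compared. The buffer size SUBJECT_MAX, the function names and the sample addresses are all assumptions made for the example; folded (multi-line) headers are not handled.

```c
/*
 * Added example (hypothetical code, not from the advisory or Sega):
 * parsing the Subject: header of a raw RFC 822-style message into a
 * fixed-size display buffer, unsafely and safely.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define SUBJECT_MAX 128   /* assumed size of the client's subject buffer */

enum subj_status { SUBJ_OK = 0, SUBJ_TRUNCATED = 1, SUBJ_MISSING = 2 };

/* Locate the first "Subject:" header in the header block (everything
 * before the first blank line). Returns a pointer to the value and its
 * length (up to CR or LF) via *len, or NULL if there is no such header. */
static const char *find_subject(const char *msg, size_t *len)
{
    const char *p = msg;
    while (*p) {
        if (p[0] == '\n' || (p[0] == '\r' && p[1] == '\n'))
            return NULL;                     /* blank line: headers over */
        if (strncmp(p, "Subject:", 8) == 0) {
            const char *v = p + 8;
            while (*v == ' ' || *v == '\t') v++;
            const char *e = v;
            while (*e && *e != '\r' && *e != '\n') e++;
            *len = (size_t)(e - v);
            return v;
        }
        const char *nl = strchr(p, '\n');    /* skip to the next line */
        if (!nl) return NULL;
        p = nl + 1;
    }
    return NULL;
}

/* The bug class the advisory describes: the length of the value is never
 * compared against the buffer, so a subject longer than SUBJECT_MAX-1
 * bytes writes past the end of buf (undefined behaviour; a crash or an
 * "internal error" is the typical symptom). Only safe on short input. */
static int subject_unsafe(const char *msg, char buf[SUBJECT_MAX])
{
    size_t len;
    const char *v = find_subject(msg, &len);
    if (!v) { buf[0] = '\0'; return SUBJ_MISSING; }
    memcpy(buf, v, len);                     /* len is unchecked */
    buf[len] = '\0';
    return SUBJ_OK;
}

/* Bounded version: clamp the copy to the buffer and report truncation so
 * the UI can still list and delete the message instead of failing. */
static int subject_safe(const char *msg, char *buf, size_t bufsize)
{
    size_t len;
    int status = SUBJ_OK;
    if (bufsize == 0) return SUBJ_TRUNCATED;
    const char *v = find_subject(msg, &len);
    if (!v) { buf[0] = '\0'; return SUBJ_MISSING; }
    if (len >= bufsize) { len = bufsize - 1; status = SUBJ_TRUNCATED; }
    memcpy(buf, v, len);
    buf[len] = '\0';
    return status;
}

/* Construct a message whose Subject: is n bytes of 'A' (the advisory's
 * step 2, built locally for testing). Addresses are placeholders.
 * Caller frees the result. */
static char *make_message(size_t n)
{
    const char *head = "From: sender@example.invalid\r\nSubject: ";
    const char *tail = "\r\nTo: victim@example.invalid\r\n\r\nbody\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    char *m = malloc(hl + n + tl + 1);
    if (!m) return NULL;
    memcpy(m, head, hl);
    memset(m + hl, 'A', n);
    memcpy(m + hl + n, tail, tl + 1);        /* includes the NUL */
    return m;
}

int main(void)
{
    char buf[SUBJECT_MAX];
    char *ok = make_message(10);
    char *evil = make_message(100000);
    if (!ok || !evil) return 1;
    printf("short subject, unsafe parser: status=%d \"%s\"\n",
           subject_unsafe(ok, buf), buf);
    printf("huge subject, safe parser:    status=%d kept %zu bytes\n",
           subject_safe(evil, buf, sizeof buf), strlen(buf));
    /* subject_unsafe(evil, buf) is deliberately not called here */
    free(ok);
    free(evil);
    return 0;
}
```

The point of the bounded version is not just avoiding the overflow: returning SUBJ_TRUNCATED lets the mailbox view still render an entry for the oversized message, so the user can delete it from the console rather than needing a second mail client, which is exactly the workaround the advisory has to recommend.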
