

Subject: UKNM: FW: Sega Dreamcast Web Browser Email Security Issue
From: Ian Betteridge
Date: Thu, 16 Sep 1999 00:38:23 +0100

Perhaps a little techie for this list, but if Sega is serious about using
Dreamcast as an e-commerce platform it'll have to start getting on top of
issues like this...
--
---------------------------------------
Ian Betteridge News Editor, MacUser UK
W: 0171 917 3872 M: 07957 235463
H: 01273 695488

----------
>From: HIGH TIMES <hight1mezatHOTMAIL [dot] COM>
>To: BUGTRAQatSECURITYFOCUS [dot] COM
>Subject: Sega Dreamcast Web Browser Email Security Issue
>Date: Tue, Sep 14, 1999, 3:47 pm
>

> Sega Dreamcast Web Browser Advisory
>
> Author : John Bissell a.k.a. hight1mes
> Vulnerable : Sega Dreamcast
> Impact : Unable to check and manage email through SDWB
> Release Date: September 13, 1999
> Status : Sega has been contacted
> Contact : royalbluatsilcom [dot] com
> Homepage : http://www.silcom.com/~royalblu/
>
> Background:
> ===========
>
> The Sega Dreamcast Web Browser software that comes packaged in with every
> Dreamcast now allows the gamer for the first time ever to connect to the
> Internet via a console system. Unfortunately Sega has delivered the general
> public a very insecure web browser for browsing the web.
>
> SDWB (Sega Dreamcast Web Browser) not only can browse the web but can send
> and receive email by clicking on the Mail icon from the command cluster.
> This is where we find the security problem in the SDWB mailbox.
>
> Problem Description:
> ====================
>
> I thought to myself, hmm, now that console systems can connect to the
> Internet there must be potential for insecurity. Sure enough, early
> into my investigation of the SDWB I found you can lock out an email account.
>
> The problem can be exploited in the SDWB itself or any other email client
> that supports a huge subject when composing a message. I will now break
> down the exploit into a list of easy steps using the SDWB.
>
> 1.) Start up the Sega Dreamcast Web Browser and connect to the Internet.
> 2.) Send a message with a huge and I mean huge subject line.
>
> That's it! Now where that message was sent to no email can be viewed or
> managed through the SDWB. When the victim SDWB user tries to read his email
> account he will get an error message reporting quote "An internal error has
> occurred. Please contact Sega."
>
> This sort of problem exists in a lot of software across the globe due to
> insufficient bounds checking... Sigh, when will we learn to code securely!
>
> Solution:
> =========
>
> To fix this internal error when SDWB tries to access your email account you
> must use email software like Outlook Express, Eudora, etc. on a computer to
> delete the evil message(s) with huge subjects.
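The advisory above attributes the mailbox lockout to insufficient bounds checking on the subject line. As an added example (not part of the original post, and not Sega's code), here is one way a mail client can read a Subject header into a fixed-size buffer so that an oversized subject is truncated for display instead of breaking the mailbox view. The names `extract_subject`, `demo_oversized`, `shown` and the 64-byte `SUBJECT_MAX` are assumptions made for illustration.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define SUBJECT_MAX 64 /* assumed display limit, not a value from the advisory */
char shown[SUBJECT_MAX]; /* what the mailbox listing would display */

static const char *next_line(const char *eol)
{
    if (*eol == '\r') eol++;
    return *eol == '\n' ? eol + 1 : eol;
}

/* Copy the Subject header, unfolding continuation lines, into out[outsz].
 * Returns 0 if it fit, 1 if truncated, -1 if absent. Never writes past out. */
int extract_subject(const char *p, char *out, size_t outsz)
{
    size_t n = 0;
    int truncated = 0;
    if (!p || !out || outsz == 0) return -1;
    out[0] = '\0';
    while (*p && *p != '\r' && *p != '\n' && strncasecmp(p, "Subject:", 8) != 0)
        p = next_line(p + strcspn(p, "\r\n"));     /* skip other headers */
    if (strncasecmp(p, "Subject:", 8) != 0) return -1; /* reached body or end */
    for (p += 8; ; ) {
        const char *eol = p + strcspn(p, "\r\n");
        while (p < eol && (*p == ' ' || *p == '\t')) p++;
        for (; p < eol; p++)
            if (n + 1 < outsz) out[n++] = *p; else truncated = 1;
        p = next_line(eol);
        if (*p != ' ' && *p != '\t') break;        /* no folded continuation */
        if (n + 1 < outsz) out[n++] = ' '; else truncated = 1;
    }
    out[n] = '\0';
    return truncated;
}

/* Constructed input: a header block whose Subject is 8000 bytes long. */
int demo_oversized(char *out, size_t outsz)
{
    static char msg[8192];
    size_t k = strlen(strcpy(msg, "From: a@example.test\r\nSubject: "));
    memset(msg + k, 'A', 8000);
    strcpy(msg + k + 8000, "\r\nTo: b@example.test\r\n\r\nbody\r\n");
    return extract_subject(msg, out, outsz);
}

int main(void)
{
    return demo_oversized(shown, sizeof shown) == 1 ? 0 : 1; /* 0: truncated safely */
}
```

A return value of 1 lets the caller mark the subject as shortened in the listing while the message stays readable and deletable.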


