Bugtraq mailing list archives
Re: GMail / Google Groups ESMTP software b0f
From: Heather Adkins <hadkins () google com>
Date: Tue, 8 Feb 2005 18:16:18 -0800
There is a very strong indication for this being a buffer overflow in a non-forking daemon, rather than a preemptive IDS strike. The threshold for the number of characters prompting an overflow; the delayed effect of an overflow; the fact it is affected only by the last EHLO; and the global unavailability of the service - all are a clear indication of a classic b0f related crash.
The actual nature of this flaw was a bug that resulted in memory exhaustion. What you uncovered was a DoS that didn't actually affect the security of the system, only the availability. We'd like to stress that this didn't affect our users as the resulting behavior merely delays email. Since we fixed the bug quickly, this didn't happen.
I notified Google today. It is my understanding that they do not routinely communicate with researchers or the community on security problems in their code, so I am not coordinating a response in any way. The problem may or may not be fixed by now.
We do read external communications sent to us and are greatly appreciative of any and all reports we receive. As for communicating with others I would hope that recent press articles would alleviate the misconception that we do not work with others. We even post to our company blog (http://www.google.com/googleblog/) about various incidents as necessary. So I am sadly disappointed that you were under the impression we wouldn't take action on your report. Just so that everyone knows, we have an official external email address for reports of this kind: security () google com
PS. If that trivial flaw is representative of the quality of server-side code beyond some of Google services, I would worry - but take this opinion with a grain of salt.
Gmail is a Beta product and we are still working out the kinks! -Heather -- Heather Adkins <hadkins () google com> Google Security Team
Current thread:
- GMail / Google Groups ESMTP software b0f Michal Zalewski (Feb 07)
- <Possible follow-ups>
- Re: GMail / Google Groups ESMTP software b0f Heather Adkins (Feb 09)