From: Stan Bubrouski (stan_at_ccs.neu.edu)
Date: Sun Aug 04 2002 - 10:48:49 CDT


    Author: Stan Bubrouski
    Date: August 4, 2002
    Product: ArGoSoft Mail Server Pro
    Versions affected: 1.8.17 (current) and previous
    Severity: A malicious user or users could mount a DoS using mail
    forwarding and automatic responses to render the administrative
    console unresponsive and raise CPU usage to 100%.

    Problem: There are coding errors in ArGoSoft Mail Server Pro
    which allow for a Denial of Service attack to be initiated against the
    mail server by regular webmail users. Let me first explain what the
    root of the problem is. If a user configures his/her web account to
    forward mail to themselves and then sends a message to themselves,
    the following will be seen on the administrative console:
    ...
    8/4/2002 11:22:42 AM - [ 39] Delivering to test
    8/4/2002 11:22:42 AM - [ 39] Forwarding mail to test
    8/4/2002 11:22:43 AM - [ 40] Delivering to test
    8/4/2002 11:22:43 AM - [ 40] Forwarding mail to test
    8/4/2002 11:22:44 AM - [ 41] Delivering to test
    8/4/2002 11:22:44 AM - [ 41] Forwarding mail to test
    8/4/2002 11:22:44 AM - [ 41] Too many Received headers. Mailing loop
    suspected
    8/4/2002 11:22:45 AM - [ 42] Delivering to test
    8/4/2002 11:22:45 AM - [ 42] Forwarding mail to test
    8/4/2002 11:22:45 AM - [ 42] Too many Received headers. Mailing loop
    suspected

    Notice how the server, after about 20 retries, realized there was a
    message loop. This is fine; even if you send a thousand messages
    like this, they do tie up the server a bit, but CPU usage does not
    go to 100% and the admin console is still responsive. If someone
    was trying to attack like this, you'd still have the ability to go into
    the file menu and hit "Suspend Delivery". But if you configure your
    e-mail like above to forward mail to yourself and you set up an
    autoresponse for yourself in the web settings, now there is a problem:

    8/4/2002 11:27:22 AM - [ 47] Delivering to 2 recipients
    8/4/2002 11:27:22 AM - [ 47] Forwarding mail to test
    8/4/2002 11:27:22 AM - [ 47] Sending auto response...
    8/4/2002 11:27:22 AM - [ 47] Autoresponse from test has been relayed
    to test
    8/4/2002 11:27:22 AM - [ 48] Delivering to test
    8/4/2002 11:27:22 AM - [ 47] Forwarding mail to test
    8/4/2002 11:27:22 AM - [ 48] Forwarding mail to test
    8/4/2002 11:27:22 AM - [ 47] Sending auto response...
    8/4/2002 11:27:22 AM - [ 47] Autoresponse not sent, because it has
    been recently sent to test
    8/4/2002 11:27:22 AM - [ 48] Sending auto response...
    8/4/2002 11:27:22 AM - [ 48] Message seems to be autoresponse itself.
    Will ignore to avoid loops
    ...
    8/4/2002 11:28:37 AM - [ 133] Message seems to be autoresponse itself.
    Will ignore to avoid loops
    8/4/2002 11:28:38 AM - [ 134] Delivering to test
    8/4/2002 11:28:38 AM - [ 134] Forwarding mail to test
    8/4/2002 11:28:38 AM - [ 134] Sending auto response...
    8/4/2002 11:28:38 AM - [ 134] Autoresponse from test has been relayed
    to test
    8/4/2002 11:28:38 AM - [ 135] Delivering to test
    8/4/2002 11:28:38 AM - [ 135] Forwarding mail to test
    8/4/2002 11:28:38 AM - [ 135] Sending auto response...
    <turned off server to avoid problems>
    8/4/2002 11:28:39 AM - Web server stopped
    8/4/2002 11:28:39 AM - Finger server stopped
    8/4/2002 11:28:39 AM - POP3 server stopped
    8/4/2002 11:28:39 AM - SMTP server stopped

    This goes on and on and on... and this is just one message sent by
    user 'test' to user 'test' cc'ed to user 'test' with autoresponses turned
    on. Notice it no longer realizes the limit on forwarding the message.
    And what's worse is that in the <install dir>/_outbox it keeps creating
    new queue files for the same e-mail. Essentially the loop has the
    side effect of creating many files in the outbox, and the number
    continues to increase over time. Using a single message, as far as
    I know, will not create a DoS attack, but you can automate the
    sending of messages through the webmail very easily, and thus you
    can do as I did in my testing and create a program to send
    thousands of these mails. What then happens is that, because the server
    does not know to stop trying to deliver each e-mail, it keeps
    trying, clinging to 100% CPU and rendering the admin console
    unresponsive. It will also begin to fill the outbox with thousands
    and thousands of messages, a number which continues to slowly increase
    over time. Clearly there is a problem in how it handles message
    loops after autoresponse is turned on. It seems to detect that
    the autoresponses are looping but forgets that the messages may
    be looping as well. It seems to be a logic error somewhere in
    the server code.

    Just one user doing this may not cause a DoS on all systems.
    On my system I had to set up two users, like so:
    users: test and test2
    test forwards mail to test1
    test1 forwards mail to test
    test and test1 have autoresponses turned on.
    Sent a flurry of messages from test to test, cc'ed to test1

    This scenario halts the admin console from responding because
    in all cases CPU usage should be stuck at 100%. You'll see
    text flying down the console but you will have no way of stopping
    the deliveries which will continue to go on until you stop the server.

    No proof of concept tools are provided, because the vendor has
    not been contacted.
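
For administrators reviewing saved console output, the two log excerpts above differ in one observable way: with forwarding alone the "Too many Received headers" guard eventually trips, while with forwarding plus autoresponse it never does. The following is an added example, not part of the original advisory or of ArGoSoft's code; the function names, the `min_sessions` threshold and the sample lines are assumptions constructed in the log format shown above.

```python
import re
from collections import defaultdict

# Console line layout as in the advisory: "8/4/2002 11:27:22 AM - [ 47] text"
LINE = re.compile(r"^\s*\d+/\d+/\d+ \d+:\d+:\d+ [AP]M - \[\s*(\d+)\] (.*)$")
FWD = "Forwarding mail to "

def find_unguarded_loops(lines, min_sessions=4):
    """Mailboxes forwarded to in >= min_sessions sessions while autoresponses
    fire and the "Too many Received headers" guard never trips."""
    forwards = defaultdict(set)          # mailbox -> session ids that forwarded to it
    autoresp, guarded = set(), set()     # session ids seen with each event
    for raw in lines:
        m = LINE.match(raw)
        if not m:                        # wrapped continuation or status line
            continue
        sid, text = int(m.group(1)), m.group(2)
        if text.startswith(FWD):
            forwards[text[len(FWD):].strip()].add(sid)
        elif text.startswith("Sending auto response"):
            autoresp.add(sid)
        elif text.startswith("Too many Received headers"):
            guarded.add(sid)
    return sorted(box for box, sids in forwards.items()
                  if len(sids) >= min_sessions
                  and sids & autoresp and not sids & guarded)

def _log(sessions, autoresponse, guard_from=None):
    """Build constructed console lines in the advisory's format."""
    out = []
    for sid in sessions:
        pre = f"8/4/2002 11:27:22 AM - [{sid:4d}] "
        out += [pre + "Delivering to test", pre + "Forwarding mail to test"]
        if autoresponse:
            out.append(pre + "Sending auto response...")
        if guard_from is not None and sid >= guard_from:
            out.append(pre + "Too many Received headers. Mailing loop")
            out.append("suspected")      # wrapped tail, as in the archive
    return out

# Constructed samples: forwarding only (guard trips) vs. forwarding + autoresponse
FORWARD_ONLY = _log([39, 40, 41, 42], autoresponse=False, guard_from=41)
WITH_AUTORESPONSE = _log([47, 48, 134, 135], autoresponse=True)

if __name__ == "__main__":
    print(find_unguarded_loops(FORWARD_ONLY))
    print(find_unguarded_loops(WITH_AUTORESPONSE))
```

A mailbox returned by `find_unguarded_loops` is a candidate for review of its forwarding and autoresponse settings; the threshold is a heuristic and should be tuned against normal traffic.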