OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Imail Web Service Remote DoS Attack v.2
From: Marc Maiffret (marcEEYE.COM)
Date: Thu Aug 17 2000 - 06:13:03 CDT


Imail Web Service Remote DoS Attack v.2

Release Date:
August 17, 2000

Systems Affected:
Ipswitch Imail 6.00 2-1

Description:
The following is a simple DoS we found while working on Retina's CHAM(Common
Hacking Attack Methods) HTTP auditing module which should be released within
the next two weeks within the new Retina 2.5.

There exists a remote Denial of Service in Ipswitch's Imail web services in
IMail 6.0. The problem arises in incorrect handling of HTTP 1.1 Host header
portions of requests. By using a long Host: header, you can cause a single
thread to crash. When this thread crashes, it does not free it's resources,
allowing an attacker to repeat this process to use massive amounts of memory
on the server.

Details:
The problem is in the Host: processing. Sending anywhere over 500 bytes
will cause the thread to overwrite it's Base pointer, killing operations on
that thread. Resources are not freed for the thread, however, so this can
cause the attacked server to use massive amounts of memory. After a while,
this program will cause serious problems for the server. Some of the
problems we have experienced are: systems stopped responding to mouse
clicks, systems completely freezing etc...

The attack:
 GET / HTTP/1.1
 Host: AAAAAAAA(x500)

The Attack Program:
We have created a sample attack program that can quickly cause massive
amounts of memory to be used by the attacked server.

The crashimail.exe example should be called as follows:
 crashimail hostname port numthreads
 The hostname is the host you wish to attack
 the port is a port of the Imail's Web service, Imail defaults to 8181 or
8383
 numthreads is the number of concurrent threads to attack with

You can download this sample program and source from:
http://www.eeye.com/html/advisories/threadcrashimail.zip

Vendor Status:
We would like to thank IPSwitch (www.ipswitch.com) for the way they handled
this vulnerability in a timely fashion.
A fix for this can be found at,
http://www.ipswitch.com/support/patches-upgrades.html#IMail.

For more information about Retina and its CHAM (Common Hacking Attack
Methods) technology, visit http://www.eeye.com/retina

Copyright (c) 1998-2000 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alerteEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
mail:infoeEye.com
http://www.eEye.com

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net