Someone at work just forwarded this to me. There is a denial of service attack that
could shut down an IMail server with a bit of work. Anyone that is a likely target of
hackers should get the patch.
-Scott
-----Original Message-----
From: Marc Maiffret [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 17, 2000 5:41 AM
To: [EMAIL PROTECTED]
Subject: Imail Web Service Remote DoS Attack v.2
Imail Web Service Remote DoS Attack v.2
Release Date:
August 17, 2000
Systems Affected:
Ipswitch Imail 6.00 2-1
Description:
The following is a simple DoS we found while working on Retina's CHAM(Common
Hacking Attack Methods) HTTP auditing module which should be released within
the next two weeks within the new Retina 2.5.
There exists a remote Denial of Service in Ipswitch's Imail web services in
IMail 6.0. The problem arises in incorrect handling of HTTP 1.1 Host header
portions of requests. By using a long Host: header, you can cause a single
thread to crash. When this thread crashes, it does not free it's resources,
allowing an attacker to repeat this process to use massive amounts of memory
on the server.
Details:
The problem is in the Host: processing. Sending anywhere over 500 bytes
will cause the thread to overwrite it's Base pointer, killing operations on
that thread. Resources are not freed for the thread, however, so this can
cause the attacked server to use massive amounts of memory. After a while,
this program will cause serious problems for the server. Some of the
problems we have experienced are: systems stopped responding to mouse
clicks, systems completely freezing etc...
The attack:
GET / HTTP/1.1
Host: AAAAAAAA(x500)
The Attack Program:
We have created a sample attack program that can quickly cause massive
amounts of memory to be used by the attacked server.
The crashimail.exe example should be called as follows:
crashimail hostname port numthreads
The hostname is the host you wish to attack
the port is a port of the Imail's Web service, Imail defaults to 8181 or
8383
numthreads is the number of concurrent threads to attack with
You can download this sample program and source from:
http://www.eeye.com/html/advisories/threadcrashimail.zip
Vendor Status:
We would like to thank IPSwitch (www.ipswitch.com) for the way they handled
this vulnerability in a timely fashion.
A fix for this can be found at,
http://www.ipswitch.com/support/patches-upgrades.html#IMail.
For more information about Retina and its CHAM (Common Hacking Attack
Methods) technology, visit http://www.eeye.com/retina
Copyright (c) 1998-2000 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
mail:[EMAIL PROTECTED]
http://www.eEye.com
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
