Advisories
Imail Web Service Remote DoS Attack v.2
Release Date:
August 17, 2000
Vendor:
IPSwitch
Systems Affected:
Ipswitch Imail 6.00 2-1
Overview:
The following is a simple DoS we found while working on Retina's CHAM (Common Hacking Attack Methods) HTTP auditing module, which should be released within the next two weeks with the new Retina 2.5.
There exists a remote Denial of Service in Ipswitch's IMail web services in IMail 6.0. The problem arises from incorrect handling of the HTTP 1.1 Host header portion of requests. A long Host: header causes a single thread to crash. When this thread crashes, it does not free its resources, allowing an attacker to repeat the process and use massive amounts of memory on the server.
Technical Details:
The problem is in the Host: processing. Sending anywhere over 500 bytes causes the thread to overwrite its base pointer, killing operations on that thread. Resources are not freed for the thread, however, so this can cause the attacked server to use massive amounts of memory. After a while, this causes serious problems for the server. Some of the problems we have experienced are: systems no longer responding to mouse clicks, systems completely freezing, etc.
The attack:
GET / HTTP/1.1
Host: AAAAAAAA(x500)
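The defensive counterpart is to measure the Host: value before copying it into a fixed buffer and to reject the request when it does not fit. The C below is an added example, not code from this advisory or from IMail; the name extract_host, the status codes and the 255-byte limit are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define MAX_HOST_LEN 255   /* assumed limit: DNS name plus ":port" */

enum host_status { HOST_OK = 0, HOST_MISSING = -1, HOST_TOO_LONG = -2 };

/* Copy the Host: header value from a raw request into out (out_sz bytes).
 * The value is measured before any copy, so an oversized header is
 * rejected instead of being written past the end of the buffer. */
enum host_status extract_host(const char *req, size_t req_len,
                              char *out, size_t out_sz)
{
    const char *p = req, *end = req + req_len;
    if (out_sz == 0) return HOST_TOO_LONG;
    out[0] = '\0';
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t len = (size_t)((eol ? eol : end) - p);
        if (len > 0 && p[len - 1] == '\r') len--;      /* strip CR */
        if (len == 0) break;                           /* end of headers */
        if (len >= 5 && strncasecmp(p, "Host:", 5) == 0) {
            const char *v = p + 5;
            size_t vlen = len - 5;
            while (vlen > 0 && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            while (vlen > 0 && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;
            if (vlen > MAX_HOST_LEN || vlen >= out_sz) return HOST_TOO_LONG;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return HOST_OK;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return HOST_MISSING;
}

int main(void)
{
    /* Constructed sample: a request whose Host value is 600 bytes long. */
    char req[700] = "GET / HTTP/1.1\r\nHost: ";
    char host[MAX_HOST_LEN + 1];
    size_t n = strlen(req);
    memset(req + n, 'A', 600);
    memcpy(req + n + 600, "\r\n\r\n", 5);
    return extract_host(req, strlen(req), host, sizeof host) == HOST_TOO_LONG ? 0 : 1;
}
```

A caller would answer HOST_TOO_LONG with a 400 response and close the connection, so the worker thread exits through its normal cleanup path.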
The Attack Program:
We have created a sample attack program that can quickly cause massive amounts of memory to be used by the attacked server.
The crashimail.exe example should be called as follows:
crashimail hostname port numthreads
hostname is the host you wish to attack.
port is the port of the IMail web service; IMail defaults to 8181 or 8383.
numthreads is the number of concurrent threads to attack with.
You can download this sample program and source from: http://www.eeye.com/html/advisories/threadcrashimail.zip
Vendor Status:
We would like to thank IPSwitch (www.ipswitch.com) for the way they handled this vulnerability in a timely fashion.
A fix for this can be found at http://www.ipswitch.com/support/patches-upgrades.html#IMail.
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
