Author: Stan Bubrouski Date: August 4, 2002 Product: ArGoSoft Mail Server Pro Versions affected: 1.8.17 (current) and previous Severity: A malicious user or users could mount a DoS using mail forwarding and automatic responses to render the adminstrative console unresponsive and raise CPU usage to 100%. Problem: There are coding errors in ArGoSoft Mail Server Pro which allow for a Denial of Service attack to be initiated against the mail server by regularwebmail users. Let me first explain what the root of the problem is. If a user configures his/her web account to forward mail to themselves then sends a message to themselves, the following will be see on the administrative console: ... 8/4/2002 11:22:42 AM - [ 39] Delivering to test 8/4/2002 11:22:42 AM - [ 39] Forwarding mail to test 8/4/2002 11:22:43 AM - [ 40] Delivering to test 8/4/2002 11:22:43 AM - [ 40] Forwarding mail to test 8/4/2002 11:22:44 AM - [ 41] Delivering to test 8/4/2002 11:22:44 AM - [ 41] Forwarding mail to test 8/4/2002 11:22:44 AM - [ 41] Too many Received headers. Mailing loop suspected 8/4/2002 11:22:45 AM - [ 42] Delivering to test 8/4/2002 11:22:45 AM - [ 42] Forwarding mail to test 8/4/2002 11:22:45 AM - [ 42] Too many Received headers. Mailing loop suspected Notice how the server after about 20 retries realized there was a message loop. This is fine, even if you send a thousand messages like this, they do tie up the server a bit, but CPU usage does not go to 100% and the admin console is still responsive. If someone was tryign to attack like this, you'd still have the ability to go into the file menu and hit "Suspend Delivery". But if you configure you e-mail like above to forward mail to yourself and you setup an autoresponse for yourself in the web settings, now there is a problem: 8/4/2002 11:27:22 AM - [ 47] Delivering to 2 recipients 8/4/2002 11:27:22 AM - [ 47] Forwarding mail to test 8/4/2002 11:27:22 AM - [ 47] Sending auto response... 8/4/2002 11:27:22 AM - [ 47] Autoresponse from test has been relayed to test 8/4/2002 11:27:22 AM - [ 48] Delivering to test 8/4/2002 11:27:22 AM - [ 47] Forwarding mail to test 8/4/2002 11:27:22 AM - [ 48] Forwarding mail to test 8/4/2002 11:27:22 AM - [ 47] Sending auto response... 8/4/2002 11:27:22 AM - [ 47] Autoresponse not sent, because it has been recently sent to test 8/4/2002 11:27:22 AM - [ 48] Sending auto response... 8/4/2002 11:27:22 AM - [ 48] Message seems to be autoresponse itself. Will ignore to avoid loops ... 8/4/2002 11:28:37 AM - [ 133] Message seems to be autoresponse itself. Will ignore to avoid loops 8/4/2002 11:28:38 AM - [ 134] Delivering to test 8/4/2002 11:28:38 AM - [ 134] Forwarding mail to test 8/4/2002 11:28:38 AM - [ 134] Sending auto response... 8/4/2002 11:28:38 AM - [ 134] Autoresponse from test has been relayed to test 8/4/2002 11:28:38 AM - [ 135] Delivering to test 8/4/2002 11:28:38 AM - [ 135] Forwarding mail to test 8/4/2002 11:28:38 AM - [ 135] Sending auto response... <turned off server to avoid problems> 8/4/2002 11:28:39 AM - Web server stopped 8/4/2002 11:28:39 AM - Finger server stopped 8/4/2002 11:28:39 AM - POP3 server stopped 8/4/2002 11:28:39 AM - SMTP server stopped This goes on and on and on... and this is just one message sent by user 'test' to user 'test' cc'ed to user 'test' with autoresponses turned on. Notice it no longer realizes the limit on forwarding the message. And what worse is that in the <install dir>/_outbox it keeps creating new queue files for the same e-mail. Essentially the loop has the side affect of creating many files in the outbox, and the number continue to increase over time. Using a single message, as far as I know will not create a DoS attack, but you can automate the sending of message through the webmail very easily, and thus you can do as I did in my testing and create a program to send thousands of these mails. What then happens is because the server does not know to stop trying to deliver each e-mail it keeps trying, clinging to 100% CPU and rendering the admin console unresponsive. It will also begin to fill the outbox with thousands and thousands of messages which continues to slowly increase over time. Clearly there is a problem in how it handles message loops after autoresponse is turned on. It seems to detect that the autoresponses are looping but forgets that the messages may be looping as well. It seems to be a logic error somewhere in the server code. Just one user doing this may not cause a DoS on all systems. On my system I had to setup to two users, like such: users: test and test2 test forwards mail to test1 test1 forwards mail to test test and test1 have autoresponses turned on. Sent flurry of messages from test to test, cc'ed to test1 This scenario halts the admin console from responding because in all cases CPU usage should be stuck at 100%. You'll seee text flying down the console but you will have no way of stopping the deliveries which will continue to go on until you stop the server. No proof of concept tools are provided, because the vendor has not been contacted.
