[UNIX] POP3Lite Client Side DoS and Message Injection
From: support@securiteam.com
Date: 09/04/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] POP3Lite Client Side DoS and Message Injection
Message-Id: <20010904045819.BBB21138C0@mail.der-keiler.de>
Date: Tue, 4 Sep 2001 06:58:19 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
POP3Lite Client Side DoS and Message Injection
------------------------------------------------------------------------
SUMMARY
<http://pop3lite.sourceforge.net/> POP3Lite is a modular POP3 daemon
developed to be fast, flexible and easy to use. It runs on Linux and *BSD.
POP3Lite fails to escape dots in messages it transfers to clients, and
thus makes clients popping their mail from a vulnerable POP3Lite
vulnerable to receiving arbitrary server responses embedded in carefully
crafted emails, possibly leading to arbitrary message injection, lost
messages, or otherwise annoying client misbehavior.
DETAILS
Vulnerable systems:
POP3Lite version 0.2.3b and prior
Immune systems:
POP3Lite version 0.2.4b and above
POP3Lite does not byte-stuff leading dots as RFC 1939 requires. Any message
line that begins with a dot therefore reaches the client unescaped, and the
client strips that dot. Worse, a message line consisting of a single dot,
i.e. the sequence CRLF.CRLF, is a valid end-of-message marker, so an RFC
compliant client correctly treats it as the end of the message. The
following line is then interpreted as the answer from the server, causing
most clients to abort the mail transfer in the belief that an error
occurred. Depending on the client, this can result in no messages being
deleted from the server, which is quite a problem for a non-technical user
to resolve on his own.
However, apart from clients choking on email containing dots, legit or
not, it is possible for an email sender to inject arbitrary server answers
into the POP3 session of the target. Assuming that the client will do the
usual RETR DELE RETR etc., one can cause subsequent messages to be deleted
from the server even though the client never received them. We can even
inject arbitrary messages into the client. This means we can actually fake
anything we want, including fully constructed headers, leaving no traces
at all in the header of the faked mail.
In combination with anonymous email services such as Mixmaster all this
can be done completely anonymously. Apart from our trojaned message,
truncated at the CRLF dot CRLF, there will be no traces. Make it look like
spam and the user will happily hit delete on his only piece of evidence
with intact, real headers.
To illustrate this, imagine this message being sent to a victim getting
mail from a vulnerable POP3Lite:
Date: Wed, 29 Aug 2001 19:31:41 -0400
From: "Cash Plan" <cashplan62@hotmail.com>
To: victim@victim.net
Subject: DAILY CASH PLAN & COMPLETE BUSINESS SYSTEM
Your DAILY CASH PLAN & COMPLETE BUSINESS SYSTEM
THIS IS REAL !! ON CD ROM!!
----FREE---------- FREE-------------- FREE--------------- FREE-----
Stealth Mail Bomber " unlocked " No Registration Required
Retails for $300 and up "This Bulk e-mail software will
** EXPLODE YOUR BUSINESS **
NO Tricks, NO Gimmicks, NO Changing Long Distance Carriers, NO Games
----FREE---------- FREE-------------- FREE--------------- FREE-----
.
+OK message deleted
+OK 1234 octets
Received: from mail.anything.com (123.123.123.123)
by mail.victim.net with SMTP; 1 Apr 2001 00:42:00 -0000
Date: Sat, 1 Apr 2001 00:23:00 -0000
From: anyone@anything.com
To: victim@victim.net
Subject: anything
bloerps
After the bloerps, POP3Lite will send a dot, indicating the end of the
message. However, the client already interpreted the first, unescaped dot
as end of message. For the client, the second, real EOM sequence will mark
the end of the injected message. The client and server communication will
continue, but the client will always be one message "behind". The last
message on the server will get lost, and instead there will be the
injected message in the client side. The remnant of the trojaned message
looks just like ordinary spam now, and will surely be deleted. The exact
behavior might vary between clients, but this should work in one form or
another with any RFC compliant client.
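The byte-stuffing rule from RFC 1939 that the DETAILS section says POP3Lite omitted, together with the client-side read that depends on it, as an added example that is not POP3Lite code. It feeds a constructed message containing a lone-dot line (modelled on the one above) through both a correct server encoding and the unstuffed encoding, and shows what an RFC compliant client makes of each: the stuffed message arrives intact, the unstuffed one is cut at the dot and its tail is left in the stream to be read as server replies.

```python
# Added example (not POP3Lite code): RFC 1939 section 3 byte-stuffing for
# multi-line POP3 responses, and the client-side read that relies on it.
CRLF = b"\r\n"
TERMINATOR = b"." + CRLF

def dot_stuff(body: bytes) -> bytes:
    """Server side (correct behaviour): prefix every line that begins with
    '.' with one extra '.', then append the CRLF.CRLF terminator."""
    if not body.endswith(CRLF):
        body += CRLF
    lines = body.split(CRLF)
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return CRLF.join(stuffed) + TERMINATOR

def send_unstuffed(body: bytes) -> bytes:
    """Server side as the advisory describes POP3Lite <= 0.2.3b: terminator
    appended, but leading dots inside the message are left untouched."""
    if not body.endswith(CRLF):
        body += CRLF
    return body + TERMINATOR

def read_multiline(stream: bytes) -> tuple[bytes, bytes]:
    """Client side: consume one multi-line body up to the first lone '.'
    line, removing stuffed dots. Returns (body, bytes left in the stream)."""
    body, pos = b"", 0
    while True:
        end = stream.find(CRLF, pos)
        if end < 0:
            raise ValueError("unterminated multi-line response")
        line = stream[pos:end]
        pos = end + len(CRLF)
        if line == b".":
            return body, stream[pos:]  # leftover is parsed as the next reply
        if line.startswith(b"."):
            line = line[1:]  # RFC 1939: drop the stuffed leading dot
        body += line + CRLF

# Constructed test message modelled on the advisory: a lone-dot line
# followed by text shaped like server replies and a second message.
CRAFTED = (b"Subject: DAILY CASH PLAN\r\n\r\nNO Tricks, NO Gimmicks\r\n"
           b".\r\n+OK message deleted\r\n+OK 1234 octets\r\n"
           b"From: anyone@anything.com\r\n\r\nbloerps\r\n")

def compare() -> dict:
    """Run both server behaviours through the same client read."""
    good_body, good_rest = read_multiline(dot_stuff(CRAFTED))
    bad_body, bad_rest = read_multiline(send_unstuffed(CRAFTED))
    return {"stuffed_intact": good_body == CRAFTED and good_rest == b"",
            "unstuffed_body": bad_body, "unstuffed_leftover": bad_rest}
```

A quick check against a server is to RETR a message whose body contains a line holding only a dot and confirm that the raw response shows ".." on that line.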
In the unlikely case of POP3 clients with some kind of input validation
problem in the server response handling, it would of course be possible to
exploit them through (possibly anonymous) email, too.
Solution:
Gergely Nagy <algernon@debian.org>, maintainer of POP3Lite, has
immediately fixed the problem upon notification, and released the fixed
POP3Lite 0.2.4 on August 23rd. Latest source and binary distributions are
available from:
ftp://pop3lite.sourceforge.net/pub/pop3lite/
ADDITIONAL INFORMATION
The information has been provided by Daniel Roethlisberger
<daniel@roe.ch>.