[VulnWatch] Remote DoS in GFI MailEssentials due to a bug in Microsoft HTML parser

From: Peter Kruse (kruse_at_krusesecurity.dk)
Date: 01/03/05

    To: "VulnWatch" <vulnwatch@vulnwatch.org>
    Date: Mon, 3 Jan 2005 10:06:19 +0100

    CSIS Security Advisory: [CSIS2005-1]

    Remote DoS in GFI MailEssentials due to a bug in Microsoft HTML parser

    Date Published: 3rd of January 2005

    Product description:
    GFI MailEssentials for Exchange/SMTP offers spam protection and email
    management at server level. GFI MailEssentials offers a fast set-up and a
    high spam detection rate using Bayesian analysis and other methods - no
    configuration required, very low false positives through its automatic
    whitelist, and the ability to automatically adapt to your email environment
    to constantly tune and improve spam detection. GFI MailEssentials also adds
    email management tools to your mail server: disclaimers, mail archiving and
    monitoring, Internet mail reporting, list server, server-based auto replies
    and POP3 downloading.

    Specially crafted HTML emails could cause GFI MailSecurity and GFI
    MailEssentials to stop processing, with emails getting stuck in the IIS
    queue or Exchange pre-submission queues. There will be no error indication
    other than that the mail queue stops processing. Restarting the server or
    the services will not help. The flaw is triggered when MailEssentials
    processes the strings in an email subject, body or in an attached text
    file. Exploitation is trivial.

    Vulnerability Class:
    This flaw affects all tested versions of GFI MailEssentials and will cause a
    remote Denial of Service.
    Other programs that make use of the Microsoft HTML parser have not been tested.

    CSIS has discovered a flaw in GFI MailEssentials 9 and 10.x and GFI
    MailSecurity 8.x where a specially crafted HTML email causes the products to
    stop processing, resulting in emails getting stuck in the IIS/Exchange

    The problem lies in a Microsoft HTML library that is made use of by a GFI
    library, common to GFI MailSecurity and GFI MailEssentials.

    A malicious user can exploit this flaw by crafting an e-mail containing
    specially crafted javascript. When the e-mail containing the javascript is
    received by MailEssentials, it will be processed, resulting in a DoS. The
    mail will reside in the queues until it is manually removed. If the server is
    rebooted without removing the affected mail from the queues, the same mail
    gets processed again and again and a new DoS will occur. MailEssentials will
    not process any other in- or outbound e-mails until this mail is completely
    removed from the bad mail queue. This is an ugly scenario, since you'll end
    up looking for a needle in a haystack.

    CSIS would like to underline that this flaw is really the result of a bug in
    the Microsoft HTML parser. As such, this problem is not directly related to
    GFI. We suspect other products are vulnerable as well.

    Medium-High: This is a remote DoS. It leaves no trace, no warnings and no
    indication of which e-mail is causing the problem.

    A fix has been released:

    GFI MailEssentials 10.x -
    GFI MailEssentials 9 - ftp://ftp.gfi.com/patches/me9_PATCH_20041220_01.zip
    GFI MailSecurity 8.x - ftp://ftp.gfi.com/patches/MSEC8_PATCH_20041220_01.zip

    It is strongly recommended to apply these patches as soon as possible. It
    would also be wise to set up an alert mechanism that monitors the number of
    mails in the queue. CSIS also recommends using the GFI monitor function to
    check whether mails get processed at regular intervals.
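    The queue-monitoring alert recommended above, as an added example that is
    not part of the original advisory or of GFI's own monitor function. It
    assumes a one-file-per-message queue directory (such as the IIS SMTP
    service's Queue folder) and polls it; a queue that never shrinks while its
    oldest message keeps ageing is reported as stalled, together with the name
    of that oldest message, which is the one being reprocessed on every
    restart. Paths, thresholds and the sample files are constructed.

    ```python
    import os
    import tempfile
    import time
    from dataclasses import dataclass
    from pathlib import Path

    @dataclass
    class QueueSample:
        taken_at: float    # epoch seconds when the sample was taken
        count: int         # messages waiting in the queue directory
        oldest_age: float  # age in seconds of the oldest queued message
        oldest_name: str   # that message's file name: the reprocessed one

    def sample_queue(queue_dir, now=None):
        """Snapshot a one-file-per-message queue directory (assumed layout)."""
        now = time.time() if now is None else now
        files = [p for p in Path(queue_dir).iterdir() if p.is_file()]
        if not files:
            return QueueSample(now, 0, 0.0, "")
        oldest = min(files, key=lambda p: p.stat().st_mtime)
        return QueueSample(now, len(files), now - oldest.stat().st_mtime, oldest.name)

    def queue_stalled(samples, min_samples=3, max_age=900):
        """Stalled = the queue never shrank over the last min_samples samples
        and its oldest message has waited longer than max_age seconds."""
        if len(samples) < min_samples:
            return False
        recent = samples[-min_samples:]
        never_drained = all(b.count >= a.count for a, b in zip(recent, recent[1:]))
        last = recent[-1]
        return never_drained and last.count > 0 and last.oldest_age > max_age

    def demo():
        """Constructed scenario: one message stuck for 30 minutes, queue not
        draining. Returns (stalled?, name of the message to pull from the queue)."""
        now = 1_700_000_000.0
        with tempfile.TemporaryDirectory() as d:
            for name, age in (("stuck.eml", 1800), ("new1.eml", 60), ("new2.eml", 20)):
                path = Path(d) / name
                path.write_text("constructed placeholder message")
                os.utime(path, (now - age, now - age))
            # three polls five minutes apart; nothing leaves the queue
            samples = [sample_queue(d, now=now + 300 * i) for i in range(3)]
        return queue_stalled(samples), samples[-1].oldest_name

    if __name__ == "__main__":
        print(demo())  # (True, 'stuck.eml')
    ```

    In production the poll loop would run sample_queue against the real queue
    path every few minutes and page an operator when queue_stalled turns true.
    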

    Affected Products:
    GFI MailSecurity 8.x
    GFI MailEssentials 9
    GFI MailEssentials 10.x

    Running on Microsoft Windows 2000 Server with all relevant patches

    CSIS would like to thank GFI for a quick and professional response. It took
    only 5 days for GFI to troubleshoot and fix this issue!

    The Common Vulnerabilities and Exposures (CVE) project has assigned the name
    CAN-2004-1312 to this issue. This is a candidate for inclusion in the CVE
    list (http://cve.mitre.org), which standardizes names for security problems.

    For more information about the patches see GFI KB article:

    This advisory can also be found at our website:

    Med venlig hilsen // Kind regards
    Peter Kruse,                        Voice: (+45) 88136030
    Security- and virusanalyst,         Cel    (+45) 28490532
    CSIS ApS                            Fax    (+45) 28176030
    http://www.csis.dk                  E-mail pkr@csis.dk
    PGP fingerprint
    79FD 0648 158E 6B9E 236F  CFDA 7C58 64D6 BE83 FA60
    Combined Services & Integrated Solutions
    Gevnø Gade 11a
    4660 Store Heddinge, Denmark
    This is a PRIVATE message. If you are not the intended recipient, please
    delete without copying and kindly advise us by e-mail of the mistake in
    delivery. NOTE: Regardless of content, this e-mail shall not operate to
    bind CSIS to any order or other contract unless pursuant to explicit
    written agreement or government initiative expressly permitting the use of
    e-mail for such purpose.
