||Home : Advisories : Imail Web Service Remote DoS Attack v.2|
||Imail Web Service Remote DoS Attack v.2
||18th August 2000
Imail Web Service Remote DoS Attack v.2
August 17, 2000
Ipswitch Imail 6.00 2-1
The following is a simple DoS we found while working on Retina's CHAM(Common Hacking Attack Methods) HTTP auditing module which should be released within the next two weeks within the new Retina 2.5.
There exists a remote Denial of Service in Ipswitch's Imail web services in IMail 6.0. The problem arises in incorrect handling of HTTP 1.1 Host header portions of requests. By using a long Host: header, you can cause a single thread to crash. When this thread crashes, it does not free it's resources, allowing an attacker to repeat this process to use massive amounts of memory
on the server.
The problem is in the Host: processing. Sending anywhere over 500 bytes will cause the thread to overwrite it's Base pointer, killing operations on that thread. Resources are not freed for the thread, however, so this can cause the attacked server to use massive amounts of memory. After a while, this program will cause serious problems for the server. Some of the problems we have experienced are: systems stopped responding to mouse
clicks, systems completely freezing etc...
GET / HTTP/1.1
The Attack Program:
We have created a sample attack program that can quickly cause massive amounts of memory to be used by the attacked server.
The crashimail.exe example should be called as follows:
crashimail hostname port numthreads
The hostname is the host you wish to attack
the port is a port of the Imail's Web service, Imail defaults to 8181 or 8383 numthreads is the number of concurrent threads to attack with
You can download this sample program and source from:
We would like to thank IPSwitch (www.ipswitch.com) for the way they handled this vulnerability in a timely fashion.
A fix for this can be found at, http://www.ipswitch.com/support/patches-upgrades.html#IMail.
For more information about Retina and its CHAM (Common Hacking Attack Methods) technology, visit http://www.eeye.com/retina
Copyright (c) 1998-2000 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security