[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Imail Web Service Remote DoS Attack v.2

Title: Imail Web Service Remote DoS Attack v.2
Released by: eEye
Date: 18th August 2000
Printable version: Click here
Imail Web Service Remote DoS Attack v.2

Release Date:

August 17, 2000

Systems Affected:

Ipswitch Imail 6.00 2-1


The following is a simple DoS we found while working on Retina's CHAM(Common Hacking Attack Methods) HTTP auditing module which should be released within the next two weeks within the new Retina 2.5.

There exists a remote Denial of Service in Ipswitch's Imail web services in IMail 6.0.  The problem arises in incorrect handling of HTTP 1.1 Host header portions of requests.  By using a long Host: header, you can cause a single thread to crash. When this thread crashes, it does not free it's resources, allowing an attacker to repeat this process to use massive amounts of memory

on the server.


The problem is in the Host: processing.  Sending anywhere over 500 bytes will cause the thread to overwrite it's Base pointer, killing operations on that thread.  Resources are not freed for the thread, however, so this can cause the attacked server to use massive amounts of memory.  After a while, this program will cause serious problems for the server.  Some of the problems we have experienced are: systems stopped responding to mouse

clicks, systems completely freezing etc...

The attack:

 GET / HTTP/1.1

 Host: AAAAAAAA(x500)

The Attack Program:

We have created a sample attack program that can quickly cause massive amounts of memory to be used by the attacked server.

The crashimail.exe example should be called as follows:

 crashimail hostname port numthreads

 The hostname is the host you wish to attack

 the port is a port of the Imail's Web service, Imail defaults to 8181 or 8383  numthreads is the number of concurrent threads to attack with

You can download this sample program and source from:


Vendor Status:

We would like to thank IPSwitch (www.ipswitch.com) for the way they handled this vulnerability in a timely fashion.

A fix for this can be found at, http://www.ipswitch.com/support/patches-upgrades.html#IMail.

For more information about Retina and its CHAM (Common Hacking Attack Methods) technology, visit http://www.eeye.com/retina

Copyright (c) 1998-2000 eEye Digital Security

Permission is hereby granted for the redistribution of this alert

electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.


The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with

the use or spread of this information. Any use of this information is at the user's own risk.


Please send suggestions, updates, and comments to:

eEye Digital Security



(C) 1999-2000 All rights reserved.