Bugtraq mailing list archives

NetWin dMailWeb Denial of Service


From: 9cw4 () QLINK QUEENSU CA (Chris Wolfe)
Date: Wed, 21 Jun 2000 11:52:22 -0400


Product:      NetWin dMailWeb
Type:         Denial of Service
Severity:     Moderate

Versions:     <= 2.6j: potential buffer overflow in pophost (not fixed)
              <= 2.6i: pophost DOS (fixed by 2.6j)
              <= 2.6g: username DOS (fixed by 2.6i)

Note: NetWin cwMail is also vulnerable to the same attacks,
      and appears to be using exactly the same version numbers.

--- Overview

dMailWeb is a CGI application used to provide web-based e-mail in
collaboration with a standard POP server. Authentication is performed by
attempting to log into the requested POP server with the supplied username
and password. An optional feature allows connection to a POP server other
than the default (or to one of a limited list of POP servers) - this server
can be specified on the login page in the pophost field.

Sending long values as the username (>= 240 chars, 239 works normally) will
cause the script to freeze (just over a minute on the machines tested). The
pophost field has a similar problem, though it requires more characters to
trigger (tested 512).

An extremely long pophost (tested 1024) causes the script to freeze and
then crash. I am not equipped to test for buffer overflow conditions, but
suspect one is the cause of the crash. (2.6j removed the delay but still
crashes).

The DOS was tested using a Perl script from a Linux P200. After
approximately 70 requests in 45 seconds the target machine's networking
services were completely unavailable. The script is trivial enough that I
am not going to tidy it up to publish here.

--- Tested target

Linux 2.2.14 (Slackware 7), Pentium 200, 96 MB RAM
Apache 1.3.12, dMail 2.7r (trial).
dMailWeb 2.5e, 2.6g, 2.6i, 2.6j (all trial versions)

NetWin dMailWeb Demo server.

--- Exploit

The freezes were tested using simple JavaScript URLs to enter long values
in the fields. After running one of the URLs, simply enter garbage in the
remainder of the fields and press login.

- username (>= 240 A's, all one line)

javascript:document.loginform.user.value="AA...AA";
alert(document.loginform.user.value);

- pophost (tested 512 A's, all one line)

javascript:document.loginform.pophost.value="AA...AA";
alert(document.loginform.pophost.value);

--- Workaround

Use the force_primary ini directive to prevent the pophost field from being
processed. Ensure your script user has processor limits set to prevent the
entire server from being disabled.
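The two failure modes above (a username of 240 or more characters, an
oversized pophost) and the force_primary workaround both come down to
bounding and validating the login form before anything reaches the POP
client. The following is an added illustration of that check, written for
this page and not code from dMailWeb or NetWin. The length caps, the
hostname grammar, the field names "user" and "pophost", and the sample
inputs in demo() are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Limits chosen for this example (assumptions, not dMailWeb's own values).
# The advisory reports that a 239-character username is handled normally
# and 240 or more hangs the script, so the cap sits well below that. A
# hostname can never legitimately exceed 253 characters (the DNS limit).
MAX_USER_LEN = 128
MAX_HOST_LEN = 253

# One DNS label: 1-63 alphanumerics or hyphens, not starting/ending with '-'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


@dataclass(frozen=True)
class LoginTarget:
    user: str
    pophost: str


def validate_login(form: Mapping[str, str], *, primary_host: str,
                   force_primary: bool = True,
                   allowed_hosts: Optional[frozenset] = None) -> LoginTarget:
    """Bound and sanitize the login form before the POP connection is made.

    Raises ValueError with a short reason on any rejection; the caller
    should turn that into an error page, never pass the raw field along.
    """
    user = form.get("user", "")
    if not user or len(user) > MAX_USER_LEN:
        raise ValueError("username missing or too long")
    if any(c in user for c in "\r\n\0"):
        raise ValueError("username contains control characters")

    if force_primary:
        # Equivalent of the advisory's force_primary workaround: the
        # submitted pophost is ignored entirely rather than merely checked.
        return LoginTarget(user, primary_host)

    host = form.get("pophost", "") or primary_host
    if len(host) > MAX_HOST_LEN or not _HOSTNAME_RE.match(host):
        raise ValueError("pophost is not a well-formed hostname")
    host = host.lower()
    if allowed_hosts is not None:
        if host not in {h.lower() for h in allowed_hosts}:
            raise ValueError("pophost not in the permitted list")
    return LoginTarget(user, host)


def demo() -> dict:
    """Run constructed sample submissions and report accept/reject per case."""
    cases = {
        "normal": {"user": "alice", "pophost": "pop.example.com"},
        "long_user": {"user": "A" * 240, "pophost": "pop.example.com"},
        "long_host": {"user": "alice", "pophost": "A" * 512},
        "huge_host": {"user": "alice", "pophost": "A" * 1024},
        "other_host": {"user": "alice", "pophost": "mail2.example.com"},
    }
    results = {}
    for name, form in cases.items():
        try:
            target = validate_login(form, primary_host="pop.example.com",
                                    force_primary=False,
                                    allowed_hosts=frozenset({"pop.example.com"}))
            results[name] = f"accepted -> {target.pophost}"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

With force_primary left at its default of True the pophost field never
influences which server is contacted, which is the same effect the
advisory's ini directive has. The length caps are a second, independent
guard so that a release which processes pophost again does not reintroduce
the hang. Neither replaces the per-process resource limits the workaround
also calls for; with Apache 1.3 those are the RLimitCPU, RLimitMEM and
RLimitNPROC directives applied to CGI children.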

See: http://www.netwinsite.com/dmailweb/dmailweb.htm

--- Solution

New versions of dMailWeb (and cwMail) can be downloaded from:

ftp://ftp.netwinsite.com/dmailweb/

As of Jun 21 the partially fixed versions are still in Beta testing. They
can be downloaded from:

ftp://ftp.netwinsite.com/dmailweb/beta/

--- History

A notification was sent to NetWin Jun 5, 2000 regarding the username DOS.

An update was sent to NetWin Jun 6, 2000 adding the pophost DOS and
potential overflow.

---

Copyright 2000, Christopher Wolfe.

Permission is granted to reproduce this advisory in a complete and
unmodified form. This advisory is provided with no warranties of any kind,
express or implied. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory or the information contained therein.

Queen's University is in no way related to this message, the information
contained therein, or the actions taken in its gathering - it is simply
the e-mail address with which I am subscribed to BugTraq.
