COMMAND

    Imail

SYSTEMS AFFECTED

    Ipswitch Imail 6.00 2-1

PROBLEM

    The following is a simple DoS found by eEye Digital Security while
    working on Retina's CHAM (Common Hacking Attack Methods) HTTP
    auditing module.  There exists a remote Denial of Service in
    Ipswitch's Imail web services in IMail 6.0.  The problem arises
    from incorrect handling of the HTTP 1.1 Host header portion of
    requests.  By using a long Host: header, you can cause a single
    thread to crash.  When this thread crashes, it does not free its
    resources, allowing an attacker to repeat this process to use
    massive amounts of memory on the server.

    The problem is in the Host: processing.  Sending anywhere over 500
    bytes will cause the thread to overwrite its base pointer,
    killing operations on that thread.  Resources are not freed for
    the thread, however, so this can cause the attacked server to use
    massive amounts of memory.  After a while, this program will cause
    serious problems for the server.  Some of the problems we have
    experienced are: systems stopped responding to mouse clicks,
    systems completely freezing, etc.

    The attack:

        GET / HTTP/1.1
        Host: AAAAAAAA(x500)

    eEye created a sample attack program that can quickly cause
    massive amounts of memory to be used by the attacked server.  The
    crashimail.exe example should be called as follows:

        crashimail hostname port numthreads

        - the hostname is the host you wish to attack
        - the port is the port of Imail's Web service; Imail
          defaults to 8181 or 8383
        - numthreads is the number of concurrent threads to
          attack with

    You can download this sample program and source from:

        http://www.eeye.com/html/advisories/threadcrashimail.zip

SOLUTION

    A fix for this can be found at:

        http://www.ipswitch.com/support/patches-upgrades.html#IMail
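
    A defensive check for the request pattern described under PROBLEM,
    usable in a front-end filter or over captured requests.  This is an
    added example, not code from eEye or Ipswitch; the 500-byte limit is
    the advisory's figure, and the function names and sample requests
    are constructed for illustration.

```python
# Added example (not eEye's or Ipswitch's code): flag raw HTTP requests whose
# Host header value exceeds the size the advisory reports as crashing a thread.
HOST_LIMIT = 500  # bytes; figure taken from the advisory text


def host_value_lengths(raw_request: bytes) -> list:
    """Return the byte length of each Host header value in one raw request."""
    # Accept both CRLF and bare-LF line endings, then keep only the header part.
    head = raw_request.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    headers = []  # [name, value] pairs with folded lines joined
    for line in head.split(b"\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += line.strip()  # continuation of previous header
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append([name.strip().lower(), value.strip()])
    return [len(value) for name, value in headers if name == b"host"]


def classify(raw_request: bytes) -> str:
    """Return 'reject', 'suspicious' or 'ok' for one raw HTTP request."""
    lengths = host_value_lengths(raw_request)
    if any(n > HOST_LIMIT for n in lengths):
        return "reject"  # oversized Host value, the pattern in the advisory
    request_line = raw_request.split(b"\n", 1)[0]
    if len(lengths) > 1 or (not lengths and b" HTTP/1.1" in request_line):
        return "suspicious"  # duplicate or missing Host on an HTTP/1.1 request
    return "ok"


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "normal": b"GET / HTTP/1.1\r\nHost: mail.example.com:8383\r\n\r\n",
    "oversized": b"GET / HTTP/1.1\r\nHost: " + b"A" * 501 + b"\r\n\r\n",
    "folded": b"GET / HTTP/1.1\nHost: " + b"A" * 300 + b"\n " + b"A" * 300 + b"\n\n",
    "no_host": b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, classify(request), host_value_lengths(request))
```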