Date: Sun, 27 Sep 2015 09:53:59 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Subject: DoS attack through Email-Address perl module v1.907 (CVE id request)

Hello!

I discovered a possible DoS attack in any software which uses the 
Email::Address perl module for parsing string input into a list of email 
addresses.

By default the Email::Address module, version v1.907 (and all before), tries to 
understand nestable comments in the input string with a nesting depth of 2.

Parsing nestable comments is too slow for specially prepared inputs and 
can cause high CPU load, freezing the application, and denial of service.

Because the input string for the Email::Address module comes from an external 
source (e.g. from an email sent by an attacker), it is a security problem for all 
software applications which parse email messages with the Email::Address perl 
module. For example: RT: Request Tracker, CiderWebmail, ...

In the new version v1.908 of the Email::Address module, released on Sep 19, the 
default value of nestable comments was set to a nesting depth of 1. This is not a 
proper fix, just a workaround for pathological inputs with nestable 
comments. Probably nobody has a normal use for inserting nested comments 
into email addresses in To:/Cc: headers...

https://metacpan.org/release/RJBS/Email-Address-1.908

https://github.com/rjbs/Email-Address/commit/3056b7d

Can you assign CVE id for this problem?

In the attachment I'm sending an example perl script which uses the Email::Address 
module for parsing the From header, and an example input.

On my machine that script runs for 5 seconds and parses just four 
addresses. Imagine that an attacker sends an email with a Cc: header with 10 
times more addresses; the Email::Address module would effectively DoS the server 
where that parser is running...

-- 
Pali Rohár
pali.rohar@...il.com

\(¯¯`·.¥«P®ÎÑç€ØfTh€ÐÅ®K»¥.·`¯¯\) <email@...mple.com>, "(> \" \" <)                              ( ='o'= )                              (\")___(\")  sWeEtAnGeLtHePrInCeSsOfThEsKy" <email2@...mple.com>, "(i)cRiStIaN(i)" <email3@...mple.com>, "(S)MaNu_vuOLeAmMazZaReNimOe(*)MiAo(@)" <email4@...mple.com>

[ CONTENT OF TYPE application/x-perl SKIPPED ]

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
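The report above argues that the v1.908 change (nesting depth 2 to 1) only narrows the pathological case. An application that has to keep an older Email::Address can still protect itself by measuring the nesting depth of RFC 5322 comments in an address header before handing it to the parser. The following Perl is an added example written for this page; it is not code from the report, its attached script, or the Email::Address distribution. The function names `max_comment_depth` and `header_is_acceptable`, the constants `MAX_DEPTH` and `MAX_LEN`, and the sample headers are all assumptions constructed here; `MAX_DEPTH => 1` mirrors the v1.908 default mentioned in the report, and `MAX_LEN` is an arbitrary illustrative limit.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Limits used by the gate below (constructed values for this example):
# MAX_DEPTH => 1 matches the Email::Address v1.908 default nesting depth;
# MAX_LEN is an arbitrary cap on the header length we are willing to parse.
use constant { MAX_DEPTH => 1, MAX_LEN => 8192 };

# Hypothetical pre-filter: walk an address header once, honouring quoted
# strings ("...") and backslash escapes, and return the deepest nesting
# of RFC 5322 comments "( ... )" seen outside quoted strings. This is a
# linear scan, so it is cheap even on inputs that are slow for the parser.
sub max_comment_depth {
    my ($header) = @_;
    my ($depth, $max, $in_quote) = (0, 0, 0);
    my @chars = split //, $header;
    for (my $i = 0; $i < @chars; $i++) {
        my $c = $chars[$i];
        if ($c eq '\\') { $i++; next; }          # quoted-pair: skip the escaped char
        if ($in_quote) {                          # parentheses are literal in a quoted string
            $in_quote = 0 if $c eq '"';
            next;
        }
        if ($c eq '"') { $in_quote = 1; next; }
        if ($c eq '(') {
            $depth++;
            $max = $depth if $depth > $max;
        }
        elsif ($c eq ')') {
            $depth-- if $depth > 0;               # ignore stray closing parens
        }
    }
    return $max;
}

# Gate: 1 when the header is within the limits and may be passed on to
# Email::Address->parse, 0 when it should be rejected or logged instead.
sub header_is_acceptable {
    my ($header) = @_;
    return 0 if length($header) > MAX_LEN;
    return 0 if max_comment_depth($header) > MAX_DEPTH;
    return 1;
}

# Constructed sample headers (not the input attached to the report).
my %samples = (
    plain   => 'Alice <alice@example.com>, "Bob (Sales)" <bob@example.com>',
    comment => 'carol@example.com (Carol)',
    nested  => 'dave@example.com (outer (inner (deeper)))',
);
for my $name (sort keys %samples) {
    printf "%-8s depth=%d acceptable=%d\n",
        $name, max_comment_depth($samples{$name}),
        header_is_acceptable($samples{$name});
}

# In an application the call site would look like:
#   my @addrs = header_is_acceptable($header) ? Email::Address->parse($header) : ();
```

The "plain" sample stays at depth 0 because its parentheses sit inside a quoted display name, "comment" reaches depth 1 and is still accepted, and "nested" reaches depth 3 and is rejected. The scan is a heuristic gate rather than a replacement for the parser: it errs on the side of refusing headers that a compliant parser might accept, which for To:/Cc: handling in a server-side tool is the safer failure mode.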
