Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201509270953.59256@pali>
Date: Sun, 27 Sep 2015 09:53:59 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Subject: DoS attack through Email-Address perl module v1.907 (CVE id request)

Hello!

I discovered possible DoS attack in any software which uses 
Email::Address perl module for parsing string input to list of email 
addresses.

By default Email::Address module, version v1.907 (and all before) try to 
understand nestable comments in input string with deep level 2.

Parsing nestable comments is for specially prepared inputs too slow and 
can cause high CPU load, freezing application and Denial of Service.

Because input string for Email::Address module comes from external 
source (e.g. from email sent by attacker) it is security problem all 
software application which parse email messages by Email::Address perl 
module. For example: RT: Request Tracker, CiderWebmail, ...

In new version v1.908 of Email::Address module, released at Sep 19 was 
set default value of nestable comments to deep level 1. This is not 
proper fix, just workaround for pathological inputs with nestable 
comments. Probably nobody has normal usage for inserting nested comments 
into email address in To:/Cc: headers...

https://metacpan.org/release/RJBS/Email-Address-1.908

https://github.com/rjbs/Email-Address/commit/3056b7d

Can you assign CVE id for this problem?

In attachment I'm sending example perl script which uses Email::Address 
module for parsing From header and example input.

On my machine that script runs 5 seconds and it parse just four 
addresses. Imagine that attacker send email with Cc: header with 10 
times more addresses and Email::Address module effectively DoS server 
where is that parser running...

-- 
Pali Rohár
pali.rohar@...il.com

View attachment "address-line" of type "text/plain" (324 bytes)

Download attachment "address-line-test.pl" of type "application/x-perl" (139 bytes)

Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.