[Tpop3d-devel] Potential Bug/Security issue in tpop3d-1.5.4
From: Eric Noack
Subject: [Tpop3d-devel] Potential Bug/Security issue in tpop3d-1.5.4
Date: Thu, 3 Jul 2008 17:58:47 +1000
Hi folks.
I have been running into segfaults with tpop3d after massive brute force password guessing attacks on a production system, resulting in a denial of service scenario.
The version running was tpop3d-1.5.4, compiled and installed via the gentoo portage system on a 64bit linux server (compiled with gcc -march=athlon64), running with tls/ssl enabled and mysql based mail authentication.
The system had been running stable for over 3 years (with different versions of tpop3d), but now I got 3 segfaults within 2 days, all of them following massive brute force password guessing attempts.
example...
Jun 28 14:21:26 myhost tpop3d[17690]: connections_post_select: client
[17][IP_of_attacker]/myhost.com: disconnected; 33/113 bytes read/written
Jun 28 14:21:27 myhost tpop3d[17690]: ioabs_tcp_post_select: client
[16][IP_of_attacker]/myhost.com: connection closed by peer
Jun 28 14:21:27 myhost tpop3d[17690]: connections_post_select: client
[16][IP_of_attacker]/myhost.com: disconnected; 34/113 bytes read/written
Jun 28 14:21:27 myhost tpop3d[17690]: listeners_post_select: client
[16][IP_of_attacker]/myhost.com: connected to local address [MYIIP]:110
Jun 28 14:21:27 myhost tpop3d[17690]: connections_post_select: client
[11][IP_of_attacker]/myhost.com: disconnected; 33/124 bytes read/written
Jun 28 14:21:27 myhost tpop3d[17690]: connection_do: client `[21]
[IP_of_attacker]/myhost.com': username `hector': 1 authentication
failures
Jun 28 14:21:27 myhost tpop3d[17690]: listeners_post_select: client
[11][IP_of_attacker]/myhost.com: connected to local address [MYIIP]:110
Jun 28 14:21:27 myhost tpop3d[17690]: listeners_post_select: client
[17][IP_of_attacker]/myhost.com: connected to local address [MYIIP]:110
Jun 28 14:21:28 myhost tpop3d[17690]: connection_do: client `[16]
[IP_of_attacker]/myhost.com': username `home': 1 authentication failures
Jun 28 14:21:28 myhost tpop3d[17690]: connections_post_select: client
[15][IP_of_attacker]/myhost.com: disconnected; 32/124 bytes read/written
Jun 28 14:21:28 myhost tpop3d[17690]: quit: signal 11 post_fork = 0
Now unfortunately because the system in question is a production
machine I didn't have the chance to do debugging / produce any
backtraces.
(I was getting angry mails I couldn't receive - and phonecalls of
users - already)
As a quick fix solution I switched the pop3 daemon to dovecot instead.
(*ducks in shame*)
Nevertheless I thought I should let someone know
Best case:
This was caused by a fluke with this specific architecture and my specific library constellation, and everything in tpop3d itself is fine.
Worst case:
There is a remote code execution exploit being used in the wild that in my case 'only' caused a 'segfault', because it depended on a 32bit vector whilst attacking a 64bit version.
Either way - a segfault as a result of malicious activity looks suspicious and should be investigated by someone who has the expertise and time.
regards
Eric
aka
Corvus Corax
PS: If you need specific additional information to reproduce the
problem, let me know what you need.
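The log excerpt above shows the pattern an operator would want to catch automatically: a burst of `connection_do ... authentication failures` lines from one client address, followed by `quit: signal 11`. The following is an added example, not code from the original message or from the tpop3d project. It parses syslog lines in the format quoted above and raises an alert when one IP exceeds a failure threshold inside a sliding window, and a second alert when a crash line follows such a burst. The sample log, the IP addresses, usernames and the year 2008 (syslog lines carry no year) are constructed placeholders; the threshold and window values are assumptions to tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on the tpop3d syslog lines quoted in the report.
# Addresses (RFC 5737 documentation ranges) and usernames are placeholders.
SAMPLE_LOG = """\
Jun 28 14:19:00 myhost tpop3d[17690]: connection_do: client `[9][203.0.113.7]/mail.example': username `alice': 1 authentication failures
Jun 28 14:21:20 myhost tpop3d[17690]: listeners_post_select: client [11][192.0.2.10]/mail.example: connected to local address [198.51.100.5]:110
Jun 28 14:21:21 myhost tpop3d[17690]: connection_do: client `[11][192.0.2.10]/mail.example': username `hector': 1 authentication failures
Jun 28 14:21:22 myhost tpop3d[17690]: connection_do: client `[12][192.0.2.10]/mail.example': username `home': 1 authentication failures
Jun 28 14:21:23 myhost tpop3d[17690]: connection_do: client `[13][192.0.2.10]/mail.example': username `hope': 1 authentication failures
Jun 28 14:21:24 myhost tpop3d[17690]: connections_post_select: client [11][192.0.2.10]/mail.example: disconnected; 33/124 bytes read/written
Jun 28 14:21:25 myhost tpop3d[17690]: connection_do: client `[14][192.0.2.10]/mail.example': username `howard': 1 authentication failures
Jun 28 14:21:26 myhost tpop3d[17690]: connection_do: client `[15][192.0.2.10]/mail.example': username `hubert': 1 authentication failures
Jun 28 14:21:27 myhost tpop3d[17690]: connection_do: client `[16][192.0.2.10]/mail.example': username `hugo': 1 authentication failures
Jun 28 14:21:28 myhost tpop3d[17690]: quit: signal 11 post_fork = 0
"""

# Syslog prefix: "Mon DD HH:MM:SS host tpop3d[pid]: message"
PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) tpop3d\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
# "connection_do: client `[id][ip]/rdns': username `user': N authentication failures"
AUTH_FAIL = re.compile(
    r"connection_do: client `\[(?P<cid>\d+)\]\[(?P<ip>[^\]]+)\]/(?P<rdns>[^']*)': "
    r"username `(?P<user>[^']*)': (?P<n>\d+) authentication failures?"
)
# "quit: signal 11 post_fork = 0" is the crash marker from the report.
CRASH = re.compile(r"quit: signal (?P<sig>\d+) post_fork = (?P<pf>\d+)")


def parse_line(line, year=2008):
    """Return an event dict for one tpop3d syslog line, or None if it is not one.

    Syslog timestamps have no year; `year` is an assumption supplied by the caller.
    """
    m = PREFIX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    rest = m["rest"]
    ev = {"ts": ts, "pid": int(m["pid"]), "kind": "other", "raw": rest}
    a = AUTH_FAIL.match(rest)
    if a:
        ev.update(kind="auth_failure", ip=a["ip"], user=a["user"], failures=int(a["n"]))
        return ev
    c = CRASH.match(rest)
    if c:
        ev.update(kind="crash", signal=int(c["sig"]), post_fork=int(c["pf"]))
    return ev


def analyse(text, threshold=5, window_s=60):
    """Sliding-window brute-force detection plus crash correlation.

    Emits one 'bruteforce' alert per IP that reaches `threshold` failures within
    `window_s` seconds, and a 'crash_after_bruteforce' alert when a signal line
    arrives while some IP has failed inside the window (plain 'crash' otherwise).
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ev in events:
        if ev["kind"] == "auth_failure":
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "bruteforce", "ip": ev["ip"],
                               "failures": len(q), "at": ev["ts"]})
        elif ev["kind"] == "crash":
            suspects = sorted(ip for ip, q in recent.items()
                              if q and (ev["ts"] - q[-1]).total_seconds() <= window_s)
            alerts.append({"type": "crash_after_bruteforce" if suspects else "crash",
                           "signal": ev["signal"], "ips": suspects, "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The crash correlation only names IPs whose most recent failure lies inside the window, so the earlier, isolated failure from the second address is not blamed for the segfault. In production the same logic would run over the real syslog stream rather than the embedded sample.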