tpop3d-devel

[Tpop3d-devel] Potential Bug/Security issue in tpop3d-1.5.4


From: Eric Noack
Subject: [Tpop3d-devel] Potential Bug/Security issue in tpop3d-1.5.4
Date: Thu, 3 Jul 2008 17:58:47 +1000

Hi folks.

I have been running into segfaults with tpop3d after massive brute force password guessing attacks on a production system,
resulting in a denial of service scenario.

The version running was tpop3d-1.5.4, compiled and installed via the gentoo portage system on a 64bit linux server (compiled with gcc -march=athlon64) - running with tls/ssl enabled and mysql based mail authentication.

The system had been running stable for over 3 years (with different versions of tpop3d), but now I got 3 segfaults within 2 days, all of them following massive brute force password guessing attempts.

example...

Jun 28 14:21:26 myhost tpop3d[17690]: connections_post_select: client [17][IP_of_attacker]/myhost.com: disconnected; 33/113 bytes read/written
Jun 28 14:21:27 myhost tpop3d[17690]: ioabs_tcp_post_select: client [16][IP_of_attacker]/myhost.com: connection closed by peer
Jun 28 14:21:27 myhost tpop3d[17690]: connections_post_select: client [16][IP_of_attacker]/myhost.com: disconnected; 34/113 bytes read/written
Jun 28 14:21:27 myhost tpop3d[17690]: listeners_post_select: client [16][IP_of_attacker]/myhost.com: connected to local address [MYIIP]:110
Jun 28 14:21:27 myhost tpop3d[17690]: connections_post_select: client [11][IP_of_attacker]/myhost.com: disconnected; 33/124 bytes read/written
Jun 28 14:21:27 myhost tpop3d[17690]: connection_do: client `[21] [IP_of_attacker]/myhost.com': username `hector': 1 authentication failures
Jun 28 14:21:27 myhost tpop3d[17690]: listeners_post_select: client [11][IP_of_attacker]/myhost.com: connected to local address [MYIIP]:110
Jun 28 14:21:27 myhost tpop3d[17690]: listeners_post_select: client [17][IP_of_attacker]/myhost.com: connected to local address [MYIIP]:110
Jun 28 14:21:28 myhost tpop3d[17690]: connection_do: client `[16] [IP_of_attacker]/myhost.com': username `home': 1 authentication failures
Jun 28 14:21:28 myhost tpop3d[17690]: connections_post_select: client [15][IP_of_attacker]/myhost.com: disconnected; 32/124 bytes read/written
Jun 28 14:21:28 myhost tpop3d[17690]: quit: signal 11 post_fork = 0


Now unfortunately, because the system in question is a production machine, I didn't have the chance to do debugging / produce any backtraces. (I was already getting angry mails I couldn't receive - and phone calls from users.)

As a quick fix solution I switched the pop3 daemon to dovecot instead. (*ducks in shame*)

Nevertheless I thought I should let someone know.

Best case:
This was caused by a fluke with this specific architecture and my specific library constellation, and everything in tpop3d itself is fine.
Worst case:
There is a remote code execution exploit being used in the wild that in my case 'only' caused a 'segfault' because it depended on a 32bit vector whilst attacking a 64bit version.

Either way - a segfault as a result of malicious activity looks suspicious and should be investigated by someone who has the expertise and time.

regards

Eric

aka

Corvus Corax

PS: If you need specific additional information to reproduce the problem, let me know what you need.
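The log excerpt in the report is enough to build a small correlation check: count authentication failures per client host and tie a `quit: signal 11` exit to the guessing burst that preceded it. The script below is an added example for readers of this thread, not code from the reporter or from tpop3d; the sample lines are copied from the report above with the reporter's own redactions kept, and the regexes assume the tpop3d syslog layout shown there.

```python
import re
from collections import defaultdict

# Sample lines copied from the report above, with the reporter's own
# redactions ([IP_of_attacker]) kept; embedded so the script runs offline.
SAMPLE_LOG = """\
Jun 28 14:21:27 myhost tpop3d[17690]: connection_do: client `[21] [IP_of_attacker]/myhost.com': username `hector': 1 authentication failures
Jun 28 14:21:28 myhost tpop3d[17690]: connection_do: client `[16] [IP_of_attacker]/myhost.com': username `home': 1 authentication failures
Jun 28 14:21:28 myhost tpop3d[17690]: connections_post_select: client [15][IP_of_attacker]/myhost.com: disconnected; 32/124 bytes read/written
Jun 28 14:21:28 myhost tpop3d[17690]: quit: signal 11 post_fork = 0
"""

# syslog timestamp as it appears in the report ("Jun 28 14:21:27")
TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)"
AUTH_FAIL = re.compile(
    TS + r" \S+ tpop3d\[\d+\]: connection_do: client `\[\d+\] (?P<host>[^']+)': "
    r"username `(?P<user>[^']*)': (?P<n>\d+) authentication failures$")
CRASH = re.compile(TS + r" \S+ tpop3d\[\d+\]: quit: signal (?P<sig>\d+)")

def analyse(log_text, threshold=2):
    """Return (suspects, crashes).

    suspects: host -> {"failures": total, "users": set of names tried},
              only for hosts whose total reaches `threshold`.
    crashes:  list of (timestamp, signal, failures seen so far), so a
              signal-11 exit can be tied to the guessing burst before it.
    """
    per_host = defaultdict(lambda: {"failures": 0, "users": set()})
    crashes = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            entry = per_host[m.group("host")]
            entry["failures"] += int(m.group("n"))
            entry["users"].add(m.group("user"))
            continue
        m = CRASH.match(line)
        if m:
            seen = sum(e["failures"] for e in per_host.values())
            crashes.append((m.group("ts"), int(m.group("sig")), seen))
    suspects = {h: e for h, e in per_host.items() if e["failures"] >= threshold}
    return suspects, crashes

if __name__ == "__main__":
    suspects, crashes = analyse(SAMPLE_LOG)
    for host, e in suspects.items():
        print(f"{host}: {e['failures']} failures, users {sorted(e['users'])}")
    for ts, sig, seen in crashes:
        print(f"{ts}: tpop3d exited on signal {sig} after {seen} failures")
```

Run it against a full syslog extract rather than the four sample lines to see whether every crash sits right after a burst from one host, which is the pattern the report describes.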
