[Dovecot] Possible CPU Denial-Of-Service attack on dovecot IMAP.

Kostik koc at fax.ru
Sat Feb 27 11:33:09 EET 2010


Hi All!

Some time ago we received an e-mail message which causes a CPU
exhaustion attack on our server.
---
PID   USER      PR  NI  VIRT  RES  SHR S %CPU %MEM  TIME+    COMMAND
26319 5751796   20   0  2868 1868 1484 R 99.2  0.1  22:04.77 imap
---
It happens when I try to open the mail folder containing this buggy message.

Our setup:
-- slackware 11.0, x86_32
-- linux 2.6.31.6
-- dovecot 1.2.10
-- mailbox (not maildir) via NFS storage.

Details:
1. The buggy message is 1219733 bytes in size, and most of that is the mail header.

2. The mail header mostly consists of a repeating block:
---
[...]

MIME-Version: 1.0
Content-type: text/plain; charset=windows-1251
Content-transfer-encoding: 8bit
Date:   Thu, 25 Feb 2010 11:13:03 +0300
X-Priority: 0
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Sender: torrents at rutracker.org
Reply-to: torrents at rutracker.org
From:   torrents at rutracker.org
Message-ID: <4052c9f301d0956f3fa1e855cca02d39 at rutracker.org>

[...]

MIME-Version: 1.0
Content-type: text/plain; charset=windows-1251
Content-transfer-encoding: 8bit
Date:   Thu, 25 Feb 2010 11:13:02 +0300
X-Priority: 0
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Sender: torrents at rutracker.org
Reply-to: torrents at rutracker.org
From:   torrents at rutracker.org
Message-ID: <6162ed30245a86b8cb26e4a0bf4de562 at rutracker.org>

[...]
---

3. strace shows that dovecot does this many, many times:
---
pread64(6, "-Sender: torrents at rutracker.org\n"..., 4038, 814845) = 4038
pread64(6, "s at rutracker.org\nMessage-ID: <461"..., 4083, 818883) = 4083
pread64(6, "arset=windows-1251\nContent-trans"..., 4068, 822966) = 4068
pread64(6, "ail-Priority: Normal\nX-Mailer: M"..., 4091, 827034) = 4091
---

4. And gdb at that time:
---
(gdb) where
#0  0xb7604060 in memset () from /lib/tls/libc.so.6
#1  0x080d7483 in buffer_write (_buf=0x8131db0, pos=135470571, data=0x8132d52, data_size=2) at buffer.c:54
#2  0x080d74fb in buffer_append (buf=0x0, data=0x8132d52, data_size=2) at buffer.c:168
#3  0x080cebfe in read_header (mstream=0x8131be8) at istream-header-filter.c:214
#4  0x080cef07 in i_stream_header_filter_read (stream=0x8131be8) at istream-header-filter.c:301
#5  0x080cef79 in parse_header (mstream=0x8131be8) at istream-header-filter.c:323
#6  0x080cefce in i_stream_header_filter_seek (stream=0x8131be8, v_offset=128810, mark=false) at istream-header-filter.c:337
#7  0x080ddfdb in i_stream_seek (stream=0x8131c10, v_offset=128810) at istream.c:198
#8  0x0809c99c in i_stream_mail_stats_read_mail_stats (stream=0x812c460) at istream-mail-stats.c:43
#9  0x080ddbfc in i_stream_read (stream=0x812c488) at istream.c:85
#10 0x080de389 in i_stream_read_data (stream=0x812c488, data_r=0xbf9d82e4, size_r=0xbf9d82e8, threshold=2) at istream.c:366
#11 0x080d400b in message_get_header_size (input=0x812c488, hdr=0x81298fc, has_nuls=0x0) at message-size.c:56
#12 0x0808f976 in index_mail_init_stream (mail=0x81297d0, hdr_size=0xbf9d83b0, body_size=0xbf9d8390, stream_r=0x0) at index-mail.c:852
#13 0x080838a1 in mbox_mail_get_stream (_mail=0x81297d0, hdr_size=0xbf9d83b0, body_size=0xbf9d8390, stream_r=0xbf9d838c) at mbox-mail.c:322
#14 0x0808e9ac in index_mail_get_virtual_size (_mail=0x81297d0, size_r=0xbf9d8400) at index-mail.c:397
#15 0x080685a3 in fetch_rfc822_size (ctx=0x0, mail=0x81297d0, context=0x0) at imap-fetch-body.c:894
#16 0x0806607c in imap_fetch_more (ctx=0x811e030) at imap-fetch.c:472
#17 0x0805e370 in cmd_fetch (cmd=0x811dec8) at cmd-fetch.c:228
#18 0x0806292b in cmd_uid (cmd=0x811dec8) at cmd-uid.c:27
#19 0x08063726 in client_command_input (cmd=0x811dec8) at client.c:612
#20 0x080636d1 in client_command_input (cmd=0x811dec8) at client.c:661
#21 0x080638b3 in client_handle_input (client=0x811cc08) at client.c:701
#22 0x080642d6 in client_input (client=0x811cc08) at client.c:753
#23 0x080e1bf1 in io_loop_handler_run (ioloop=0x0) at ioloop-epoll.c:208
#24 0x080e0f79 in io_loop_run (ioloop=0x8119ab0) at ioloop.c:335
#25 0x0806c21a in main (argc=3, argv=0xbf9d86b4, envp=0xbf9d86c4) at main.c:327
---

5. I can provide a download link to this buggy mailbox file if needed.


=koc
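A check a mail administrator might run over a suspect mbox, added here as an example that is not part of the original report and not dovecot code: it splits an mbox on "From " separator lines, measures each message's header block, counts how often each header field name repeats, and flags messages whose header is oversized or built from repeated field blocks, the shape described in the report. The size and repeat thresholds, the example.org addresses and the synthetic sample mbox are constructed for illustration and are not taken from the original message.

```python
"""Scan an mbox for messages with oversized or highly repetitive headers.

Added example, not dovecot code. Thresholds below are assumed policy values,
not dovecot settings; the sample data is constructed, not the original message.
"""
import re
from collections import Counter
from typing import Dict, List

HEADER_SIZE_LIMIT = 64 * 1024  # bytes; assumed threshold for "oversized header"
REPEAT_LIMIT = 50              # same field name more than this often is suspect

# RFC 5322 field-name: printable US-ASCII except ':' (0x21-0x39, 0x3B-0x7E)
_FIELD = re.compile(rb"^([!-9;-~]+):")
# mbox message separator: a line starting with "From " (not the "From:" header)
_SEPARATOR = re.compile(rb"(?m)^From .*\r?\n")


def split_mbox(data: bytes) -> List[bytes]:
    """Return the messages of an mbox, each without its 'From ' separator."""
    messages, start = [], None
    for sep in _SEPARATOR.finditer(data):
        if start is not None:
            messages.append(data[start:sep.start()])
        start = sep.end()
    if start is not None:
        messages.append(data[start:])
    return messages


def header_stats(message: bytes) -> Dict[str, object]:
    """Measure the header block (everything up to and including the first
    empty line) of one RFC 5322 message and count repeated field names."""
    blank = re.search(rb"\r?\n\r?\n", message)
    header = message if blank is None else message[: blank.end()]
    counts: Counter = Counter()
    for line in header.splitlines():
        if not line or line[:1] in (b" ", b"\t"):
            continue  # empty line or folded continuation of the previous field
        m = _FIELD.match(line)
        if m:
            counts[m.group(1).lower()] += 1
    top_name, top_count = counts.most_common(1)[0] if counts else (b"", 0)
    total = len(message)
    return {
        "header_bytes": len(header),
        "total_bytes": total,
        "header_ratio": len(header) / total if total else 0.0,
        "fields": sum(counts.values()),
        "top_field": top_name.decode("ascii", "replace"),
        "top_field_count": top_count,
        "suspicious": len(header) > HEADER_SIZE_LIMIT or top_count > REPEAT_LIMIT,
    }


def scan_mbox(data: bytes) -> List[Dict[str, object]]:
    """Header stats for every message in an mbox, numbered from 1."""
    results = []
    for idx, msg in enumerate(split_mbox(data), start=1):
        st = header_stats(msg)
        st["index"] = idx
        results.append(st)
    return results


# Constructed test data modelled on the repeated block in the report above;
# the addresses are placeholders, not the originals.
BLOCK = (
    b"MIME-Version: 1.0\n"
    b"Content-type: text/plain; charset=windows-1251\n"
    b"Content-transfer-encoding: 8bit\n"
    b"Date: Thu, 25 Feb 2010 11:13:%02d +0300\n"
    b"X-Priority: 0\n"
    b"X-Mailer: Microsoft Office Outlook, Build 11.0.5510\n"
    b"From: sender@example.org\n"
    b"Message-ID: <%08x@example.org>\n"
)


def build_sample_mbox(repeats: int) -> bytes:
    """One ordinary message followed by one whose header is BLOCK x repeats."""
    normal = (b"From sender@example.org Thu Feb 25 08:13:00 2010\n"
              b"From: sender@example.org\nTo: user@example.org\n"
              b"Subject: hello\nMessage-ID: <normal@example.org>\n\nbody\n")
    header = b"".join(BLOCK % (i % 60, i) for i in range(repeats))
    bloated = (b"From sender@example.org Thu Feb 25 08:13:03 2010\n"
               + header + b"\nbody\n")
    return normal + bloated


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbox(200)
    for st in scan_mbox(data):
        flag = "SUSPECT" if st["suspicious"] else "ok"
        print(f"#{st['index']}: {flag} header={st['header_bytes']}B "
              f"({st['header_ratio']:.0%} of {st['total_bytes']}B), "
              f"{st['fields']} fields, top {st['top_field']!r} x{st['top_field_count']}")
```

Run it as `python scan_headers.py /path/to/mbox` against a copy of the affected folder; with no argument it scans the constructed sample. A message reported with a header ratio near 100% and one field name repeated hundreds of times is the pattern worth quarantining or rejecting at the MTA before it reaches the IMAP server.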