[BUG] imap-login segfault when running nmap -sV

Florian Pritz bluewind at xinu.at
Tue Apr 21 09:24:55 UTC 2015


Hi,

I've noticed that nmap crashes my imap-login (also pop3-login) and
narrowed it down to `nmap -sV -p 993 $host`. I've noticed that if I
remove "ssl_protocols = !SSLv2 !SSLv3" from my config or enable SSLv3
rather than disabling it the segfault disappears.

I'm running on Arch Linux with dovecot 2.2.16-1 and openssl 1.0.2.a-1.
I've also attached a network capture, but since it's SSL this probably
won't help all that much.

I hope this is enough information to reproduce the issue. If necessary I
can recompile dovecot with debug symbols for a better backtrace.

Thanks,
Florian

dovecot.conf
https://paste.xinu.at/PUsJ/

syslog:
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request 
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122] 
> Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000] 


backtrace:
> #0  0x00007f120100260b in ssl3_get_client_hello () from /usr/lib/libssl.so.1.0.0
> #1  0x00007f120100738f in ssl3_accept () from /usr/lib/libssl.so.1.0.0
> #2  0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0
> #3  0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #4  0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #5  0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0
> #6  0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #7  0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #8  0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #9  0x00007f120162d503 in ?? () from /usr/lib/dovecot/libdovecot.so.0
> #10 0x00007f120168d62c in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0
> #11 0x00007f120168e665 in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0
> #12 0x00007f120168d699 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0
> #13 0x00007f120168d718 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0
> #14 0x00007f120162cb23 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0
> #15 0x00007f1201903788 in login_binary_run () from /usr/lib/dovecot/libdovecot-login.so.0
> #16 0x00007f120127d800 in __libc_start_main () from /usr/lib/libc.so.6
> #17 0x0000000000402909 in _start ()

nmap output:
>> nmap -sV --packet-trace -p 993 karif
> 
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-21 10:52 CEST
> CONN (0.0426s) TCP localhost > 78.46.56.141:80 => Operation now in progress
> CONN (0.0427s) TCP localhost > 78.46.56.141:443 => Operation now in progress
> NSOCK INFO [0.0650s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.0650s] nsock_connect_udp(): UDP connection requested to 192.168.4.1:53 (IOD #1) EID 8
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 18
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.4.1:53] (79 bytes): .............141.56.46.78.in-addr.arpa..................karif.server-speed.net.
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 34
> NSOCK INFO [0.0650s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [0.0650s] msevent_cancel(): msevent_cancel on event #34 (type READ)
> CONN (0.0656s) TCP localhost > 78.46.56.141:993 => Operation now in progress
> NSOCK INFO [0.1320s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.1330s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #1) EID 8
> NSOCK INFO [0.1550s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [0.1550s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 6000ms) EID 18
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [78.46.56.141:993]
> Service scan sending probe GetRequest to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.1610s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 5000ms) EID 34
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 34 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [6.1840s] nsi_new2(): nsi_new (IOD #2)
> NSOCK INFO [6.1840s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #2) EID 40
> NSOCK INFO [6.2050s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [78.46.56.141:993]
> Service scan sending probe SSLSessionReq to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.2060s] nsock_read(): Read request from IOD #2 [78.46.56.141:993] (timeout: 5000ms) EID 58
> NSOCK INFO [6.2060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [78.46.56.141:993]
> NSOCK INFO [6.2280s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [78.46.56.141:993] (7 bytes): ......(
> Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 10443): 78.46.56.141:993 is ssl.  Version: |TLSv1|||
> NSOCK INFO [6.2280s] nsi_delete(): nsi_delete (IOD #2)
> NSOCK INFO [6.2280s] nsi_new2(): nsi_new (IOD #3)
> NSOCK INFO [6.2280s] nsock_connect_ssl(): SSL connection requested to 78.46.56.141:993/tcp (IOD #3) EID 65
> NSOCK INFO [6.3370s] nsock_trace_handler_callback(): Callback: SSL-CONNECT SUCCESS for EID 65 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.3370s] nsock_read(): Read request from IOD #3 [78.46.56.141:993] (timeout: 6000ms) EID 74
> NSOCK INFO [6.3960s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 74 [78.46.56.141:993] (114 bytes)
> Service scan match (Probe NULL matched with NULL line 1312): 78.46.56.141:993 is SSL/imap.  Version: |Dovecot imapd|||
> NSOCK INFO [6.3960s] nsi_delete(): nsi_delete (IOD #3)
> Nmap scan report for karif (78.46.56.141)
> Host is up (0.023s latency).
> rDNS record for 78.46.56.141: karif.server-speed.net
> PORT    STATE SERVICE  VERSION
> 993/tcp open  ssl/imap Dovecot imapd
> 
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds
Attachment: imap-login-crash.pcapng.gz (application/gzip, 7625 bytes)
<http://dovecot.org/pipermail/dovecot/attachments/20150421/df9bc5e5/attachment-0001.bin>
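An added reproduction and log-check helper, written for this page and not part of the report, of Dovecot, or of nmap. The quoted nmap trace and syslog show the sequence that precedes the crash: the NULL probe sits idle for six seconds, the GetRequest probe then sends a plaintext HTTP request on the TLS port, OpenSSL's SSL23_GET_CLIENT_HELLO rejects it as "http request", and the login process dies with SIGSEGV inside libssl (ssl3_get_client_hello reached through ssl_proxy_destroy, per the backtrace). The script below replays that plaintext-on-TLS-port step without nmap and, separately, scans syslog text for the crash signature (a `-login` child killed with signal 11 paired with a kernel segfault line for the same PID, plus the most recent SSL_accept() failure before it). The pairing heuristic and the sample log are mine; the sample reuses the three syslog lines quoted above and adds one constructed benign login line so the classifier has a negative case. The host name argument, `tls_greeting` and `send_plaintext_probe` are assumptions for illustration.

```python
import re
import socket
import ssl
import time

# Plaintext HTTP request on the TLS port: the same kind of data nmap's
# GetRequest probe sends; OpenSSL's SSL23 code logs it as "http request".
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"

# Constructed sample: the three lines quoted in the report plus one
# benign login line (constructed) that must not be classified as a crash.
SAMPLE_SYSLOG = """\
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]
Apr 21 10:53:01 karif dovecot[7849]: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=78.46.56.141, TLS
"""

SIGNAL_RE = re.compile(r"service\((?P<svc>[\w-]+)\): child (?P<pid>\d+) killed with signal (?P<sig>\d+)")
SEGV_RE = re.compile(r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\] segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) .* in (?P<lib>[^\s\[]+)\[")
HANDSHAKE_RE = re.compile(r"rip=(?P<rip>[^,]+),.*SSL_accept\(\) failed: (?P<err>.+?)\s*$")


def find_login_crashes(log_text):
    """Return one record per '*-login' child killed with signal 11.

    Each record carries the PID, the kernel's fault address and faulting
    library (matched by PID, since the kernel line can follow the Fatal line)
    and the last SSL_accept() failure seen before the crash, which in the
    report is the 'http request' rejection of the plaintext probe.
    """
    segv_by_pid = {}
    last_handshake_error = None
    crashes = []
    for line in log_text.splitlines():
        m = SEGV_RE.search(line)
        if m:
            segv_by_pid[int(m["pid"])] = m
            continue
        m = HANDSHAKE_RE.search(line)
        if m:
            last_handshake_error = (m["rip"], m["err"])
            continue
        m = SIGNAL_RE.search(line)
        if m and m["sig"] == "11" and m["svc"].endswith("-login"):
            crashes.append({"service": m["svc"], "pid": int(m["pid"]),
                            "last_handshake_error": last_handshake_error})
    for crash in crashes:
        k = segv_by_pid.get(crash["pid"])
        crash["fault_addr"] = k["addr"] if k else None
        crash["lib"] = k["lib"] if k else None
    return crashes


def send_plaintext_probe(host, port=993, idle_secs=6.0, timeout=5.0):
    """Connect, stay silent as nmap's NULL probe did, then send plaintext HTTP.

    Returns the peer's reply bytes, or the exception class name if the peer
    reset the connection (the report's trace shows 'Connection reset by peer').
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        time.sleep(idle_secs)
        try:
            sock.sendall(HTTP_PROBE)
            return sock.recv(1024)
        except OSError as exc:
            return exc.__class__.__name__.encode()


def tls_greeting(host, port=993, timeout=5.0):
    """Liveness check: complete a TLS handshake and read the IMAP greeting.

    Certificate verification is disabled on purpose: this checks that the
    service still answers, it does not authenticate to it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.recv(256)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # assumed: a test server you are allowed to probe
    print("before:", tls_greeting(target))
    print("probe reply:", send_plaintext_probe(target))
    print("after:", tls_greeting(target))
    for crash in find_login_crashes(SAMPLE_SYSLOG):
        print("sample log crash:", crash)
```

Run it only against a server you own or are authorised to test. Because the Dovecot master respawns a crashed login child, the "after" greeting usually still succeeds, so the conclusive evidence is the syslog: feed the server's log text to `find_login_crashes()` rather than relying on the liveness check alone.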