Malicious header causing RoundCube to hang (load forever)

Malicious header causing RoundCube to hang (load forever)

Luescher Claude
Hello,

I have a strange header which causes Roundcube Webmail 1.2.0 to hang.
Could you please investigate why and fix this in the next version?
I have removed the IPs and the domains from the message but it should
produce the same results and I can confirm it was not the body but the
header which caused the issue. I had to do a bunch of traffic sniffing
between the rc<>dovecot until I figured out that this is the root cause.
If you drop this file into a user's Maildir/cur/ folder and go there
with RoundCube it should reproduce the same issue (as a message body it
will do nothing, so it is safe to send it to the list):

cat ./1472824758.M248861P20044.server1\,S\=3027\:2\,S

-----START OF HEADER-----
Return-Path: <[hidden email]>
Delivered-To: [hidden email]
Received: from mail.company.com (localhost [x.x.x.x])
     by mail.company.com (Postfix) with ESMTP id E7D1026C11C
     for <[hidden email]>; Mon, 29 Aug 2016 08:27:45 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
mail.company.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=7.5
Received: from rfout02.hes.trendmicro.eu (rfout02.hes.trendmicro.eu
[x.x.x.x])
     by mail.company.com (Postfix) with ESMTPS id DC40C26C064
     for <[hidden email]>; Mon, 29 Aug 2016 08:27:45 +0200 (CEST)
Received: from x.x.x.x_hes.trendmicro.com (unknown [x.x.x.x])
     by rfout02.hes.trendmicro.eu (Postfix) with ESMTPS id BF456225F6D
     for <[hidden email]>; Mon, 29 Aug 2016 06:17:20 +0000 (UTC)
Received: from x.x.x.x_hes.trendmicro.com (unknown [x.x.x.x])
     by rout03.hes.trendmicro.eu (Postfix) with SMTP id 7A8177C0057
     for <[hidden email]>; Mon, 29 Aug 2016 06:17:20 +0000 (UTC)
Received: from mail.company2.org (unknown [x.x.x.x])
     by relay02.hes.trendmicro.eu (Postfix) with ESMTPS id 6BE33980047
     for <[hidden email]>; Mon, 29 Aug 2016 06:17:19 +0000 (UTC)
Received: from MAIL.company2.local ([::1]) by MAIL.company2.local
([::1]) with mapi id
  14.03.0301.000; Mon, 29 Aug 2016 08:17:18 +0200
 From: John Smith <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: TR: [SPAM]Concert "Bouquet musical" , mp3-Dateien a PDF-Dateie
mat
      Texter an Nouten
Thread-Topic: [SPAM]Concert "Bouquet musical" , mp3-Dateien a PDF-Dateie
mat
      Texter an Nouten
Thread-Index: AQHR9mbF9TuUo8df8kCTB9YEG142H6BfjSZQ
Date: Mon, 29 Aug 2016 06:17:18 +0000
Message-ID:
<[hidden email]>
References: <[hidden email]>
In-Reply-To: <[hidden email]>
Accept-Language: fr-FR, fr-LU, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [x.x.x.x]
Content-Type: multipart/alternative;
boundary="_000_E54FA90E30A67D49BCD6EA271055EC6957862C69MAILcompany2local_"
MIME-Version: 1.0
X-TMASE-Version: StarCloud-1.3-8.1.1054-22542.005
X-TMASE-Result: 10--10.160600-7.000000
X-TMASE-MatchedRID:
vXngJm2IhaXQ4MR9L2a0LZGdYYDOHOGR7gRQ1q/7uAqv2yd8VYUPyfYI
cXEHn262y6zo19bmLk75ssOgQEJhs7bc/wmz9cRm3BgOPjbqzrky5QwGsWguh+jBkiQTsogiyVI
KeeL/q1mr3oW6uMfKr0mlX2scVfeP7a7m7fE5C+HBtFDYGmaWKhrL4FDGAJ+Flvs2jSyutOTsoE
FnZAFTLNDbef4/mkgxFCOLNe0Jd9NZiostRfaYC7iMC5wdwKqddwX/SSKrKHgPGMG6AkHPPKBDB
389eXAYzAxLg4NeYKyURP9PtVdrmw5VocU4CFzq2x/FmlC/aoy08Z6Wwo67iOeU0qFv58B+zdlo
26al4KGW00p9LWWxD/jDlA9c5qydUuluVE/y9/QOsNNBnlgRWn0tCKdnhB58r10pknZXGJr5kvm
j69FXvEl4W8WVUOR/b2CjU/es000UqDlyn7IGcY0BhmZnJsxhl52+VyjGsawHH6f9vryVO4HT8S
     JnXu7uvYvbQsuiBK0rMM8TiN/HHMjCIMeZLD0ymgnARUAtoS4=
X-TM-AS-URLRatingInfo:
81-38-=?us-ascii?B?aHR0cHM6Ly8xZHJ2Lm1zL2YvcyFBazJ0NU
     FtZmJaWTVpMVp4azdPT2MtSW1YdVox?=
X-TM-AS-URLRatingAct: 60-
X-TM-Deliver-Signature: DE62BF0E055B7C180A70FEE36BA754C7
X-Virus-Scanned: clamav-milter 0.96.5 at mail.company.com
X-Virus-Status: Clean
-----END OF HEADER-----

Thx
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users

Re: Malicious header causing RoundCube to hang (load forever)

A.L.E.C
On 07.09.2016 10:38, Luescher Claude wrote:
> I have a strange header which causes Roundcube Webmail 1.2.0 to hang.
> Could you please investigate why and fix this in the next version?
> I have removed the ips and the domains from the message but it should
> produce the same results and I can confirm it was not the body but the
> header which caused the issue. I had to do bunch of traffic sniffing
> between the rc<>dovecot until I figured out that this is the root cause.

I'm unable to reproduce.

Disable all plugins, enable imap_debug in Roundcube. Maybe this will
give you some hints. What exactly does "it hangs" mean? Maybe dovecot hangs,
not Roundcube? Any errors in the log?

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer         [http://kolab.org]
Roundcube Webmail Developer   [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com

Re: Malicious header causing RoundCube to hang (load forever)

Luescher Claude
Hello,

Well I can easily reproduce that error any time even using the censored
out header file I have sent you. Just copy pasting that message into a
new file like

1472824758.M248861P20044.server1\,S\=3063\:2\,S

and going there in roundcube.

https://s10.postimg.org/50p3nrbl5/rchangs.png

I am certain it is a roundcube issue; it is like rc would be expecting
some data from the server and it keeps bashing the imapproxy or
dovecot for it (almost like a DOS).

Enabling the imap log was a good idea. I did not know about this, just
$config['debug_level'] = 8; which did not help.

So I am attaching the first 1k lines of the log; it grew to 1.5MB in seconds
but it does the same thing over and over.


On 2016-09-07 11:11, A.L.E.C wrote:

> On 07.09.2016 10:38, Luescher Claude wrote:
>> I have a strange header which causes Roundcube Webmail 1.2.0 to hang.
>> Could you please investigate why and fix this in the next version?
>> I have removed the ips and the domains from the message but it should
>> produce the same results and I can confirm it was not the body but the
>> header which caused the issue. I had to do bunch of traffic sniffing
>> between the rc<>dovecot until I figured out that this is the root
>> cause.
>
> I'm unable to reproduce.
>
> Disable all plugins, enable imap_debug in Roundcube. Maybe this will
> give you some hints. What exactly "it hangs" means? Maybe dovecot
> hangs,
> not Roundcube? Any errors in log?


Attachment: imap.txt (128K)

Re: Malicious header causing RoundCube to hang (load forever)

A.L.E.C
On 09/07/2016 05:07 PM, Luescher Claude wrote:
> [07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] C: A0009 UID MOVE 5 Spam
> [07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] S: A0009 NO [CANNOT] Failed to create spool file

Something's trying to move the message to spam and it fails. So, the bug
is in imap as you see above, but I think you're using some plugin,
because Roundcube does not move messages to Spam when accessing them.
So, this might be caused by some plugin.

I also think that maybe you hit another issue. Is your session_lifetime
setting a very big value? Set it to something sensible, like 60.

Use debug_level=1.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer         [http://kolab.org]
Roundcube Webmail Developer   [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
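The two imap_debug lines quoted above show the shape of the problem: the same UID MOVE is issued again and again under a fresh tag, and the server answers NO every time, so the client never makes progress and the log grows without bound. The analyzer below is an added example, not code from this thread or from Roundcube; it parses lines in the imap_debug format quoted above, pairs each tagged server response with the client command carrying the same tag, and reports command/response pairs that fail repeatedly inside one session. That is the check an operator would want before blaming dovecot or a plugin: it tells you which command is looping and how many times it was retried. The embedded log is constructed for this example; the session id, connection id and tags are made up, and the threshold of three repeats is an arbitrary choice.

```python
import re
from collections import Counter

# Line shape of Roundcube's imap_debug log as quoted in the thread:
#   [date]: <session> [conn] C|S: TAG payload
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: <(?P<session>[^>]+)> \[(?P<conn>[0-9A-Fa-f]+)\] "
    r"(?P<dir>[CS]): (?P<tag>\S+) (?P<payload>.*)$"
)


def parse_line(line):
    """Return the parsed fields of one imap_debug line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def pair_commands(lines):
    """Yield (session, command, response) for every tagged server response,
    matched to the pending client command with the same tag and session.
    Untagged '*' responses have no pending command and are skipped."""
    pending = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["session"], rec["conn"], rec["tag"])
        if rec["dir"] == "C":
            pending[key] = rec["payload"]
        elif key in pending:
            yield rec["session"], pending.pop(key), rec["payload"]


def find_retry_loops(lines, threshold=3):
    """Return [(session, command, response, count)] for command/response pairs
    that failed (NO or BAD) at least `threshold` times in the same session.
    The tag is already stripped, so retries under new tags collapse together."""
    counts = Counter()
    for session, cmd, resp in pair_commands(lines):
        status = resp.split(" ", 1)[0]
        if status in ("NO", "BAD"):
            counts[(session, cmd, resp)] += 1
    hits = [(s, c, r, n) for (s, c, r), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[3])


# Constructed sample log (not the attachment from the thread): one normal
# SELECT followed by five retries of the failing UID MOVE seen in the post.
SAMPLE_LOG = "\n".join(
    [
        "[07-Sep-2016 16:58:47 +0200]: <sessid01> [0B8F] C: A0001 SELECT INBOX",
        "[07-Sep-2016 16:58:47 +0200]: <sessid01> [0B8F] S: * 12 EXISTS",
        "[07-Sep-2016 16:58:47 +0200]: <sessid01> [0B8F] S: A0001 OK [READ-WRITE] Select completed.",
    ]
    + [
        line
        for i in range(2, 7)
        for line in (
            f"[07-Sep-2016 16:58:48 +0200]: <sessid01> [0B8F] C: A{i:04d} UID MOVE 5 Spam",
            f"[07-Sep-2016 16:58:48 +0200]: <sessid01> [0B8F] S: A{i:04d} NO [CANNOT] Failed to create spool file",
        )
    ]
)


if __name__ == "__main__":
    for session, cmd, resp, n in find_retry_loops(SAMPLE_LOG.splitlines()):
        print(f"session {session}: '{cmd}' -> '{resp}' repeated {n} times")
```

Run it against a real imap_debug log with `find_retry_loops(open(path).read().splitlines())`; the SELECT in the sample is never reported because its response is OK, while the UID MOVE surfaces once with its retry count rather than five separate times, which is what makes the output readable when the log has grown to megabytes.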