[Gross] Space Character in Mail From Crashing Gross

Jeff Chan jff.chan at gmail.com
Thu Apr 24 23:09:43 EEST 2008


I think I found the bug with my rusty C programming skill. Try this:

gclient  sjsms '%20S' recipient 127.0.0.1 helo

It will either cause strange "s=" entries to be recorded in the log on
my Sun box or just crashes a Linux box.

Seems that the %s that got passed in interfered with the normal format
string processing in vsnprintf, which expects a further string value
to get passed. Of course that didn't happen.

The %20 is a hex encoding of the space character. A spammer sends MAIL
FROM: <spam"mer at dom SIZE=XXX>, MS thinks the envelope address is
spam"mer at dom SIZE=XXX>, and passes spam"mer at dom%20SIZE=XXX> to grossd.
Actually a simple address like %s at dom is sufficient to crash grossd,
because the % character is not encoded by MS before sending to grossd
for some reason.

Besides the envelope sender field, it also seems to affect the
recipient and helo fields as well. It may also affect how tuples are
entered into the bloom filter since grossd just takes what MS sends as
is.

Below is a gdb stack trace that I think will help fix the bug. In
the meantime, I am working on a script that auto-restarts grossd when it
dies.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1290261584 (LWP 21965)]
0x00596eb8 in wcslen () from /lib/tls/libc.so.6
(gdb) where
#0  0x00596eb8 in wcslen () from /lib/tls/libc.so.6
#1  0x00597f14 in wcsrtombs () from /lib/tls/libc.so.6
#2  0x005655ec in vfprintf () from /lib/tls/libc.so.6
#3  0x005829d6 in vsnprintf () from /lib/tls/libc.so.6
#4  0x0804b977 in logstr (level=6615028,
    fmt=0xb3181710 "a=greylist d=0 w=0 c=127.0.0.1 s=%20S r=r h=helo")
    at srvutils.c:50
#5  0x0804d416 in querylogwrite (q=0x81ae980) at worker.c:677
#6  0x0804d4c1 in finalize (status=0x81ae978) at worker.c:602
#7  0x08053baa in sjsms_connection (info=0x81adfd0, thread_ctx=0xb3182410,
    edict=0x81ae728) at worker_sjsms.c:270
#8  0x0805252e in thread_pool (arg=0x81ae590) at thread_pool.c:191
#9  0x00760371 in start_thread () from /lib/tls/libpthread.so.0
#10 0x005efffe in clone () from /lib/tls/libc.so.6

Jeff
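An added example, not grossd's code, of the defect the trace points at and its fix: the log line built from MTA-supplied fields is being used as the format argument of vsnprintf, whereas a safe logstr keeps a literal format and passes each untrusted field through its own %s. The struct query fields and the querylogwrite signature here are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not grossd's code. In the trace above the MTA-supplied
 * "s=%20S" reaches vsnprintf() as the FORMAT string, so "%S" tries to read
 * a wchar_t* that was never passed and the process dies in wcslen().
 * The unsafe shape is  snprintf(buf, n, line_built_from_mta_fields);
 * The fix: keep the format a literal and pass each untrusted field via %s. */

struct query {             /* hypothetical stand-in for grossd's query record */
    const char *action;
    int delay;
    const char *client;
    const char *sender;    /* MAIL FROM exactly as the MTA delivered it */
    const char *recipient;
    const char *helo;
};

/* format(printf) makes the compiler check that every conversion in fmt has
 * a matching argument, so a later edit cannot quietly reintroduce the bug. */
__attribute__((format(printf, 3, 4)))
static int logstr(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Renders the query log line; '%' in any field is printed literally.
 * Returns the line length, or -1 if it did not fit (drop, don't truncate). */
int querylogwrite(const struct query *q, char *out, size_t outlen)
{
    int n = logstr(out, outlen, "a=%s d=%d c=%s s=%s r=%s h=%s",
                   q->action, q->delay, q->client,
                   q->sender, q->recipient, q->helo);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Constructed sample from the thread: sender field "%20S". */
int demo(char *out, size_t outlen)
{
    struct query q = { "greylist", 0, "127.0.0.1", "%20S", "r", "helo" };
    return querylogwrite(&q, out, outlen);
}
```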

On 4/24/08, Jesse Thompson <jesse.thompson at doit.wisc.edu> wrote:
> Oh, sorry, I didn't read your message fully, and assumed you were
> talking about spaces, not quotes.
>
> It seems odd that gross would care about unbalanced quotes.  Are you sure
> it's not crashing because of the space?
>
> Jesse
>
>
> Jeff Chan wrote:
> > Thanks Jesse. Your collection is great - but from a quick glance, it
> > doesn't seem to match a double quote occurring only once.
> >
> > I am currently testing something like this:
> >   TCP|*|*|*|*|SMTP*|*|*|*"*"*"*|* $N$D30|Bad$ envelop$ from$ address
> >   TCP|*|*|*|*|SMTP*|*|*|*"*"*|*  $Y
> >   TCP|*|*|*|*|SMTP*|*|*|*"*|* $N$D30|Bad$ envelop$ from$ address
> >
> > It's not perfect and can't get all unbalanced double quotes identified
> > when the number of double quotes occurs more than 3 times. And the
> > sort of regular expression that MS provides for mappings is quite
> > brain dead. Can't figure out a way to precisely write a pattern that
> > checks for unbalanced quotes, without resorting to writing a C routine.
> >
> > Jeff
> >
> > On Thu, Apr 24, 2008 at 8:57 PM, Jesse Thompson
> > <jesse.thompson at doit.wisc.edu> wrote:
> >> Hi Jeff,
> >>
> >>  I'll let Eino address the gross crashing issue.  But I have a workaround
> >> for you.
> >>
> >>  This FROM_ACCESS mapping will do the trick.  After seeing a lot of garbage
> >> in our queues due to 'mail from's with control characters, we did an
> >> analysis (from our mail logs and searching around for what others are doing)
> >> on a reasonable policy for valid characters in the local part of the mail
> >> from.  I know that we should technically be allowing more characters per the
> >> RFC, but we've been running like this for a while and haven't had any
> >> complaints.
> >>
> >>  Jesse
> >>
> >>  (in case you can't tell, the space character is covered by the range ascii
> >> hex 0x01-0x21 (space is 0x20) which shows up visually as ^A-! note: the ^A
> >> is what is printed in the terminal, but it's actually ascii hex 0x01.  Let
> >> me know if you need help typing that in (it's not ^ and A); it's possible to
> >> do with vim and a bit of googling.)
> >>
> >>
> >>  FROM_ACCESS
> >>  !
> >>  ! Require EHLO/HELO
> >>   *|*|*|*|*|SMTP/|*|*|*|* $N$D900|EHLO/HELO$ argument$ required
> >>  !
> >>  ! Prohibit spaces in EHLO/HELO
> >>   *|*|*|*|*|SMTP/*$ *|*|*|*|* $NSpace$ not$ allowed$ in$ EHLO/HELO
> >>  !
> >>  ! Prohibit invalid characters anywhere in the uid
> >>  ! ascii hex: 01-21, 24, 25, 28, 29, 2c, 3a, 3b, 3c, 3e, 5b-5e, 60, 7b, 7d
> >>   *|*|*|*|*|*|*|*|*$[^A-!$%(),;^`\{\}]%*@*|* $Ninvalid$ character$ in$ mail$ from
> >>  !
> >>  ! Prohibit single character questionable characters
> >>  ! in the local part of the envelope from address
> >>  ! ascii hex: 23, 26, 27, 2a, 3b, 3f, 2b, 2d, 2e, 5f, 7e
> >>   *|*|*|*|*|*|*|*|$[#&'*=?+\-._\~]%@*|* $Ninvalid$ character$ in$ mail$ from
> >>  !
> >>  ! Prohibit quoted single character questionable characters
> >>  ! in the local part of the envelope from address
> >>  ! ascii hex: 23, 26, 27, 2a, 3b, 3f, 2b, 2d, 2e, 5f, 7e
> >>   *|*|*|*|*|*|*|*|"$[#&'*=?+\-._\~]%"@*|* $Ninvalid$ character$ in$ mail$ from
> >>
> >>
> >>  Jeff Chan wrote:
> >>
> >>>
> >>>
> >>> Hi,
> >>>
> >>> I started to experiment with Gross a few days ago with SJSMS. I observed
> >>> that Gross crashed regularly, without any error message, and thus left
> >>> the server without greylisting protection.
> >>>
> >>> I use Gross 1.0rc2 and found it crashes when a spammer sends
> >>> something like this:
> >>>
> >>> MAIL FROM: <spam"mer at dom> SIZE=1000
> >>>
> >>> The mail.log shows that MS takes spam"mer at dom> SIZE=1000 as the envelope
> >>> address, without taking care of the unbalanced double quote. Although
> >>> I think it's either a MS bug or at least a configuration issue, Gross
> >>> shouldn't be crashing because of invalid inputs.
> >>>
> >>> Has anyone else encountered this issue? Or just me? And BTW, a little bit off
> >>> topic, what's your experience dealing with invalid characters using
> >>> the MS configuration files like mappings?
> >>>
> >>> Thanks.
> >>>
> >>> Jeff
> >>> _______________________________________________
> >>> Gross mailing list
> >>> Gross at lists.utu.fi
> >>> https://lists.utu.fi/mailman/listinfo/gross
> >>>
> >>  --
> >>   Jesse Thompson
> >>   Email/IM: jesse.thompson at doit.wisc.edu
> >>
>
> --
>    Jesse Thompson
>    Email/IM: jesse.thompson at doit.wisc.edu
>
