Re: [RCU] Malicious header causing RoundCube to hang (load forever)
On 09/07/2016 05:07 PM, Luescher Claude wrote:
> [07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] C: A0009 UID MOVE 5 Spam
> [07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] S: A0009 NO [CANNOT] Failed
> to create spool file

Something's trying to move the message to spam and it fails. So, the bug is in imap as you see above, but I think you're using some plugin, because Roundcube does not move messages to Spam when accessing them. So, this might be caused by some plugin.

I also think that maybe you hit another issue. Is your session_lifetime setting a very big value? Set it to something sensible, like 60. Use debug_level=1.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
___
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users
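The diagnosis in the reply above rests on one tagged command being answered with NO; in a log that grows by megabytes, that pairing can be extracted mechanically. The Python sketch below is an added example, not part of the original messages and not Roundcube code: the line layout is inferred from the log excerpts in this thread, and the sample lines and the connection ids 1C2D and 2E4F are constructed.

```python
import re
from collections import Counter

# Layout inferred from the excerpts in this thread (an assumption):
#   [timestamp]: <session> [conn] C|S: payload    (<session> may be absent)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:\s+(?:<(?P<sess>[^>]+)>\s+)?\[(?P<conn>[^\]]+)\]\s+"
    r"(?P<dir>[CS]):\s(?P<payload>.*)$"
)
TAGGED_RE = re.compile(r"^(?P<tag>A\d+)\s+(?P<rest>.*)$")

def analyse(lines, threshold=3):
    """Pair tagged commands with replies; return failures and repeated failures."""
    pending = {}          # (conn, tag) -> command text awaiting its reply
    failures = []         # (timestamp, conn, command, server reply)
    per_session = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        t = TAGGED_RE.match(m["payload"]) if m else None
        if not t:
            continue      # unparsable line, untagged "* ..." data, or "+" continuation
        key = (m["conn"], t["tag"])
        if m["dir"] == "C":
            pending[key] = t["rest"]
        elif t["rest"].split(" ", 1)[0] in ("NO", "BAD"):
            cmd = pending.pop(key, "?")
            failures.append((m["ts"], m["conn"], cmd, t["rest"]))
            per_session[(m["sess"], cmd)] += 1
        else:
            pending.pop(key, None)
    repeated = {k: n for k, n in per_session.items() if n >= threshold}
    return failures, repeated

# Constructed sample: the two quoted lines, repeated on new (made-up) connections.
SAMPLE = """\
[07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] C: A0008 SELECT INBOX
[07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] S: A0008 OK [READ-WRITE] Select completed.
[07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] C: A0009 UID MOVE 5 Spam
[07-Sep-2016 16:58:48 +0200]: <06631i17> [0B8F] S: A0009 NO [CANNOT] Failed to create spool file
[07-Sep-2016 16:58:49 +0200]: <06631i17> [1C2D] C: A0009 UID MOVE 5 Spam
[07-Sep-2016 16:58:49 +0200]: <06631i17> [1C2D] S: A0009 NO [CANNOT] Failed to create spool file
[07-Sep-2016 16:58:50 +0200]: <06631i17> [2E4F] C: A0009 UID MOVE 5 Spam
[07-Sep-2016 16:58:50 +0200]: <06631i17> [2E4F] S: A0009 NO [CANNOT] Failed to create spool file
""".splitlines()

if __name__ == "__main__":
    failures, repeated = analyse(SAMPLE)
    for ts, conn, cmd, reply in failures:
        print(f"{ts} [{conn}] {cmd!r} -> {reply}")
    print("repeated failures:", repeated)
```

A command that fails identically on several connections of one web session is the signature of a client retry loop, which is what separates a server-side error from a client that keeps re-issuing it.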
Re: [RCU] Malicious header causing RoundCube to hang (load forever)
Hello,

Well I can easily reproduce that error any time even using the censored out header file I have sent you. Just copy pasting that message into a new file like 1472824758.M248861P20044.server1\,S\=3063\:2\,S and going there in roundcube.

https://s10.postimg.org/50p3nrbl5/rchangs.png

I am certain it is a roundcube issue, it is like rc would be expecting some data from the server and it keeps bashing the imapproxy or dovecot for it (almost like DOS).

Enabling the imap log was a good idea. I did not know about this, just $config['debug_level'] = 8; which did not help. So I am attaching the first 1k lines of the log, it grew to 1.5MB in seconds but it does the same thing over and over.

On 2016-09-07 11:11, A.L.E.C wrote:
> On 07.09.2016 10:38, Luescher Claude wrote:
>> I have a strange header which causes Roundcube Webmail 1.2.0 to hang.
>> Could you please investigate why and fix this in the next version?
>> I have removed the ips and the domains from the message but it should
>> produce the same results and I can confirm it was not the body but the
>> header which caused the issue. I had to do bunch of traffic sniffing
>> between the rc<>dovecot until I figured out that this is the root cause.
>
> I'm unable to reproduce. Disable all plugins, enable imap_debug in
> Roundcube. Maybe this will give you some hints. What exactly "it hangs"
> means? Maybe dovecot hangs, not Roundcube? Any errors in log?

[07-Sep-2016 16:58:32 +0200]: [CFA6] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] mail.company.com is ready
[07-Sep-2016 16:58:32 +0200]: [CFA6] C: A0001 ID ("name" "Roundcube" "version" "1.2.0" "php" "5.4.45-0+deb7u4" "os" "Linux" "command" "/?_task=login")
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: * ID ("name" "Dovecot")
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: A0001 OK ID completed.
[07-Sep-2016 16:58:32 +0200]: [CFA6] C: A0002 AUTHENTICATE CRAM-MD5
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: + PDc5NzgzNDkzNDU2MjA3MTcuMTQ3MzI2MDMxMkB0YW5nb21haWxjbG91ZDE+
[07-Sep-2016 16:58:32 +0200]: [CFA6] C: ** [62]
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: A0002 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA] Logged in
[07-Sep-2016 16:58:32 +0200]: [CFA6] C: A0003 NAMESPACE
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: * NAMESPACE (("" "/")) NIL NIL
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: A0003 OK Namespace completed.
[07-Sep-2016 16:58:32 +0200]: [CFA6] C: A0004 LIST (SPECIAL-USE) "" "*" RETURN (SUBSCRIBED)
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: * LIST (\Subscribed \Junk) "/" Spam
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: * LIST (\Subscribed \Trash) "/" Trash
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: * LIST (\Subscribed \Sent) "/" Sent
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: * LIST (\Subscribed \Drafts) "/" Drafts
[07-Sep-2016 16:58:32 +0200]: [CFA6] S: A0004 OK List completed.
[07-Sep-2016 16:58:32 +0200]: <06631i17> [CFA6] C: A0005 LOGOUT
[07-Sep-2016 16:58:32 +0200]: <06631i17> [CFA6] S: * BYE Logging out
[07-Sep-2016 16:58:32 +0200]: <06631i17> [CFA6] S: A0005 OK Logout completed.
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] mail.company.com is ready
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] C: A0001 ID ("name" "Roundcube" "version" "1.2.0" "php" "5.4.45-0+deb7u4" "os" "Linux" "command" "/?_task=mail&_token=3ZIb0FIz9XrZD7j57h9kz53V8kPiLkV1")
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: * ID ("name" "Dovecot")
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: A0001 OK ID completed.
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] C: A0002 AUTHENTICATE CRAM-MD5
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: + PDI0MzM4OTk0MDQyNDM1MjAuMTQ3MzI2MDMxMkB0YW5nb21haWxjbG91ZDI+
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] C: ** [62]
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: A0002 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA] Logged in
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] C: A0003 LIST (SUBSCRIBED) "" "*"
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: * LIST (\Subscribed) "/" Drafts
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: * LIST (\Subscribed) "/" Spam
[07-Sep-2016 16:58:32 +0200]: <06631i17> [E63E] S: * LIST (\Subscribed) "/" Trash
[07-Sep-2016 16:58:32
Re: [RCU] Malicious header causing RoundCube to hang (load forever)
On 07.09.2016 10:38, Luescher Claude wrote:
> I have a strange header which causes Roundcube Webmail 1.2.0 to hang.
> Could you please investigate why and fix this in the next version?
> I have removed the ips and the domains from the message but it should
> produce the same results and I can confirm it was not the body but the
> header which caused the issue. I had to do bunch of traffic sniffing
> between the rc<>dovecot until I figured out that this is the root cause.

I'm unable to reproduce. Disable all plugins, enable imap_debug in Roundcube. Maybe this will give you some hints. What exactly "it hangs" means? Maybe dovecot hangs, not Roundcube? Any errors in log?

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
[RCU] Malicious header causing RoundCube to hang (load forever)
Hello,

I have a strange header which causes Roundcube Webmail 1.2.0 to hang. Could you please investigate why and fix this in the next version?

I have removed the ips and the domains from the message but it should produce the same results and I can confirm it was not the body but the header which caused the issue. I had to do bunch of traffic sniffing between the rc<>dovecot until I figured out that this is the root cause.

If you drop this file into a user's Maildir/cur/ folder and go there with RoundCube it should reproduce the same issue (as a body message it will do nothing so safe to send it to the list):

cat ./1472824758.M248861P20044.server1\,S\=3027\:2\,S

-START OF HEADER-
Return-Path:
Delivered-To: us...@company.com
Received: from mail.company.com (localhost [x.x.x.x]) by mail.company.com (Postfix) with ESMTP id E7D1026C11C for ; Mon, 29 Aug 2016 08:27:45 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.company.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=7.5
Received: from rfout02.hes.trendmicro.eu (rfout02.hes.trendmicro.eu [x.x.x.x]) by mail.company.com (Postfix) with ESMTPS id DC40C26C064 for ; Mon, 29 Aug 2016 08:27:45 +0200 (CEST)
Received: from x.x.x.x_hes.trendmicro.com (unknown [x.x.x.x]) by rfout02.hes.trendmicro.eu (Postfix) with ESMTPS id BF456225F6D for ; Mon, 29 Aug 2016 06:17:20 + (UTC)
Received: from x.x.x.x_hes.trendmicro.com (unknown [x.x.x.x]) by rout03.hes.trendmicro.eu (Postfix) with SMTP id 7A8177C0057 for ; Mon, 29 Aug 2016 06:17:20 + (UTC)
Received: from mail.company2.org (unknown [x.x.x.x]) by relay02.hes.trendmicro.eu (Postfix) with ESMTPS id 6BE33980047 for ; Mon, 29 Aug 2016 06:17:19 + (UTC)
Received: from MAIL.company2.local ([::1]) by MAIL.company2.local ([::1]) with mapi id 14.03.0301.000; Mon, 29 Aug 2016 08:17:18 +0200
From: John Smith
To: "us...@company.com"
Subject: TR: [SPAM]Concert "Bouquet musical" , mp3-Dateien a PDF-Dateie mat Texter an Nouten
Thread-Topic: [SPAM]Concert "Bouquet musical" , mp3-Dateien a PDF-Dateie mat Texter an Nouten
Thread-Index: AQHR9mbF9TuUo8df8kCTB9YEG142H6BfjSZQ
Date: Mon, 29 Aug 2016 06:17:18 +
Message-ID:
References:
In-Reply-To:
Accept-Language: fr-FR, fr-LU, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [x.x.x.x]
Content-Type: multipart/alternative; boundary="_000_E54FA90E30A67D49BCD6EA271055EC6957862C69MAILcompany2local_"
MIME-Version: 1.0
X-TMASE-Version: StarCloud-1.3-8.1.1054-22542.005
X-TMASE-Result: 10--10.160600-7.00
X-TMASE-MatchedRID: vXngJm2IhaXQ4MR9L2a0LZGdYYDOHOGR7gRQ1q/7uAqv2yd8VYUPyfYI cXEHn262y6zo19bmLk75ssOgQEJhs7bc/wmz9cRm3BgOPjbqzrky5QwGsWguh+jBkiQTsogiyVI KeeL/q1mr3oW6uMfKr0mlX2scVfeP7a7m7fE5C+HBtFDYGmaWKhrL4FDGAJ+Flvs2jSyutOTsoE FnZAFTLNDbef4/mkgxFCOLNe0Jd9NZiostRfaYC7iMC5wdwKqddwX/SSKrKHgPGMG6AkHPPKBDB 389eXAYzAxLg4NeYKyURP9PtVdrmw5VocU4CFzq2x/FmlC/aoy08Z6Wwo67iOeU0qFv58B+zdlo 26al4KGW00p9LWWxD/jDlA9c5qydUuluVE/y9/QOsNNBnlgRWn0tCKdnhB58r10pknZXGJr5kvm j69FXvEl4W8WVUOR/b2CjU/es000UqDlyn7IGcY0BhmZnJsxhl52+VyjGsawHH6f9vryVO4HT8S JnXu7uvYvbQsuiBK0rMM8TiN/HHMjCIMeZLD0ymgnARUAtoS4=
X-TM-AS-URLRatingInfo: 81-38-=?us-ascii?B?aHR0cHM6Ly8xZHJ2Lm1zL2YvcyFBazJ0NU FtZmJaWTVpMVp4azdPT2MtSW1YdVox?=
X-TM-AS-URLRatingAct: 60-
X-TM-Deliver-Signature: DE62BF0E055B7C180A70FEE36BA754C7
X-Virus-Scanned: clamav-milter 0.96.5 at mail.company.com
X-Virus-Status: Clean
-END OF HEADER-

Thx