'Nettwerked Advisory; dead.letter DoS in Tin'
-+
Advisory released: Tuesday December 14, 1999
Severity: Augmentation of dead.letter process in Tin Newsreader
may severely slow down or crash server.
Author: The Clone
-+
I. Introduction
II. Details
III. Possible Solutions
IV. Conclusion
V. Contact Information
--
Introduction:
This advisory was written to show a serious issue involving
the Tin Newsreader that system administrators must be aware of.
I am in no way advocating nor condoning Denial of Service attacking.
Denial of Service attacking or "DoSing" is illegal and does break
the Terms of Service (TOS) with most if not all Internet Service
Providers. So before you go ahead and break the law, keep in mind
that you will either get a warning from your ISP, have your internet
account revoked, or in some cases you will be charged.
Now that I have cleared that up, let me get into detail about this
solemn attack that has been greatly over looked.
--
Details:
It was around two weeks ago, when I was reading through alt.rave,
posting articles, reading articles, (etc.) when I was suddenly
disconnected (i.e. my modem hung up). I assumed that the problem
was simply line-noise from my modem that spewed up high-ASCII
characters which caused the disconnection.
As soon as I logged back onto my account, I went into my file
directory and found a 4.5MB dead.letter file. The dead.letter was
obviously created when I suddenly dropped carrier.
Following the discovery of the dead.letter, I did what I would
usually do if I found one in my file directory... deleted it!
Deleting the dead.letter didn't help. A few seconds later,
the dead.letter appeared once again. Each time I reloaded
my Lynx browser, the file grew by 30KB.
As I attempted to figure out what was happening, the night
turned into early morning. I decided my only option would
be to give it up and see if the file would stop growing
by the next day.
At around 9:30am I checked my file directory
only to find the dead.letter had grown to an enormous 25MB.
"Now what could be the problem?" I asked myself. The only
explanation I had was that when I disconnected from the
internet, the Tin Newsreader thought I was still logged
on and kept reading through the 15,000 or so messages.
Every time someone posted on alt.rave, it added to the
initial messages to be read through as well as the
dead.letter size.
Immediately I contacted the system administrator and told
him about what had happened. Within half an hour, he e-mailed
me back and told me he had killed the process. I assumed right.
The admin told me that there was nothing I could of done to
have stopped this from happening.
Now if I hadn't of contacted him, this "Tin DoS" may have
overloaded the 10.8GB sent-mail disk quota of my ISP...
crash and burn, baby!
--
Possible Solutions:
What could my ISP (and others) do to stop this type of
problem from occurring again? Some possible solutions are;
1. Have a disk quota limit of 20MB per member. As soon as
the limit is reached, it automatically kills the process
which is taking up space. In this case it's the infinitely
growing Tin dead.letter file.
2. Lets say by some chance a user is suddenly disconnected
from the internet while still logged onto Tin and reading
newsgroups. Tin should know that there is no longer anyone
reading newsgroups and immediately stop its processes.
I haven't tried out this DoS with any other version of Tin
except for 'tin 1.2 PL2.6 [UNIX]'. (Copyright 1991-93 Iain Lea.)
--
Conclusion:
This Denial of Service attack shouldn't be taken lightly by anyone.
Especially ISP's and free internet shell providers who do offer Tin
on their system.
If anyone wishes to test this DoS on their systems using a newer
version of Tin (beyond 1.2 PL2.6), please do and let me know if
this attack works on it too.
--
Contact Information:
If you want to contact me about this article or anything,
please e-mail me at: webmaster@nettwerk.hypermart.net
Voice-mail: 1-800-909-6042
Site: http://nettwerk.hypermart.net
Group: http://www.hackcanada.com
A
N E T T W E R K E D
P R O D U C T
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
