[openssl-dev] [openssl.org #3818] [BUG] dovecot imap-login segfault when running nmap -sV

Florian Pritz via RT rt at openssl.org
Thu Apr 23 17:51:49 UTC 2015


Hi,

The only reply I've got on the dovecot list so far believes this to be an
openssl issue, so I'm sending this to you guys.

I've noticed that nmap crashes imap-login of my dovecot (also
pop3-login) and narrowed it down to `nmap -sV -p 993 $host`. I've
noticed that if I remove "ssl_protocols = !SSLv2 !SSLv3" from my config
or enable SSLv3 rather than disabling it the segfault disappears.

I'm running on Arch Linux with dovecot 2.2.16-1 and openssl 1.0.2.a-1.
I've also attached a network capture.

I hope this is enough information to reproduce the issue. If necessary I
can recompile dovecot with debug symbols for a better backtrace.

Thanks,
Florian

dovecot.conf
https://paste.xinu.at/PUsJ/

syslog:
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request 
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122] 
> Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000] 


backtrace:
> #0  0x00007f120100260b in ssl3_get_client_hello () from /usr/lib/libssl.so.1.0.0
> #1  0x00007f120100738f in ssl3_accept () from /usr/lib/libssl.so.1.0.0
> #2  0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0
> #3  0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #4  0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #5  0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0
> #6  0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #7  0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #8  0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #9  0x00007f120162d503 in ?? () from /usr/lib/dovecot/libdovecot.so.0
> #10 0x00007f120168d62c in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0
> #11 0x00007f120168e665 in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0
> #12 0x00007f120168d699 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0
> #13 0x00007f120168d718 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0
> #14 0x00007f120162cb23 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0
> #15 0x00007f1201903788 in login_binary_run () from /usr/lib/dovecot/libdovecot-login.so.0
> #16 0x00007f120127d800 in __libc_start_main () from /usr/lib/libc.so.6
> #17 0x0000000000402909 in _start ()

nmap output:
>> nmap -sV --packet-trace -p 993 karif
> 
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-21 10:52 CEST
> CONN (0.0426s) TCP localhost > 78.46.56.141:80 => Operation now in progress
> CONN (0.0427s) TCP localhost > 78.46.56.141:443 => Operation now in progress
> NSOCK INFO [0.0650s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.0650s] nsock_connect_udp(): UDP connection requested to 192.168.4.1:53 (IOD #1) EID 8
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 18
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.4.1:53] (79 bytes): .............141.56.46.78.in-addr.arpa..................karif.server-speed.net.
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 34
> NSOCK INFO [0.0650s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [0.0650s] msevent_cancel(): msevent_cancel on event #34 (type READ)
> CONN (0.0656s) TCP localhost > 78.46.56.141:993 => Operation now in progress
> NSOCK INFO [0.1320s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.1330s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #1) EID 8
> NSOCK INFO [0.1550s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [0.1550s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 6000ms) EID 18
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [78.46.56.141:993]
> Service scan sending probe GetRequest to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.1610s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 5000ms) EID 34
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 34 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [6.1840s] nsi_new2(): nsi_new (IOD #2)
> NSOCK INFO [6.1840s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #2) EID 40
> NSOCK INFO [6.2050s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [78.46.56.141:993]
> Service scan sending probe SSLSessionReq to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.2060s] nsock_read(): Read request from IOD #2 [78.46.56.141:993] (timeout: 5000ms) EID 58
> NSOCK INFO [6.2060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [78.46.56.141:993]
> NSOCK INFO [6.2280s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [78.46.56.141:993] (7 bytes): ......(
> Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 10443): 78.46.56.141:993 is ssl.  Version: |TLSv1|||
> NSOCK INFO [6.2280s] nsi_delete(): nsi_delete (IOD #2)
> NSOCK INFO [6.2280s] nsi_new2(): nsi_new (IOD #3)
> NSOCK INFO [6.2280s] nsock_connect_ssl(): SSL connection requested to 78.46.56.141:993/tcp (IOD #3) EID 65
> NSOCK INFO [6.3370s] nsock_trace_handler_callback(): Callback: SSL-CONNECT SUCCESS for EID 65 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.3370s] nsock_read(): Read request from IOD #3 [78.46.56.141:993] (timeout: 6000ms) EID 74
> NSOCK INFO [6.3960s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 74 [78.46.56.141:993] (114 bytes)
> Service scan match (Probe NULL matched with NULL line 1312): 78.46.56.141:993 is SSL/imap.  Version: |Dovecot imapd|||
> NSOCK INFO [6.3960s] nsi_delete(): nsi_delete (IOD #3)
> Nmap scan report for karif (78.46.56.141)
> Host is up (0.023s latency).
> rDNS record for 78.46.56.141: karif.server-speed.net
> PORT    STATE SERVICE  VERSION
> 993/tcp open  ssl/imap Dovecot imapd
> 
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds

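As an added defender-side example (not part of the report above), the script below parses the three syslog lines quoted in the report, decodes the kernel segfault line into a library-relative offset that can be fed to addr2line or gdb against the same libssl build, and flags the pattern the report describes: a TLS handshake failure on a service followed, within a few seconds, by a child of that same service dying with signal 11. The "likely null deref" flag is a heuristic assumption (fault address inside the first page), not something the report states.

```python
import re
from datetime import datetime

# Sample input: the three syslog lines quoted in the bug report, one per line.
SAMPLE_SYSLOG = """\
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Linux kernel segfault report: "comm[pid] segfault at ADDR ip IP sp SP error N in lib[base+size]".
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<lib>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
# Dovecot login-process handshake failure, e.g. "imap-login: ... SSL_accept() failed: error:...".
HANDSHAKE_FAIL_RE = re.compile(
    r"(?P<service>[\w-]+): .*SSL_accept\(\) failed: error:(?P<code>[0-9A-F]+):(?P<reason>[^,]*)"
)
# Dovecot master reporting a dead child: "service(imap-login): child 7879 killed with signal 11".
KILLED_RE = re.compile(r"service\((?P<service>[\w-]+)\): child (?P<pid>\d+) killed with signal (?P<sig>\d+)")


def parse_segfault(msg):
    """Decode a kernel segfault line into integers plus the offset inside the faulting mapping."""
    m = SEGFAULT_RE.search(msg)
    if not m:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    fault_addr = int(m["addr"], 16)
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": fault_addr,
        "lib": m["lib"],
        "offset": ip - base,                 # pass to: addr2line -e libssl.so.1.0.0 -f 0x<offset>
        "in_mapping": base <= ip < base + size,
        # Heuristic (assumption): a fault address inside the first page usually means a
        # NULL struct pointer was dereferenced at a small field offset.
        "likely_null_deref": fault_addr < 0x1000,
    }


def parse_events(syslog_text):
    """Turn syslog lines into typed events in file order; unknown lines are ignored."""
    events = []
    for raw in syslog_text.splitlines():
        m = SYSLOG_RE.match(raw.rstrip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less, fine for deltas
        msg = m["msg"]
        hf = HANDSHAKE_FAIL_RE.search(msg)
        if hf:
            events.append({"kind": "handshake_fail", "ts": ts, "service": hf["service"], "reason": hf["reason"]})
            continue
        k = KILLED_RE.search(msg)
        if k:
            events.append({"kind": "child_killed", "ts": ts, "service": k["service"],
                           "pid": int(k["pid"]), "signal": int(k["sig"])})
            continue
        sf = parse_segfault(msg)
        if sf:
            events.append({"kind": "segfault", "ts": ts, "service": sf["comm"], "pid": sf["pid"], "crash": sf})
    return events


def correlate(syslog_text, window_seconds=5):
    """Report each segfault that follows a handshake failure of the same service within the window."""
    events = parse_events(syslog_text)
    incidents = []
    for i, ev in enumerate(events):
        if ev["kind"] != "segfault":
            continue
        prior = [p for p in events[:i] if p["kind"] == "handshake_fail" and p["service"] == ev["service"]
                 and 0 <= (ev["ts"] - p["ts"]).total_seconds() <= window_seconds]
        killed = [p for p in events[:i] if p["kind"] == "child_killed" and p["pid"] == ev["pid"]]
        if prior:
            incidents.append({
                "service": ev["service"], "pid": ev["pid"],
                "reason": prior[-1]["reason"],
                "signal": killed[-1]["signal"] if killed else None,
                "lib": ev["crash"]["lib"], "offset": ev["crash"]["offset"],
                "likely_null_deref": ev["crash"]["likely_null_deref"],
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_SYSLOG):
        print(f"{inc['service']} pid {inc['pid']}: handshake error '{inc['reason']}' then signal "
              f"{inc['signal']} in {inc['lib']}+{inc['offset']:#x} (null deref likely: {inc['likely_null_deref']})")
```

Run against a real syslog, the offset printed for the report's line is `libssl.so.1.0.0+0x2060b`, which is what you would hand to `addr2line -e /usr/lib/libssl.so.1.0.0 -f 0x2060b` on a box with the same package build to name the faulting function without recompiling dovecot. The correlation is deliberately narrow (same service, short window) so that ordinary handshake failures from scanners do not raise an alert on their own; only a crash right after one does.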

-------------- next part --------------
A non-text attachment was scrubbed...
Name: imap-login-crash.pcapng.gz
Type: application/gzip
Size: 7625 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150423/4b8eb1ef/attachment-0001.bin>