On Mon, 28 Jul 2003 11:36:35 -0700, [EMAIL PROTECTED] (Justin Mason) writes:

> Scott A Crosby writes:
> > Even in the case of perl, O(n^2) is noticeable. Here, I show the number
> > of '.'s and the corresponding runtime. Observe:
> >
> > 1000 elapsed 0.17
> > 2000 elapsed 0.7
>
> SpamAssassin should be just about here for most REs -- at least the ones
> that operate in "body" tests, due to splitting lines at an arbitrary limit
> of 2048 chars (that's MAX_BODY_LINE_LENGTH).

*hmm* Could this be a way to get around content-filtering? Put a noisy body
at the beginning, say, within an HTML comment or as nonsense within an HTML
tag. Say, something like:

  <A HREF="foobar" BLAH="BIG_LONG_STRING">?

Also, forcing the victim to burn a second for every 2kb is still interesting.
There's nothing that keeps the attacker from repeating this sort of thing
every paragraph, so a 60kb email takes >30 seconds.

> If this issue appears in header regexps, or "rawbody" or "full" tests
> though, we probably need to do something similar there too...

Doing a quick eyeball. (I'm working on software to more automatically
identify these sorts of problems.) It looks like this occurs in header
processing. Other than that last regexp, which I repeat below, there are two
that seem as if they're to extract fields out of Received: headers. Note that
these regexps are unparsed from an internal syntax tree and may not appear
exactly as-is in the SA source.

2 'by[\t ]+\w+(?:[\-.0-9A-Z_a-z]+\.)+\w+'
2 'from[\t ]+\w+(?:[\-.0-9A-Z_a-z]+\.)+\w+'
2 '[EMAIL PROTECTED](?:[\-.0-9A-Z_a-z]+\.)+\w+'

These three are subject to exponential attack on many engines, though not on
current perl.

Eyeballing the list quickly, I see a few others that are suspicious and may
be subject to attack.

1 '<input name=.{0,5}submit.{0,99} Submit By E-Mail '

With an input similar to:

'<input name=submit Sub <input name=submit Sub <input name=submit Sub <input name=submit Sub <input name=submit Sub <input name=submit Sub '

The perl regexp match engine has an optimization that avoids an unexpected
surprise here. Particularly, it scans the input for the substring
'<input name=' and avoids the regexp engine if it fails to see
' Submit By E-Mail ' occur at an offset [18..122] beyond that point. That's
luck.

Another example:

1 '[0-9a-z]{6,24}[\-0-9_a-z]{12,36}[0-9a-z]{6,24}\s*'

Here, an input chosen from the set

  ('abcdefghij' . ( '-abcde' x 7)) x $n

is only processed at 9kb/sec.

And here are a few others that have caught my eye.

1 '\S{0,20}(?:\D[24](?:yo)?u|for-*you)(?:[\-.]\S{1,20})[EMAIL PROTECTED],20}\.(?:net|com|org|info)'
1 '\nX-Habeas-SWE-1:.{0,512}X-Habeas-SWE-9:.{0,64}\n'
1 'free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}quote'

Scott

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
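The three Received-header regexps above share the sub-pattern (?:[\-.0-9A-Z_a-z]+\.)+, in which the character class already contains '.', so a run of dots can be split between the class and the literal '\.' in exponentially many ways. The following is an added example, not code from this thread, from SpamAssassin or from perl: it compiles that pattern (hand-written as a small AST, an assumption of this example) into a toy backtracking VM that counts every (instruction, position) state it visits, and optionally memoizes states that have already been explored. The memoizing mode is a simplified model of the kind of failed-state cache that keeps an engine polynomial on this input; it is not a description of perl's actual implementation. The constructed input is a word character followed by n dots, which never matches, so the engine has to exhaust the whole search tree.

```python
"""Step-counted backtracking matcher for a tiny regex subset (added example).

The pattern \\w+(?:[\\-.0-9A-Z_a-z]+\\.)+\\w+ from the thread is hand-compiled
into ('char', pred) / ('split', a, b) / ('match',) instructions.  search()
counts popped (pc, sp) states as a proxy for engine work; with memoize=True
a state that was already explored is skipped, bounding the work by
O(len(prog) * len(text)).  Teaching model only, not perl's or SA's engine.
"""


def is_word(c: str) -> bool:
    """ASCII-only equivalent of \\w."""
    return c == "_" or (c.isascii() and c.isalnum())


def is_host_char(c: str) -> bool:
    """Equivalent of [\\-.0-9A-Z_a-z]; note that it also contains '.'."""
    return c in "-._" or (c.isascii() and c.isalnum())


def is_dot(c: str) -> bool:
    return c == "."


# AST nodes: ("char", predicate) | ("seq", [nodes]) | ("plus", node).
# Hand-written form of \w+(?:[\-.0-9A-Z_a-z]+\.)+\w+ (assumed, not parsed).
RECEIVED_HOST = ("seq", [
    ("plus", ("char", is_word)),
    ("plus", ("seq", [("plus", ("char", is_host_char)), ("char", is_dot)])),
    ("plus", ("char", is_word)),
])


def compile_regex(node):
    """Compile an AST into a flat instruction list ending in ('match',)."""
    prog = []

    def emit(n):
        kind = n[0]
        if kind == "char":
            prog.append(("char", n[1]))
        elif kind == "seq":
            for child in n[1]:
                emit(child)
        elif kind == "plus":
            start = len(prog)
            emit(n[1])
            # Greedy: prefer looping back to the body, else fall through.
            prog.append(("split", start, len(prog) + 1))
        else:
            raise ValueError(f"unknown node kind {kind!r}")

    emit(node)
    prog.append(("match",))
    return prog


def search(prog, text, memoize):
    """Unanchored search. Returns (matched, steps); steps counts every state
    popped by the backtracker.  Whether a (pc, sp) state can still reach
    'match' does not depend on the start position, so the seen-set is shared
    across starts when memoize is on."""
    steps = 0
    seen = set()
    for start in range(len(text) + 1):
        stack = [(0, start)]
        while stack:
            pc, sp = stack.pop()
            steps += 1
            if memoize:
                if (pc, sp) in seen:
                    continue  # already explored and did not lead to a match
                seen.add((pc, sp))
            op = prog[pc]
            if op[0] == "char":
                if sp < len(text) and op[1](text[sp]):
                    stack.append((pc + 1, sp + 1))
            elif op[0] == "split":
                stack.append((op[2], sp))  # tried second
                stack.append((op[1], sp))  # tried first (greedy branch)
            elif op[0] == "match":
                return True, steps
    return False, steps


PROGRAM = compile_regex(RECEIVED_HOST)


def cost_profile(lengths, memoize):
    """Steps needed to reject the constructed input 'x' + n dots."""
    return {n: search(PROGRAM, "x" + "." * n, memoize)[1] for n in lengths}


if __name__ == "__main__":
    print("legit host:", search(PROGRAM, "mail.example.com", memoize=False))
    print("naive     :", cost_profile((10, 15, 20), memoize=False))
    print("memoized  :", cost_profile((10, 15, 20), memoize=True))
```

Running it shows the naive step count growing geometrically with every extra dot while the memoized count grows linearly, which is why the same header pattern is a real problem on one engine and merely slow on another. It also illustrates the limit of the MAX_BODY_LINE_LENGTH mitigation discussed above: capping the chunk length bounds the cost of one chunk but not the number of chunks, so the per-rule engine behaviour still matters for header, rawbody and full tests.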