'Nettwerked Advisory; dead.letter DoS in Tin'

-+

Advisory released: Tuesday December 14, 1999
Severity: Augmentation of dead.letter process in Tin Newsreader may severely slow down or crash server.
Author: The Clone

-+

I.   Introduction
II.  Details
III. Possible Solutions
IV.  Conclusion
V.   Contact Information

-- Introduction:

This advisory was written to show a serious issue involving the Tin Newsreader that system administrators must be aware of. I am in no way advocating nor condoning Denial of Service attacking. Denial of Service attacking or "DoSing" is illegal and does break the Terms of Service (TOS) with most if not all Internet Service Providers. So before you go ahead and break the law, keep in mind that you will either get a warning from your ISP, have your internet account revoked, or in some cases you will be charged. Now that I have cleared that up, let me get into detail about this solemn attack that has been greatly overlooked.

-- Details:

It was around two weeks ago, while I was reading through alt.rave (posting articles, reading articles, etc.), when I was suddenly disconnected (i.e. my modem hung up). I assumed that the problem was simply line noise from my modem that spewed up high-ASCII characters which caused the disconnection. As soon as I logged back onto my account, I went into my file directory and found a 4.5MB dead.letter file. The dead.letter was obviously created when I suddenly dropped carrier. Following the discovery of the dead.letter, I did what I would usually do if I found one in my file directory... deleted it! Deleting the dead.letter didn't help. A few seconds later, the dead.letter appeared once again. Each time I reloaded my Lynx browser, the file grew by 30KB. As I attempted to figure out what was happening, the night turned into early morning. I decided my only option would be to give it up and see if the file would stop growing by the next day.
At around 9:30am I checked my file directory only to find the dead.letter had grown to an enormous 25MB. "Now what could be the problem?" I asked myself. The only explanation I had was that when I disconnected from the internet, the Tin Newsreader thought I was still logged on and kept reading through the 15,000 or so messages. Every time someone posted on alt.rave, it added to the initial messages to be read through as well as the dead.letter size. Immediately I contacted the system administrator and told him about what had happened. Within half an hour, he e-mailed me back and told me he had killed the process. I assumed right. The admin told me that there was nothing I could have done to have stopped this from happening. Now if I hadn't contacted him, this "Tin DoS" may have overloaded the 10.8GB sent-mail disk quota of my ISP... crash and burn, baby!

-- Possible Solutions:

What could my ISP (and others) do to stop this type of problem from occurring again? Some possible solutions are:

1. Have a disk quota limit of 20MB per member. As soon as the limit is reached, it automatically kills the process which is taking up space. In this case it's the infinitely growing Tin dead.letter file.

2. Let's say by some chance a user is suddenly disconnected from the internet while still logged onto Tin and reading newsgroups. Tin should know that there is no longer anyone reading newsgroups and immediately stop its processes.

I haven't tried out this DoS with any other version of Tin except for 'tin 1.2 PL2.6 [UNIX]'. (Copyright 1991-93 Iain Lea.)

-- Conclusion:

This Denial of Service attack shouldn't be taken lightly by anyone. Especially ISPs and free internet shell providers who do offer Tin on their system. If anyone wishes to test this DoS on their systems using a newer version of Tin (beyond 1.2 PL2.6), please do and let me know if this attack works on it too.
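The first of the two solutions above (a per-user limit with an automatic reaction) can be approximated by a periodic check even where the system has no filesystem quotas. What follows is an added example, not code from the advisory or from Tin: a watchdog that finds dead.letter files that have grown past a size limit under a home-directory tree and names the process still holding each one open, since the Details section shows that deleting the file while the orphaned newsreader lives only brings it back. The directory layout, the 20KB threshold and the use of fuser are assumptions; the script reports rather than kills, so the admin confirms which process is orphaned before terminating it.

```shell
#!/bin/sh
# Added example, not part of the original advisory: a watchdog for the
# runaway dead.letter files described above. The home-directory tree,
# the size limit and the availability of fuser are assumptions.

# Print every dead.letter below $1 that is larger than $2 bytes.
find_runaway_deadletters() {
    find "$1" -type f -name dead.letter -size "+${2}c" 2>/dev/null
}

# Number of such files, for a cron job that only alerts when non-zero.
count_runaway_deadletters() {
    find_runaway_deadletters "$1" "$2" | wc -l | tr -d ' '
}

# Name the process that still has the file open. The advisory shows that
# deleting the file is useless while the orphaned newsreader keeps writing,
# so the process, not the file, is what the admin has to deal with.
report_owner() {
    if command -v fuser >/dev/null 2>&1; then
        fuser "$1" 2>/dev/null || echo "no process currently has $1 open"
    else
        echo "fuser not installed; check with lsof or ps for the owner of $1"
    fi
}

# Stand-alone demo on a constructed home tree (two users, one runaway file).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/alice" "$tmp/bob"
    # 64KB of zeros stands in for a dead.letter that kept growing.
    dd if=/dev/zero of="$tmp/alice/dead.letter" bs=1024 count=64 2>/dev/null
    printf 'one harmless line\n' > "$tmp/bob/dead.letter"
    for f in $(find_runaway_deadletters "$tmp" 20480); do
        echo "runaway: $f ($(wc -c < "$f") bytes)"
        report_owner "$f"
    done
    rm -rf "$tmp"
}

demo
```

Run it from cron against the real home directory root with the limit the site chooses; a non-zero count from count_runaway_deadletters is the condition to alert on.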
-- Contact Information:

If you want to contact me about this article or anything, please e-mail me at: webmaster@nettwerk.hypermart.net

Site:  http://nettwerk.hypermart.net
Group: http://www.hackcanada.com

A N E T T W E R K E D P R O D U C T