[New-bugs-announce] [issue31449] Potential DoS Attack when Parsing Email with Huge Number of MIME Parts
Christian Koßmann
report at bugs.python.org
Wed Sep 13 08:19:54 EDT 2017
New submission from Christian Koßmann:
Python's email parser consumes a lot of resources (CPU and memory) when parsing emails with a large amount of MIME parts. Attackers can probably exploit this behavior to perform denial-of-service (DoS) attacks.
A potentially malicious email has the following structure:
=============================================
From: sender at example.com
To: recipient at example.com
Subject: Multipart DoS Attack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n"

This is a multi-part message in MIME format.
--n
b
--n
... a lot of parts here...
--n
b
--n--
=============================================
On my machine parsing an email with 1 million MIME parts takes around 20 seconds and with 10 million MIME parts over 3 minutes.
In my opinion, the number of MIME parts should be limited to some reasonable value to mitigate this kind of attack. The bug report contains a Python script with a proof-of-concept.
----------
components: email
files: multipart-dos-attack.py
messages: 302060
nosy: barry, ckossmann, r.david.murray
priority: normal
severity: normal
status: open
title: Potential DoS Attack when Parsing Email with Huge Number of MIME Parts
type: security
versions: Python 3.5, Python 3.6
Added file: https://bugs.python.org/file47138/multipart-dos-attack.py
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue31449>
_______________________________________
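A defensive counterpart to the report above, written as an added example (it is not the reporter's attached multipart-dos-attack.py): a cheap pre-parse guard that reads only the headers, counts the declared boundary's delimiter lines in the raw bytes with a linear scan, and refuses to hand the message to the full parser when the count exceeds a configurable limit. The MAX_PARTS value, the helper names and the constructed sample message are assumptions.

```python
import email
import re
from email.parser import BytesHeaderParser
from email.policy import default
from typing import Optional

MAX_PARTS = 1000  # assumed ceiling on top-level MIME parts; tune per deployment


def build_multipart(n_parts: int) -> bytes:
    """Construct a sample message with n_parts one-byte parts (constructed test input)."""
    head = (b"From: sender@example.com\r\n"
            b"To: recipient@example.com\r\n"
            b"Subject: test\r\n"
            b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="n"\r\n\r\n')
    body = b"".join(b"--n\r\n\r\nb\r\n" for _ in range(n_parts))
    return head + body + b"--n--\r\n"


def count_boundary_lines(raw: bytes, boundary: bytes) -> int:
    """Count delimiter lines '--boundary' (trailing whitespace allowed), excluding
    the closing '--boundary--'.  One regex pass over the bytes, no MIME parsing."""
    pattern = re.compile(rb"(?m)^--" + re.escape(boundary) + rb"[ \t]*\r?$")
    return len(pattern.findall(raw))


def declared_boundary(raw: bytes) -> Optional[bytes]:
    """Parse only the header block (cheap) and return the top-level boundary, if any."""
    headers = BytesHeaderParser(policy=default).parsebytes(raw)
    boundary = headers.get_boundary()
    return None if boundary is None else boundary.encode("ascii", "surrogateescape")


def safe_parse(raw: bytes, max_parts: int = MAX_PARTS):
    """Reject messages whose top-level part count exceeds max_parts before the
    expensive full parse runs.  Caveat: nested multiparts use their own boundaries,
    so a complete guard would also bound total size and recursion depth."""
    boundary = declared_boundary(raw)
    if boundary is not None:
        n = count_boundary_lines(raw, boundary)
        if n > max_parts:
            raise ValueError(f"message declares {n} MIME parts, limit is {max_parts}")
    return email.message_from_bytes(raw, policy=default)
```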