[16646] in bugtraq
Re: WebShield SMTP infinite loop DoS Attack
daemon@ATHENA.MIT.EDU (Ash Hamid)
Thu Sep 7 16:49:12 2000
Message-ID: <20000907163419.9153.qmail@securityfocus.com>
Date: Thu, 7 Sep 2000 16:34:19 -0000
Reply-To: Ash Hamid <ash_hamid@NAI.COM>
From: Ash Hamid <ash_hamid@NAI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
The issue listed in the Bugtraq notification with DoS
CAN ONLY be reproduced if the following obscure
criteria have been met:
1) WebShield and Mail server are on the same box
2) The "Direct Send" option has been enabled in the
WebShield Configuration Screen "Delivery" - "Mail
Send" Section of the product.
3) DNS has been enabled with an MX record resolving
both "mydomain.com" & "mydomain.com." (trailing
period)
Flow of Mail Message:
Mail message received by WebShield, which then
uses "Direct Send" to resolve the target location; as
the trailing period is not recognized by "Direct Send", it
is unsuccessful. Then an attempt is made to resolve
by DNS; the DNS server does recognize the trailing
period and, as expected/designed, points the mail
message back to WebShield, thereby generating the
loop.
In the unlikely event that all three criteria do occur,
then the problem may be worked around by adding a
"mydomain.com." (trailing period) entry into the
"Direct Send" listing in WebShield, thereby allowing
resolution of mail.
As the workaround allows mail to be delivered as
expected, no hotfix has been scheduled for this issue.
Description:
>
> A DoS attack is very easy to implement on most WebShield SMTP setups.
> Sending E-mail with a "From: " address that includes a period after the
> domain name will cause an infinite loop using up resources until the server
> will finally crash. When restarted, the machine will continue to crash
> until the offending E-mail is manually removed.
>
> Details:
>
> The problem occurs because WebShield SMTP does not recognize that
> "domain_name.com" and "domain_name.com." are equivalent (both are valid
> forms of fully qualified domain names (FQDNs); with the period, it is
> referred to as a rooted FQDN). Both forms should work with all mail clients
> and servers. However, the trailing "." is rarely used (except in DNS
> maintenance).
>
> When a WebShield SMTP server is set up to accept incoming mail, it is
> typically configured to recognize at least one local domain. This is
> necessary since WebShield SMTP is placed before the real SMTP server. For
> example, if you run the domain "domain_name.com", you would configure
> WebShield SMTP to send all mail for "domain_name.com" to your real SMTP
> server.
>
> The problem arises when mail is sent to "user@domain_name.com.", which is an
> acceptable way to address the mail. WebShield SMTP does not recognize that
> "domain_name.com." is a local address (even though it knows that
> "domain_name.com" is a local address). So, it looks up the MX record for
> "domain_name.com.", which points to the WebShield SMTP server (it always
> will; that's how the mail got there in the first place). It then sends
> itself a copy of the message, adding a "Received: " line (per
> RFC821/RFC822). The message will continue to be sent to itself, growing
> each time as a new "Received: " line is added. As the file gets larger (to
> several megabytes), lots of CPU time is required to process and scan the
> E-mail, and more and more disk space is used for the E-mail itself and log
> files.
>
> In one example, a short E-mail was looped through the WebShield SMTP server
> over 37,000 times in under a day, growing to 4 megabytes. This was using
> WebShield v4.5. This can only be reproduced on a machine that has an MX
> record pointing to it (a test machine won't normally be able to reproduce
> this).
>
>
> The Attack:
>
> Send a mail to "anything@domain_name.com.".
>
> Work Around:
>
> The workaround is simple. In delivery options for Remote Send, under the
> Direct Send option, add "domain_name.com." as one of the domain names to
> route to the local mail server. Do this for every domain name your mail
> server handles.
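The root cause both messages describe is a local-domain check that treats "mydomain.com" and "mydomain.com." as different names, compounded by the absence of any hop limit that would stop a relay from re-accepting its own mail. The following Python is an added illustration, not code from the advisory, from NAI or from WebShield; the domain list, the hop limit and the sample message are constructed. It shows the two defensive checks a relay can apply: normalise the domain before the local-domain lookup, and refuse a message that already carries too many Received: lines.

```python
import email
from email import policy

# Constructed configuration (hypothetical name): domains the relay hands
# to the real mail server, stored in normalised form.
LOCAL_DOMAINS = {"mydomain.com"}

# Hop limit in the spirit of the RFC 5321 "too many hops" check; the
# number is a constructed choice, not a product setting.
MAX_RECEIVED = 30


def normalize_domain(domain: str) -> str:
    """Canonical form of a domain: lower-case, trailing root dot removed.

    'mydomain.com' and 'mydomain.com.' (rooted FQDN) both map to 'mydomain.com'.
    """
    return domain.strip().lower().rstrip(".")


def is_local_recipient(address: str) -> bool:
    """True when the recipient's domain, after normalisation, is local."""
    if "@" not in address:
        return False
    return normalize_domain(address.rsplit("@", 1)[1]) in LOCAL_DOMAINS


def add_received_hop(message_text: str, hostname: str) -> str:
    """Prepend the Received: line an MTA adds on each hop; this models the
    per-hop growth the advisory describes."""
    return f"Received: from {hostname} by {hostname}; (constructed)\n" + message_text


def loop_through(message_text: str, hostname: str, hops: int) -> str:
    """Pass the message through the same host `hops` times (loop simulation)."""
    for _ in range(hops):
        message_text = add_received_hop(message_text, hostname)
    return message_text


def route(message_text: str, recipient: str) -> str:
    """Routing decision: 'local', 'remote', or 'reject-loop' when the
    message has already been through too many hops."""
    msg = email.message_from_string(message_text, policy=policy.default)
    if len(msg.get_all("Received", [])) >= MAX_RECEIVED:
        return "reject-loop"
    return "local" if is_local_recipient(recipient) else "remote"


# Constructed sample message with the rooted-FQDN recipient from the advisory.
SAMPLE = "From: sender@example.net\nTo: anything@mydomain.com.\nSubject: test\n\nhello\n"
```

With normalisation in place, `route(SAMPLE, "anything@mydomain.com.")` is delivered locally on the first hop; without it, the hop counter is the backstop that ends the loop instead of the disk filling up.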