Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: WebShield SMTP infinite loop DoS Attack
From: Ash Hamid <ash_hamid () NAI COM>
Date: Thu, 7 Sep 2000 16:34:19 -0000


The issue listed in the Bugtrack notification with DoS 
CAN ONLY be reproduced if the following obscure 
criteria has been met: ~

1) WebShield and Mail server are on the same box
2) The "Direct Send" option has been enabled In the 
WebShield Configuration Screen "Delivery" - "Mail 
Send" Section of the product.
3) DNS has been enabled with a MX record resolving 
both "mydomain.com" & "mydomain.com." (trailing 
period)

Flow of Mail Message: ~

Mail message received by WebShield which then 
uses "Direct Send" to resolve the target location, as 
the trailing period is not recognized by "Direct Send" it 
is unsuccessful. Then a attempt is made to resolve 
by DNS, the DNS server does recognize the trailing 
period and as expected/designed points the mail 
message back to WebShield thereby generating the 
loop.

In the unlikely event that all three criteria do occur 
then the problem may be worked around by adding 
"mydomain.com." (trailing period) entry into the 
"Direct Send" listing In WebShield thereby allowing 
resolution of mail.

As the work around allows mail to be delivered as 
expected, no hotfix has been scheduled for this issue.



Description:

A DoS attack is very easy to implement on most 
WebShield SMTP setups.
Sending E-mail with a "From: " address that 
includes a period after the
domain name will cause an infinite loop using up 
resources until the server
will finally crash.  When restarted, the machine will 
continue to crash
until the offending E-mail is manually removed.


Details:

The problem occurs because WebShield SMTP 
does not recognize that
"domain_name.com" and "domain_name.com." are 
equivalent (both are valid
forms of fully qualified domain names (FQDNs); 
with the period, it is
referred to as a rooted FQDN).  Both forms should 
work with all mail clients
and servers.  However, using the trailing "." is rarely 
used (except in DNS
maintenance).

When a WebShield SMTP server is set up to 
accept incoming mail, it is
typically  configured to recognize at least one local 
domain.  This is
necessary since  WebShield SMTP is placed 
before the real SMTP server.  For
example, if you run the domain 
"domain_name.com", you would configure
WebShield SMTP to send all mail for 
"domain_name.com" to your real SMTP
server.

The problem arises when mail is sent to 
"user () domain_name com ", which is an
acceptable way to address the mail.  WebShield 
SMTP does not recognize that
"domain_name.com." is a local address (even 
though it knows that
"domain_name.com" is a local address).  So, it 
looks up the MX record for
"domain_name.com.", which points to the 
WebShield SMTP server (it always
will; that's how the mail got there in the first place).  
It then sends
itself a copy of the message, adding a "Received: " 
line (per
RFC821/RFC822).  The message will continue to 
be sent to itself, growing
each time as a new "Received: " line is added.  As 
the file gets larger (to
several megabytes), lots of CPU time is required to 
process and scan the
E-mail, and more and more disk space is used for 
the E-mail itself and log
files.

In one example, a short E-mail was looped through 
the WebShield SMTP server
over 37,000 times in under a day, growing to 4 
megabytes.  This was using
WebShield v4.5.  This can only be reproduced on a 
machine that has an MX
record pointing to it (a test machine won't normally 
be able to reproduce
this).


The Attack:

Send an mail to "anything () domain_name com ".


Work Around:

The workaround is simple.  In delivery options for 
Remote Send, under the
Direct Send option, add "domain_name.com." as 
one of the domain names to
route to the local mail server.  Do this for every 
domain name your mail
server handles.




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault