Subject: mailbombing DoS easily exploitable against mail systems using MS mail clients.
From: Bill Brandt (brandtwr-ntbugtraqDRAAW.NET)
Date: Tue Feb 29 2000 - 20:23:30 CST


Exploit type: DoS via mailbombing

Issue: MS mail clients may provide a means for an attacker to multiply the
number of messages sent during an attack by N*(N+1), where N is the number of
users in the largest list group containing an SMTP address.

Platforms: All mail platforms used by MS clients containing MS Outlook 97, 98,
2000, Windows Messaging, or Exchange client.

Overview:
I recently noticed an issue with MS mail clients (Outlook, etc.). The issue is
centered around the use of Read Receipt and Delivery Receipt tags. MS clients
support these features in all versions; however, in Outlook 97, Outlook 98, and
I am told Outlook 2000 there is no way to disable the response to a read receipt
(Some Outlook Express versions do allow for no response or a prompt user to
respond). In addition, I am not aware of any way to have the Exchange server
prevent these tags from being used or any way for an admin to disable the
delivery receipt function within the Exchange server. The interaction of this
function with smtp list addresses could cause a serious DoS exploit against an
Exchange mail system or any other mail system which has a large number of MS
client users.

Details:
An attacker wishing to cause a DoS attack upon a mail system having MS clients
need only obtain the smtp address of a group address list (ex:
allemployees@company.com). Once this smtp address is known, an email can be
crafted which is spoofed to be from allemployees@company.com to
allemployees@company.com with allemployees@company.com in the receipt header
tags. The end result is a message which is sent to everyone in the list. In
the case of read receipt (which I have tested), when each user opens the
message, that user's client automatically will force a receipt message to be
sent back to the entire list. An example company of 1,000 employees would see
1,000 emails with 1,000 x 1,000 replies which results in 1,001,000 messages. In
the case of larger organizations the result can be rather disastrous. Take for
instance an organization that has 100,000 members. Since the formula for the
number of messages is N*(N+1), the resulting number of messages is
10,000,100,000.

An alternate possibility is a cross attack where a spoofed message goes to
allemployees@company1.com from allemployees@company2.com. This results in one
company getting N messages and the other getting N^2 read receipts. Again, in
the case of 100,000 members in the list the result is 100,000 reply messages
that when they reach the end server become 10 trillion individual replies.

Possible Steps:
Since the Administrator of a site (and even the mail user) has no way to stop a
MS client from responding to a receipt request, the only currently known steps
that can be taken are:

1. If your mail system supports a way to strip the receipt header tags coming
in from outside generated SMTP messages, make sure that the tags are removed.
(Note: Exchange does not appear to support this. If anyone knows of a way to
do this, please provide details)

2. If SMTP access is not essential for a given list, remove SMTP addresses from
that group distribution list. This will prevent outside users from utilizing
the list.