Subject: WebShield SMTP infinite loop DoS Attack
From: Scott Perry (scott.perry@KEWILL.COM)
Date: Fri Aug 18 2000 - 10:25:45 CDT


Description:

A DoS attack is very easy to carry out against most WebShield SMTP setups.
Sending E-mail with a "From: " address that includes a period after the
domain name will cause an infinite loop that uses up resources until the
server finally crashes. When restarted, the machine will continue to crash
until the offending E-mail is manually removed from the queue.

Details:

The problem occurs because WebShield SMTP does not recognize that
"domain_name.com" and "domain_name.com." are equivalent (both are valid
forms of fully qualified domain names (FQDNs); with the period, it is
referred to as a rooted FQDN). Both forms should work with all mail clients
and servers. However, the trailing "." form is rarely used (except in DNS
maintenance), so the case is easily overlooked.

When a WebShield SMTP server is set up to accept incoming mail, it is
typically configured to recognize at least one local domain. This is
necessary since WebShield SMTP is placed before the real SMTP server. For
example, if you run the domain "domain_name.com", you would configure
WebShield SMTP to send all mail for "domain_name.com" to your real SMTP
server.

The problem arises when mail is sent to "user@domain_name.com.", which is an
acceptable way to address the mail. WebShield SMTP does not recognize that
"domain_name.com." is a local address (even though it knows that
"domain_name.com" is a local address). So, it looks up the MX record for
"domain_name.com.", which points to the WebShield SMTP server (it always
will; that's how the mail got there in the first place). It then sends
itself a copy of the message, adding a "Received: " line (per
RFC821/RFC822). The message will continue to be sent to itself, growing
each time as a new "Received: " line is added. As the file gets larger (to
several megabytes), lots of CPU time is required to process and scan the
E-mail, and more and more disk space is used for the E-mail itself and log
files.

In one example, a short E-mail was looped through the WebShield SMTP server
over 37,000 times in under a day, growing to 4 megabytes. This was using
WebShield v4.5. This can only be reproduced on a machine that has an MX
record pointing to it (a test machine won't normally be able to reproduce
this).

The Attack:

Send mail to "anything@domain_name.com.".

Work Around:

The workaround is simple. In delivery options for Remote Send, under the
Direct Send option, add "domain_name.com." as one of the domain names to
route to the local mail server. Do this for every domain name your mail
server handles.
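The two halves of the problem above (the gateway matching local domains by exact
string so that the rooted spelling falls through to the MX lookup, and the lack
of any hop limit that would break the resulting self-relay loop) can be shown in
a few lines. The following is example code added to this post; it is not
WebShield's code and does not reproduce its configuration. The local-domain set,
the hop ceiling, the gateway hostname and the sample message are all constructed
for the demonstration. Note that listing "domain_name.com." by hand, as the
workaround does, only covers the domains you remember to add; canonicalizing the
domain before comparison, as below, covers the rooted form and differences in
letter case for every domain at once, and counting "Received: " lines (the loop
detection RFC 5321 recommends) stops the message from growing without bound even
if some other routing mistake sends it back to the gateway.

```python
"""Mail-loop demonstration: exact-string vs. canonical local-domain match.

Example code added to this post; it is not WebShield's code. The domain
list, hop limit, hostname and message below are constructed inputs.
"""
import email

# Constructed: the domains this gateway forwards to the internal server.
LOCAL_DOMAINS = {"domain_name.com"}

# Assumption: a hop ceiling in the spirit of RFC 5321 section 6.3 (count
# Received: trace lines to detect a loop); the value itself is arbitrary.
MAX_HOPS = 25

# Constructed test message addressed with the rooted FQDN form.
SAMPLE = (
    b"From: someone@example.net\r\n"
    b"To: user@domain_name.com.\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"hello\r\n"
)


def canonical_domain(domain):
    """Return a comparison form: lowercase, root dot removed.

    'domain_name.com.' (rooted FQDN) and 'DOMAIN_NAME.COM' both map to
    'domain_name.com'; DNS names are case-insensitive.
    """
    d = domain.strip().lower()
    if d.endswith("."):
        d = d[:-1]
    return d


def naive_is_local(domain, local_domains):
    """Exact-string match, as the advisory describes the gateway doing."""
    return domain in local_domains


def is_local(domain, local_domains):
    """Match on canonical form so the rooted spelling is recognised."""
    return canonical_domain(domain) in {canonical_domain(d) for d in local_domains}


def recipient_domain(address):
    """Take the part after the last '@' of an addr-spec ('' if none)."""
    _localpart, sep, domain = address.rpartition("@")
    return domain if sep else ""


def received_hops(raw_message):
    """Count 'Received:' trace headers; relays add one per hop."""
    msg = email.message_from_bytes(raw_message)
    return len(msg.get_all("Received", []))


def relay_once(raw_message, hostname):
    """Prepend a 'Received:' line, as a relay does on each hop."""
    line = "Received: from {0} by {0}; loop demo\r\n".format(hostname).encode()
    return line + raw_message


def simulate(raw_message, recipient, local_domains, local_check,
             hostname="gw.domain_name.com"):
    """Push the message through the gateway until it is delivered or the hop cap trips.

    Returns (outcome, hops). A 'remote' send resolves the recipient domain's
    MX, which (as in the advisory) points back at this same gateway, so the
    message comes straight back carrying one more 'Received:' line.
    """
    hops = 0
    msg = raw_message
    while True:
        if received_hops(msg) >= MAX_HOPS:
            return ("rejected-loop", hops)
        if local_check(recipient_domain(recipient), local_domains):
            return ("delivered", hops)
        msg = relay_once(msg, hostname)
        hops += 1


if __name__ == "__main__":
    rcpt = "user@domain_name.com."
    print("exact match    :", simulate(SAMPLE, rcpt, LOCAL_DOMAINS, naive_is_local))
    print("canonical match:", simulate(SAMPLE, rcpt, LOCAL_DOMAINS, is_local))
```

With the exact-string check the message circulates until the hop ceiling
rejects it; with the canonical check it is handed to the internal server on the
first pass. The hop count is what bounds the damage in the first case: without
it the loop in the simulation, like the one in the advisory, runs until the
machine runs out of resources.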
