Network Associates WebShield SMTP Trailing Period DoS Vulnerability
BID:1589
Info
| Bugtraq ID: | 1589 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 18 2000 12:00AM |
| Updated: | Aug 18 2000 12:00AM |
| Credit: | Posted to Bugtraq on August 18, 2000 by Scott Perry <[email protected]>. |
| Vulnerable: | Network Associates WebShield SMTP 4.5 |
| Not Vulnerable: | Network Associates WebShield SMTP 4.5.74 .0; Network Associates WebShield SMTP 4.5.44; Network Associates WebShield SMTP 4.5 MR1a |
Discussion
A certain configuration of Network Associates WebShield SMTP is vulnerable to a remote denial of service attack. If WebShield and the mailserver are installed on the same machine and the "Direct Send" option has been enabled in the "Delivery" - "Mail Send" configuration in WebShield, this vulnerability can be exploited by sending an email with a dot character trailing the domain name such as '[email protected].'
In this case, Company XYZ with the domain of companyxyz.com is used as an example. The server running WebShield SMTP at Company XYZ does not recognize that '[email protected].' is equivalent to '[email protected]' even though both are Fully Qualified Domain Names (FQDN). Therefore, if a remote user attempts to send an email to '[email protected].' (note the trailing period), WebShield SMTP will not recognize 'companyxyz.com.' as a local domain.
WebShield SMTP will then look up the MX (mail exchange) record for 'companyxyz.com.' on a Domain Name Server and send itself a copy of the message, adding a 'Received:' line. WebShield SMTP will continue to send itself the email, each time adding another 'Received:' line, until either the offending email is manually removed or CPU resources are consumed to such a degree that the application crashes. WebShield will resume this process even after a reboot, until the offending email is manually removed.
This exploit will only work if an MX record is pointing to the domain.
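The local-domain check described above, as an added example that is not WebShield's code or part of the original advisory: it contrasts a raw string comparison with one that normalizes the trailing root dot, and adds a 'Received:' hop-count guard as a general loop backstop. The function names, the `user` mailbox, the sample messages and the threshold of 100 are assumptions made for illustration.

```python
from email import message_from_string

LOCAL_DOMAINS = {"companyxyz.com"}  # example domain used in the advisory
MAX_RECEIVED = 100                  # assumed loop threshold (hypothetical setting)


def naive_is_local(address):
    """Behaviour the advisory describes: the domain is compared as typed."""
    return address.rsplit("@", 1)[-1] in LOCAL_DOMAINS


def normalize_domain(domain):
    """Case-fold and drop one trailing root dot so both FQDN spellings match."""
    domain = domain.strip().lower()
    return domain[:-1] if domain.endswith(".") else domain


def is_local(address):
    """Hardened check: compare the normalized domain against local domains."""
    return normalize_domain(address.rsplit("@", 1)[-1]) in LOCAL_DOMAINS


def route(address, raw_message):
    """Return 'reject-loop', 'deliver-local' or 'relay' for one recipient."""
    msg = message_from_string(raw_message)
    # Backstop: a message that already carries too many Received: lines is
    # looping, whatever the reason, and must not be queued again.
    if len(msg.get_all("Received", [])) >= MAX_RECEIVED:
        return "reject-loop"
    return "deliver-local" if is_local(address) else "relay"


# Constructed sample messages (not captured traffic).
FRESH = "Received: from client.example.org\nSubject: test\n\nbody\n"
LOOPED = "".join(
    "Received: from mail.companyxyz.com; hop %d\n" % i for i in range(100)
) + "Subject: test\n\nbody\n"

if __name__ == "__main__":
    for rcpt in ("user@companyxyz.com", "user@companyxyz.com."):
        print(rcpt, "naive:", naive_is_local(rcpt), "normalized:", is_local(rcpt))
    print(route("user@companyxyz.com.", FRESH))
    print(route("user@companyxyz.com.", LOOPED))
```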
Exploit / POC
Send an email with a period trailing the email address to a host running WebShield SMTP.
Solution / Fix
Solution:
WebShield 4.5MR1a and later are not vulnerable to this issue. Users are advised to upgrade to the latest version of WebShield.