6942980 2001-08-20 21:19 +0000 /49 rader/ Ian Gulliver <ian@orbz.org> Sänt av: joel@lysator.liu.se Importerad: 2001-08-21 00:32 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <18861> Ärende: Lotus Domino DoS ------------------------------------------------------------ From: Ian Gulliver <ian@orbz.org> To: bugtraq@securityfocus.com Message-ID: <20010820211932.F23908@penguinhosting.net> Problem: -------- Some oddly formed mail envelopes can cause Lotus Domino to enter a mail routing loop and consume 100% CPU. Description: ------------ When a message is sent to a Lotus Domino server with an envelope similar to: MAIL FROM:<bounce@[127.0.0.1]> RCPT TO:<address@domain.com> where domain.com is not local to the server in question, the server attempts to bounce the message, and the bounce goes into a loop, constantly being sent back to the same server. Versions Affected: ------------------ Confirmed on Lotus Domino R4.63, R5.01, R5.05 and R5.08 Solution: --------- Shut down the mail server, delete the offending message from queue and restart the server. This won't stop the exact same thing from happening again. Notes: ------ I don't run Lotus Domino myself. I run the ORBZ project, and this was reported to us because our scanner generates this sort of envelope. Investigation of versions and solutions provided by Matt Dearmon of CPA Systems <matt@cpasystems.com>. Ian Gulliver ORBZ (6942980) /Ian Gulliver <ian@orbz.org>/------------- 6949015 2001-08-21 12:47 +0400 /29 rader/ 3APA3A <3APA3A@SECURITY.NNOV.RU> Sänt av: joel@lysator.liu.se Importerad: 2001-08-21 19:33 av Brevbäraren Extern mottagare: Ian Gulliver <ian@orbz.org> Extern kopiemottagare: bugtraq@securityfocus.com Externa svar till: 3APA3A@SECURITY.NNOV.RU Mottagare: Bugtraq (import) <18886> Kommentar till text 6942980 av Ian Gulliver <ian@orbz.org> Ärende: Re: Lotus Domino DoS ------------------------------------------------------------ From: 3APA3A <3APA3A@SECURITY.NNOV.RU> To: Ian Gulliver <ian@orbz.org> Cc: bugtraq@securityfocus.com Message-ID: <77256949073.20010821124735@sandy.ru> Dear Ian Gulliver, --21.08.2001 1:19, you wrote Lotus Domino DoS to bugtraq@securityfocus.com; I> MAIL FROM:<bounce@[127.0.0.1]> RCPT I> TO:<address@domain.com> I> where domain.com is not local to the server in question, I> the server attempts to bounce the message, and the bounce I> goes into a loop, constantly being sent back to the same I> server. It was reported in vuln-dev list on May, 20 2000 by SMILER <smiler@VXD.ORG> in same time with SMTP buffer overflow in Lotus. I wonder why it's not patched yet. http://www.security.nnov.ru/search/document.asp?docid=226 -- /3APA3A (6949015) /3APA3A <3APA3A@SECURITY.NNOV.RU>/(Ombruten) 6960929 2001-08-23 09:31 +0200 /60 rader/ Radoslav Dejanoviæ <radoslav.dejanovic@zagreb.hr> Sänt av: joel@lysator.liu.se Importerad: 2001-08-23 16:14 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <18917> Kommentar till text 6942980 av Ian Gulliver <ian@orbz.org> Ärende: Lotus Domino DoS solution ------------------------------------------------------------ From: "Radoslav Dejanoviæ" <radoslav.dejanovic@zagreb.hr> To: <bugtraq@securityfocus.com> Message-ID: <004c01c12ba5$a4de8810$6e080b0a@glupson> > where domain.com is not local to the server in question, > the server attempts to bounce the message, and the bounce > goes into a loop, constantly being sent back to the same > server. There is "Solution v1.0pl1" for this. Open Domino Administrator and connect to your Domino server. Click on the "Configuration" tab, then on the left pane expand "Messaging" submenu, select "Configurations". On the right pane select your server to open it's configuration panel. Now, you'll be presented with new window named "Configuration for server/DOMAIN" There's a row of tabs on the top; select "Router/SMTP". You'll be presented with more tabs. Select "Restrictions and Controls" tab to get even more tabs. :-) What you need is "SMTP Inbound Controls". There's a field under the section "Inbound Sender Controls" named "Deny messages from the following internet address/domains". Put the IP in that address, enclosed in brackets - [127.0.0.1]. Note that you can put more than one IP address there (i.e. your localhost and your real IP), but each must be enclosed in it's own brackets. This is the slight change from my previous post (rejected anyway :-) - I made a mistake by selecting "Inbound Connection Controls" instead, which doesn't check for senders e-mail (what is really needed here, since From: field generates trouble, not the inbound connection; credit for the fix goes to pero.vukojevic@hal.hr). We tested this, and it rejects inbound connection made from address user@[127.0.0.1] with the nice message in the log: > 22.08.2001 17:10:32 SMTP Server: 10.11.8.110 connected 22.08.2001 17:10:32 SMTP Server [0624:0004-0200] Mail from bounce@[127.0.0.1] rejected for policy reasons. Sender is denied in your configuration. This workaround can save you from DoS attacks (I've been told of at least one such attack recently on local Domino servers here), you can even use it in the middle of an attack to stop it. If you're already attacked and the message bounces around, you don't need to shut down entire server, just stop mail services, delete the message from the queue and start services again. Note: this workaround is tested just for the reported vulnerability. This shouldn't break anything, but be careful implementing this if your Domino server is not the main/only mail service at your location. If you encounter problem, you can fix it easily by removing the value from the field, but in any case Microsoft-like EULA is applied to this message. ;-) (6960929) /Radoslav Dejanoviæ <radoslav.dejanovic@zagreb.hr>/(Ombruten)