6942980 2001-08-20 21:19 +0000  /49 lines/ Ian Gulliver <ian@orbz.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  00:32  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18861>
Subject: Lotus Domino DoS
------------------------------------------------------------
From: Ian Gulliver <ian@orbz.org>
To: bugtraq@securityfocus.com
Message-ID: <20010820211932.F23908@penguinhosting.net>

Problem:
--------
Some oddly formed mail envelopes can cause Lotus Domino to
enter a mail routing loop and consume 100% CPU.


Description:
------------
When a message is sent to a Lotus Domino server with an
envelope similar to:

MAIL FROM:<bounce@[127.0.0.1]>
RCPT TO:<address@domain.com>

where domain.com is not local to the server in question,
the server attempts to bounce the message, and the bounce
goes into a loop, constantly being sent back to the same
server.


Versions Affected:
------------------
Confirmed on Lotus Domino R4.63, R5.01, R5.05 and R5.08


Solution:
---------
Shut down the mail server, delete the offending message
from queue and restart the server.  This won't stop the
exact same thing from happening again.


Notes:
------
I don't run Lotus Domino myself.  I run the ORBZ project,
and this was reported to us because our scanner
generates this sort of envelope.  Investigation of
versions and solutions provided by Matt Dearmon of CPA
Systems <matt@cpasystems.com>.


Ian Gulliver
ORBZ
(6942980) /Ian Gulliver <ian@orbz.org>/-------------
6949015 2001-08-21 12:47 +0400  /29 lines/ 3APA3A <3APA3A@SECURITY.NNOV.RU>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  19:33  by Brevbäraren
External recipient: Ian Gulliver <ian@orbz.org>
External CC recipient: bugtraq@securityfocus.com
External replies to: 3APA3A@SECURITY.NNOV.RU
Recipient: Bugtraq (import) <18886>
Comment on text 6942980 by Ian Gulliver <ian@orbz.org>
Subject: Re: Lotus Domino DoS
------------------------------------------------------------
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: Ian Gulliver <ian@orbz.org>
Cc: bugtraq@securityfocus.com
Message-ID: <77256949073.20010821124735@sandy.ru>

Dear Ian Gulliver,

--21.08.2001 1:19, you wrote Lotus Domino DoS to
bugtraq@securityfocus.com;

I> MAIL FROM:<bounce@[127.0.0.1]>
I> RCPT TO:<address@domain.com>

I> where domain.com is not local to the server in question,
I> the server attempts to bounce the message, and the bounce
I> goes into a loop, constantly being sent back to the same
I> server.


It was reported on the vuln-dev list on May 20, 2000 by SMILER
<smiler@VXD.ORG> at the same time as an SMTP buffer overflow in
Lotus. I wonder why it's not patched yet.

http://www.security.nnov.ru/search/document.asp?docid=226


-- 
/3APA3A
(6949015) /3APA3A <3APA3A@SECURITY.NNOV.RU>/(Re-wrapped)
6960929 2001-08-23 09:31 +0200  /60 lines/ Radoslav Dejanović <radoslav.dejanovic@zagreb.hr>
Sent by: joel@lysator.liu.se
Imported: 2001-08-23  16:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18917>
Comment on text 6942980 by Ian Gulliver <ian@orbz.org>
Subject: Lotus Domino DoS solution
------------------------------------------------------------
From: "Radoslav Dejanović" <radoslav.dejanovic@zagreb.hr>
To: <bugtraq@securityfocus.com>
Message-ID: <004c01c12ba5$a4de8810$6e080b0a@glupson>

> where domain.com is not local to the server in question,
> the server attempts to bounce the message, and the bounce
> goes into a loop, constantly being sent back to the same
> server.

There is "Solution v1.0pl1" for this.

Open Domino Administrator and connect to your Domino server.  Click
on the "Configuration" tab, then on the left pane expand the "Messaging"
submenu and select "Configurations". On the right pane select your
server to open its configuration panel.

Now, you'll be presented with new window named "Configuration for
server/DOMAIN" There's a row of tabs on the top; select
"Router/SMTP". You'll be presented with more tabs. Select
"Restrictions and Controls" tab to get even more tabs. :-)

What you need is "SMTP Inbound Controls". There's a field under the
section "Inbound Sender Controls" named "Deny messages from the
following internet address/domains".  Put the IP in that field,
enclosed in brackets - [127.0.0.1]. Note that you can put more than
one IP address there (i.e. your localhost and your real IP), but each
must be enclosed in its own brackets.

This is a slight change from my previous post (rejected anyway :-):
I made a mistake by selecting "Inbound Connection Controls"
instead, which doesn't check the sender's e-mail (which is what is
really needed here, since the From: field generates the trouble, not
the inbound connection; credit for the fix goes to pero.vukojevic@hal.hr).

We tested this, and it rejects an inbound connection made from the
address user@[127.0.0.1] with a nice message in the log:

22.08.2001 17:10:32 SMTP Server: 10.11.8.110 connected
22.08.2001 17:10:32 SMTP Server [0624:0004-0200] Mail from bounce@[127.0.0.1]
rejected for policy reasons. Sender is denied in your configuration.

This workaround can save you from DoS attacks (I've been told of at
least one such attack recently on local Domino servers here); you can
even use it in the middle of an attack to stop it.  If you're already
under attack and the message bounces around, you don't need to shut
down the entire server, just stop the mail services, delete the message
from the queue and start the services again.

Note: this workaround is tested only for the reported
vulnerability. It shouldn't break anything, but be careful
implementing it if your Domino server is not the main/only mail
service at your location. If you encounter a problem, you can fix it
easily by removing the value from the field, but in any case a
Microsoft-like EULA applies to this message. ;-)
(6960929) /Radoslav Dejanović <radoslav.dejanovic@zagreb.hr>/(Re-wrapped)
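An added example, written for this page and not code from any of the posts above or from Lotus: a Python sender check in the spirit of the Domino "Deny messages from the following internet address/domains" entry, applied at MAIL FROM time to the envelope from the first post. It goes one step further than a string match on [127.0.0.1]: the domain literal is parsed as an IP address, so any loopback address (127/8 or IPv6 ::1) and any address in a list of the server's own addresses is refused, while the null sender <> is always accepted. The server address 192.0.2.10, the function names and the sample session are assumptions.

```python
"""Reject MAIL FROM senders whose domain part is an IP address literal that
points back at the receiving server (the bounce-loop envelope from the
Bugtraq thread). Example code, not from the original posts or from Lotus."""
import ipaddress
import re

# Assumption for the example: the addresses this server answers on. A real
# deployment would list the MX host's own interface addresses here.
OWN_ADDRESSES = {ipaddress.ip_address("192.0.2.10")}

# RFC 5321 address literal: "[" dotted quad "]" or "[IPv6:" hex form "]".
_LITERAL_RE = re.compile(r"^\[(IPv6:)?([^\]]+)\]$", re.IGNORECASE)
# MAIL FROM / RCPT TO command with its path argument.
_PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(<[^>]*>|\S+)", re.IGNORECASE)


def parse_path(arg):
    """Split a path argument such as '<bounce@[127.0.0.1]>' into
    (local_part, domain). The null sender '<>' yields ('', '')."""
    arg = arg.strip()
    if arg.startswith("<") and arg.endswith(">"):
        arg = arg[1:-1]
    if not arg:
        return "", ""
    local, sep, domain = arg.rpartition("@")
    if not sep:
        raise ValueError("path has no domain part: %r" % arg)
    return local, domain


def literal_address(domain):
    """Return the IP address of a domain literal, or None when the domain is
    a hostname or a literal that ipaddress cannot parse."""
    m = _LITERAL_RE.match(domain)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m.group(2))
    except ValueError:
        return None


def sender_verdict(mail_from, own_addresses=OWN_ADDRESSES):
    """Return None to accept the MAIL FROM, or the 550 reply text to send.
    The null sender is always accepted: refusing it would break legitimate
    inbound bounces from other sites."""
    _, domain = parse_path(mail_from)
    if not domain:
        return None
    addr = literal_address(domain)
    if addr is None:
        return None
    if addr.is_loopback or addr in own_addresses:
        return ("550 5.7.1 Sender %s rejected for policy reasons: "
                "address literal points back at this server" % domain)
    return None


def smtp_session(client_lines, own_addresses=OWN_ADDRESSES):
    """Replay a constructed envelope and return the reply to each command, so
    the rejection point (at MAIL FROM, before the message is accepted and any
    non-delivery report can be generated) is visible. Only the commands that
    matter for the check are modelled; everything else gets a plain 250."""
    replies, sender_ok = [], False
    for line in client_lines:
        m = _PATH_RE.match(line)
        if m is None:
            replies.append("250 OK")
            continue
        verb, path = m.group(1).upper(), m.group(2)
        if verb == "MAIL FROM":
            verdict = sender_verdict(path, own_addresses)
            sender_ok = verdict is None
            replies.append(verdict or "250 2.1.0 Sender OK")
        elif not sender_ok:
            replies.append("503 5.5.1 Need MAIL command")
        else:
            replies.append("250 2.1.5 Recipient OK")
    return replies


if __name__ == "__main__":
    # Constructed session matching the envelope in the advisory.
    session = [
        "HELO scanner.example",
        "MAIL FROM:<bounce@[127.0.0.1]>",
        "RCPT TO:<address@domain.com>",
    ]
    for cmd, reply in zip(session, smtp_session(session)):
        print("C: %s\nS: %s" % (cmd, reply))
```

Refusing at MAIL FROM matters: once a message for a non-local domain has been accepted, the server has to produce a non-delivery report, and a report addressed to an address literal for the server itself is exactly what loops. One caveat of this approach: a literal that ipaddress does not parse (a dotted quad with leading zeros, for instance) is treated as a hostname and let through, so a production filter should reject malformed literals outright rather than ignore them.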