[NEWS] Lotus Domino DoS (Message Loop)

From: support@securiteam.com
Date: 08/30/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Lotus Domino DoS (Message Loop)
Message-Id: <20010830182800.D3F63138BF@mail.der-keiler.de>
Date: Thu, 30 Aug 2001 20:28:00 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Lotus Domino DoS (Message Loop)
------------------------------------------------------------------------

SUMMARY

Some oddly formed mail envelopes can cause Lotus Domino to enter a mail
routing loop and consume 100% CPU.

DETAILS

Vulnerable systems:
Lotus Domino R4.63, R5.01, R5.05 and R5.08

When a message is sent to a Lotus Domino server with an envelope similar
to:

MAIL FROM:<bounce@[127.0.0.1]>
RCPT TO:<address@domain.com>

where domain.com is not local to the server in question, the server
attempts to bounce the message and the bounce goes into a loop, constantly
being sent back to the same server.

Workaround:
Shut down the mail server, delete the offending message from queue, and
restart the server. This will not stop the exact same thing from happening
again.

Solution:
Open Domino Administrator and connect to your Domino server.
Click on the "Configuration" tab, then in the left pane expand the
"Messaging" submenu and select "Configurations". In the right panel, select
your server to open its configuration panel.

You will now be presented with a new window named "Configuration for
server/DOMAIN".
There is a row of tabs at the top; select "Router/SMTP". You will be
presented with more tabs. Select the "Restrictions and Controls" tab to get
even more tabs.

What you need is "SMTP Inbound Controls". Under the section "Inbound
Sender Controls" there is a field named "Deny messages from the following
internet address/domains". Put the IP address in that field, enclosed in
brackets - [127.0.0.1]. Note that you can put more than one IP address
there (e.g. your localhost and your real IP), but each must be enclosed in
its own brackets.

This workaround can save you from DoS attacks; you can even use it in the
middle of an attack to stop it. If you are already under attack and the
message is bouncing around, you do not need to shut down the entire server;
just stop mail services, delete the message from the queue, and start
services again.

Note: This workaround has been tested only against the reported
vulnerability. It should not break anything, but be careful implementing it
if your Domino server is not the main/only mail service at your location.
If you encounter a problem, you can fix it easily by removing the value
from the field.
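
The deny rule described above, written as a check on the SMTP envelope sender (an added example, not part of the original advisory and not Domino's own implementation): it flags a MAIL FROM whose domain is an address literal for loopback or for one of the server's own addresses. The function names, the sample lines and the address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the reverse-path in "MAIL FROM:<...>"; ESMTP parameters may follow.
_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)


def sender_literal(command):
    """Return the IP address used as the sender's domain literal, or None."""
    m = _MAIL_FROM.match(command.strip())
    if not m:
        return None
    # Everything after the last "@" is the domain part (empty for "<>").
    _, _, domain = m.group("path").rpartition("@")
    if not (domain.startswith("[") and domain.endswith("]")):
        return None  # ordinary host name, not an address literal
    literal = domain[1:-1]
    if literal.lower().startswith("ipv6:"):  # RFC 5321 IPv6 literal form
        literal = literal[5:]
    try:
        return ipaddress.ip_address(literal)
    except ValueError:
        return None  # malformed literal; leave it to normal syntax checks


def deny_sender(command, own_addresses):
    """True when a bounce to this sender would come straight back to us."""
    addr = sender_literal(command)
    if addr is None:
        return False
    own = {ipaddress.ip_address(a) for a in own_addresses}
    return addr.is_loopback or addr in own


# Constructed sample input; 192.0.2.10 stands in for the server's real IP.
OWN = ["192.0.2.10"]
SAMPLES = [
    "MAIL FROM:<bounce@[127.0.0.1]>",
    "MAIL FROM:<bounce@[192.0.2.10]>",
    "mail from:<bounce@[IPv6:::1]> SIZE=1024",
    "MAIL FROM:<user@example.org>",
    "MAIL FROM:<>",
    "MAIL FROM:<user@[198.51.100.7]>",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("DENY " if deny_sender(line, OWN) else "ALLOW", line)
```

The null sender "<>" and address literals for other hosts are allowed through, so ordinary bounces and literal-addressed mail from elsewhere are unaffected.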

ADDITIONAL INFORMATION

The information has been provided by Ian Gulliver <ian@orbz.org>
and Radoslav Dejanovic <radoslav.dejanovic@zagreb.hr>.
