Network Associates WebShield SMTP Trailing Period DoS Vulnerability

A certain configuration of Network Associates WebShield SMTP is vulnerable to a remote denial of service attack. If WebShield and the mailserver are installed on the same machine and the "Direct Send" option has been enabled in the "Delivery" - "Mail Send" configuration in WebShield, this vulnerability can be exploited by sending an email with a dot character trailing the domain name such as 'user@companyxyz.com.'

In this case, Company XYZ with the domain of companyxyz.com is used as an example. The server running WebShield SMTP at Company XYZ does not recognize that 'user@companyxyz.com.' is equivalent to 'user@companyxyz.com' even though both are Fully Qualified Domain Names (FQDN). Therefore, if a remote user attempts to send an email to 'user@companyxyz.com.' (note the trailing period), WebShield SMTP will not recognize 'companyxyz.com.' as a local domain.

WebShield SMTP will then look up the MX (mail exchange) record for 'companyxyz.com.' in DNS and send itself a copy of the message, adding a 'Received:' line. It will keep sending itself the email, adding another 'Received:' line each time, until either the offending email is manually removed or CPU resources are utilized to such a degree that the application crashes. WebShield will continue this process, even after a reboot, until the offending email is manually removed.

This exploit will only work if an MX record is pointing to the domain.
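
The two checks that stop this failure mode, shown as an added example that is not part of the original advisory and is not WebShield code: compare recipient domains after dropping the trailing root dot, and stop forwarding once the number of 'Received:' lines reaches a limit. The function names, the MAX_HOPS value and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string

LOCAL_DOMAINS = {"companyxyz.com"}  # the advisory's example domain
MAX_HOPS = 100  # assumed limit; RFC 5321 suggests a large threshold of this order


def normalize_domain(domain):
    """Lowercase and drop the trailing root dot: 'companyxyz.com.' -> 'companyxyz.com'."""
    domain = domain.strip().lower()
    return domain[:-1] if domain.endswith(".") else domain


def naive_is_local(address):
    """Flawed comparison described in the advisory: raw string match on the domain."""
    return address.rpartition("@")[2] in LOCAL_DOMAINS


def is_local(address):
    """Hardened comparison: both forms of the domain name match."""
    return normalize_domain(address.rpartition("@")[2]) in LOCAL_DOMAINS


def hop_count(raw_message):
    """Number of 'Received:' lines, i.e. how many times the message was relayed."""
    return len(message_from_string(raw_message).get_all("Received", []))


def route(address, raw_message):
    """Decide what to do with one recipient of one message."""
    if hop_count(raw_message) >= MAX_HOPS:
        return "reject-loop"  # break the loop instead of re-queueing forever
    return "deliver-local" if is_local(address) else "relay-mx"


def sample_message(hops):
    """Constructed test message carrying `hops` Received lines."""
    received = "".join(
        f"Received: from mail.companyxyz.com by mail.companyxyz.com; hop {i}\n"
        for i in range(hops)
    )
    return received + "From: sender@example.org\nTo: user@companyxyz.com.\n\nbody\n"


if __name__ == "__main__":
    for rcpt in ("user@companyxyz.com", "user@companyxyz.com."):
        print(rcpt, naive_is_local(rcpt), route(rcpt, sample_message(1)))
    print(route("user@companyxyz.com.", sample_message(MAX_HOPS)))
```

The hop limit is the backstop: even if some other misconfiguration makes the server relay to itself, the message is rejected instead of being re-queued indefinitely.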


 

Copyright 2010, SecurityFocus