Alert: Microsoft Security Bulletin MS04-002 - Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 01/13/04

    Date:         Tue, 13 Jan 2004 15:31:51 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Microsoft Security Bulletin MS04-002:
    Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation
    (832759)

    Bulletin URL:
    http://www.microsoft.com/technet/security/bulletin/MS04-002.asp

    Summary:
     Version Number: V1.0
     Revision Date: 01-13-2004
     Impact of Vulnerability: Elevation of Privilege
     Maximum Severity Rating: Moderate
     Patch(es) Replaced: None
     Caveats: Apply the update when a disruption in OWA and Simple Mail
    Transfer Protocol (SMTP) mail flow and other Internet Information
    Services (IIS) applications is acceptable.
     CVE Number(s): CAN-2003-0904

    Tested Software:
     Affected Software:
     * Microsoft Exchange Server 2003
    <http://www.ntbugtraq.com/link/9542F949-D09B-4199-A837-FBCFC0567676.asp>

     Software Not Affected:
     * Microsoft Exchange 2000 Server
     * Microsoft Exchange Server 5.5

    Technical Description:

    A vulnerability exists in the way that Hypertext Transfer Protocol
    (HTTP) connections are reused when NTLM authentication is used between
    front-end Exchange 2003 servers providing OWA access and, when running
    Outlook Web Access (OWA) on Windows 2000 and Windows Server 2003, and
    when using back-end Exchange 2003 servers that are running Windows
    Server 2003.

    Users who access their mailboxes through an Exchange 2003 front-end
    server and Outlook Web Access might get connected to another user's
    mailbox if that other mailbox is (1) hosted on the same back-end mailbox
    server and (2) if that mailbox has been recently accessed by its owner.
    Attackers seeking to exploit this vulnerability could not predict which
    mailbox they might become connected to. The vulnerability causes random
    and unreliable access to mailboxes and is specifically limited to
    mailboxes that have recently been accessed through OWA.

    By default, Kerberos authentication is used as the HTTP authentication
    method between Exchange Server 2003 front-end and back-end Exchange
    servers. This behavior manifests itself only in deployments where OWA is
    used in an Exchange front-end/back-end server configuration and Kerberos
    has been disabled as an authentication method for OWA communication
    between the front-end and back-end Exchange servers.

    This vulnerability is exposed if the Web site that is running the
    Exchange Server 2003 programs on the Exchange back-end server has been
    configured not to negotiate Kerberos authentication, causing OWA to fall
    back to using NTLM authentication. The only known way that this
    vulnerability can be exposed is by a change in the default configuration
    of Internet Information Services 6.0 on the Exchange back-end server.
    This vulnerability cannot be exposed by a routine fallback to NTLM
    because of a problem with Kerberos authentication. This configuration
    change may occur when Microsoft Windows SharePoint Services (WSS) 2.0 is
    installed on a Windows Server 2003 server that also functions as an
    Exchange Server 2003 back-end.

    This email is sent to NTBugtraq automagically as a service to my
    subscribers. (v2.3)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
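
A configuration check for the exposure condition described in the bulletin, added here as an example (it is not part of the bulletin or of the NTBugtraq post): it reads an IIS 6.0 MetaBase.xml export and lists the web-site paths whose effective NTAuthenticationProviders value omits Negotiate, meaning the site will not negotiate Kerberos. Assumptions: NTAuthenticationProviders is the metabase property that controls this, a path inherits the nearest parent's value, and an unset value means Negotiate,NTLM; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS 6.0 MetaBase.xml export (not real data).
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders="Negotiate,NTLM"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
              NTAuthenticationProviders="NTLM"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchange"/>
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Other site"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"/>
</MBProperty>
</configuration>"""

IIS_DEFAULT = "Negotiate,NTLM"  # assumed when the property is unset at every level

def load_providers(xml_text):
    """Return ({location: explicit NTAuthenticationProviders}, [all locations])."""
    explicit, locations = {}, []
    for node in ET.fromstring(xml_text).iter():
        loc = node.get("Location")
        if not loc:
            continue
        key = loc.rstrip("/").upper()  # metabase paths are case-insensitive
        locations.append(key)
        if node.get("NTAuthenticationProviders") is not None:
            explicit[key] = node.get("NTAuthenticationProviders")
    return explicit, locations

def effective(loc, explicit):
    """Walk up the metabase path to the nearest explicitly set value."""
    key = loc
    while key:
        if key in explicit:
            return explicit[key], key
        key = key.rpartition("/")[0]
    return IIS_DEFAULT, None

def ntlm_only_paths(xml_text):
    """List (path, effective value, path it was inherited from) lacking Negotiate."""
    explicit, locations = load_providers(xml_text)
    findings = []
    for loc in locations:
        if not loc.startswith("/LM/W3SVC/"):  # only web sites and their children
            continue
        value, source = effective(loc, explicit)
        providers = [p.strip().lower() for p in value.split(",")]
        if "negotiate" not in providers:
            findings.append((loc, value, source))
    return findings

if __name__ == "__main__":
    for path, value, source in ntlm_only_paths(SAMPLE):
        print(f"{path}: NTAuthenticationProviders={value!r} (set at {source})")
```

On a back-end server, any Exchange virtual directory that appears in the output is served by a site that has been changed from the default and will use NTLM between front end and back end.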
