[NT] Authentication Flaw Allows Unauthorized Users to Authenticate SMTP Service
From: support@securiteam.com Date: 02/28/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 28 Feb 2002 13:29:39 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Authentication Flaw Allows Unauthorized Users to Authenticate SMTP Service
------------------------------------------------------------------------
SUMMARY
The SMTP service is installed by default as part of Windows 2000 server
products and as part of the Internet Mail Connector (IMC) for Microsoft
Exchange Server 5.5. (The IMC, also known as the Microsoft Exchange
Internet Mail Service, provides access and message exchange to and from
any system that uses SMTP). A vulnerability results in both services
because of a flaw in the way they handle a valid response from the NTLM
authentication layer of the underlying operating system.
By design, the Windows 2000 SMTP service and the Exchange Server 5.5 IMC,
upon receiving notification from the NTLM authentication layer that a user
has been authenticated, should perform additional checks before granting
the user access to the service. The vulnerability results because the
affected services do not perform this additional checking correctly. In
some cases, this could result in the SMTP service granting access to a
user solely based on their ability to successfully authenticate to the
server.
An attacker who exploited the vulnerability could gain only user-level
privileges on the SMTP service, thereby enabling the attacker to use the
service but not to administer it. The most likely purpose in exploiting
the vulnerability would be to perform mail relaying via the server.
DETAILS
Affected software:
* Microsoft Windows 2000
* Microsoft Exchange Server 5.5
Mitigating factors:
* Exchange 2000 servers are not affected by the vulnerability because
they correctly handle the authentication process to the SMTP service.
* The vulnerability would not enable the attacker to read other users'
email, nor to send mail as other users.
* Best practices recommend disabling unneeded services. If the SMTP
service has been disabled, the mail relaying vulnerability could not be
exploited.
* The vulnerability would not grant administrative privileges to the
service, nor would it grant the attacker the ability to run programs or
operating system commands.
Patch availability:
Download locations for this patch
* Microsoft Windows 2000 Server, Professional, and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
* Exchange Server 5.5:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423
* Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and
available from the original equipment manufacturer.
What's the scope of the vulnerability?
This vulnerability could enable an unauthorized user to consume resources
of a mail server without authorization. This could enable an attacker to
disguise the origination point of a mail, or co-opt a server's resources
for mass mailings.
This vulnerability is subject to constraints:
* It would only affect servers running the Exchange Server 5.5 Internet
Mail Connector service or the native Windows 2000 SMTP service.
* It would not grant administrative privileges to the service, nor would
it grant the attacker the ability to run programs or operating system
commands.
* Mail servers running Exchange 2000 are not affected by this
vulnerability.
What causes the vulnerability?
The vulnerability results because of an authentication error affecting
both the SMTP service in Windows 2000 and the Exchange Server 5.5 Internet
Mail Connector. Both of these services should perform additional checking
before granting mail privileges to a user who has authenticated to the
server; however, they do not do so correctly.
What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery
of mail via the Internet, defined in RFCs 2821 and 2822. The protocol
defines the format of mail messages, the fields in them and their
contents, and the handling procedures for mails. An SMTP service is
provided with Windows 2000 and installs by default on server products.
What is the Exchange 5.5 Internet Mail Connector?
The Internet Mail Connector (IMC) is the component in Exchange Server 5.5
that allows mail to be sent to and received from other servers that use
SMTP. It installs by default as part of Exchange Server 5.5, and is
sometimes referred to as the Exchange Server 5.5 Internet Mail Service.
What is wrong with the Windows 2000 SMTP service and the Exchange Server
5.5 IMC?
Before a user can make use of a mail service, they first must authenticate
to the server. However, even if this is done successfully, the mail
services themselves should perform additional checking to ensure that it's
appropriate to let the user access them. Neither the Windows 2000 SMTP
service nor the Exchange Server 5.5 IMC performs this additional checking
correctly. The result is that a user who could successfully authenticate
to the server would always have the ability to use the mail services, even
if it is not appropriate.
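The authorization gap just described, modelled as an added example (not Microsoft's or SecuriTeam's code): the flawed relay decision trusts the NTLM result alone, while the corrected decision treats authentication as necessary but still consults a separate relay policy. The `RelayPolicy` class, the local domain and the account names are constructed for illustration.

```python
"""Authentication is not authorization: a model of the SMTP relay check.

Added example; names, domains and accounts are assumptions, not the
behaviour of any specific product build.
"""
from dataclasses import dataclass, field

# Constructed: the only domain this server delivers for locally.
LOCAL_DOMAINS = {"example.com"}


@dataclass
class AuthResult:
    """What the NTLM layer hands back to the SMTP service."""
    user: str
    authenticated: bool


@dataclass
class RelayPolicy:
    """The 'additional checking': accounts permitted to relay off-site."""
    relay_allowed: set = field(default_factory=set)


def domain_of(rcpt: str) -> str:
    """Recipient domain from an RCPT TO address (lower-cased)."""
    return rcpt.rsplit("@", 1)[-1].lower()


def may_relay_flawed(auth: AuthResult, rcpt: str) -> bool:
    """Flawed logic: any account that authenticates may relay."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return True                 # local delivery is not relaying
    return auth.authenticated       # authentication alone decides


def may_relay_fixed(auth: AuthResult, rcpt: str, policy: RelayPolicy) -> bool:
    """Corrected logic: authenticate, then check relay authorization."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return True
    if not auth.authenticated:
        return False
    return auth.user.lower() in policy.relay_allowed


def rcpt_reply(auth: AuthResult, rcpt: str, policy: RelayPolicy, patched: bool) -> str:
    """SMTP-style reply the service would give for the RCPT TO command."""
    ok = may_relay_fixed(auth, rcpt, policy) if patched else may_relay_flawed(auth, rcpt)
    return "250 2.1.5 OK" if ok else "550 5.7.1 Unable to relay"
```

A low-privileged account that merely authenticates relays under the flawed check but receives "550 5.7.1 Unable to relay" under the corrected one; local recipients are accepted in both cases.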
What would this enable the attacker to do?
The vulnerability would enable an attacker to levy mail requests as an
authorized user. That is, it would enable the attacker to send mail. The
most likely use of this vulnerability would be in performing mail
relaying.
What's mail relaying?
Mail relaying is a practice in which e-mail is routed to an intermediate
mail server, which then delivers it to the recipient's mail server. Mail
relaying is often a legitimate practice. For example, suppose a company
with several servers has designated one of them as a mail gateway to the
Internet. Any e-mail sent to the company would arrive at the gateway
server, and then be relayed to the appropriate server for delivery to the
recipient.
However, malicious users also sometimes try to perform unauthorized mail
relaying. For example, a spammer who has a low-end server and a slow
network connection might use mail relaying in order to get someone else's
higher-powered mail server and fast network connection to send spam on
their behalf. Mail relaying also has been misused to disguise the point of
origination for an email.
Would the vulnerability allow the attacker to take any other actions on
the server?
The vulnerability would only confer user-level privileges on the SMTP
service to the attacker - it would not grant administrative privileges to
the service, nor would it grant the attacker the ability to run programs
or operating system commands, nor would it allow the attacker to read,
create, or send other users' mail.
Does this affect all Windows 2000 servers?
A Windows 2000 server would only be affected by it if the SMTP service is
installed and running. This is the default configuration; however,
Microsoft always recommends reviewing the list of services and disabling
any of those that are not needed.
Does the vulnerability affect the SMTP service in Windows NT 4.0?
No. Only the SMTP services that ship with Windows 2000 or the Exchange
Server 5.5 IMC are affected.
Does this vulnerability affect Windows XP Professional?
Windows XP Professional was tested and is not affected by this
vulnerability.
I am running Exchange Server 5.5 on a Windows 2000 system. Should I apply
the Windows 2000 patch or the Exchange Server 5.5 patch?
Administrators of Exchange 5.5 need only apply the latest IMC patch listed
above under patch availability. It is not necessary to apply the Windows
2000 patch.
I am running Exchange Server 2000. Do I need a patch?
No. Even though Exchange Server 2000 can be installed on a Windows 2000
server (and indeed, it is the only system it can be installed on),
Exchange Server 2000 is not affected by this vulnerability. Exchange
Server 2000 installs components that perform the additional checking
correctly.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the SMTP service
properly authenticates users before allowing them to levy requests on it.
ADDITIONAL INFORMATION
The information has been provided by <mailto:secnotif@MICROSOFT.COM>
Microsoft Product Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.