[NT] IIS SMTP Component Allows Mail Relaying via Null Session (Detailed Analysis)
From: support@securiteam.com  Date: 03/08/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 8 Mar 2002 18:01:13 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IIS SMTP Component Allows Mail Relaying via Null Session (Detailed Analysis)
------------------------------------------------------------------------
SUMMARY
IIS comes with a small SMTP component. The default settings allow anyone
who can authenticate to it to relay email. Because the authentication
system supports NTLM, it is possible for anyone to authenticate using null
session credentials, and then relay email.
We reported this issue in our previous article:
<http://www.securiteam.com/windowsntfocus/5YP0M2A6AM.html> Authentication
Flaw Allows Unauthorized Users to Authenticate SMTP Service; this article
contains a detailed analysis of the problem.
DETAILS
Affected Systems:
IIS 5 servers with the SMTP component enabled.
IIS 4 was not tested.
Impact:
The vulnerability would likely be exploited by spammers to misappropriate
bandwidth and CPU time. There does not appear to be any way of using this
vulnerability to run arbitrary code or otherwise gain access to the
vulnerable system.
Details:
The SMTP component supports the SMTP AUTH command, and allows NTLM as an
option within that. This is intended to be used by normal users to
authenticate themselves via an NTLM challenge-response. However, because
NTLM supports using null session credentials, an anonymous user can use
this mechanism to 'authenticate'. Once that is accomplished, the SMTP
service will relay email.
A sample transcript follows. The initial relay attempt is not part of the
attack; it is included only to show that relaying requires authentication.
Note also the 503 reply to the second MAIL From: the envelope sender that
was accepted before AUTH survives authentication, so only the RCPT To is
re-evaluated. (Release of the actual authentication data is being delayed
in accordance with draft-christey-wysopal-vuln-disclosure-00.txt.)
% telnet 192.168.8.129 25
Trying 192.168.8.129...
Connected to 192.168.8.129.
Escape character is '^]'.
220 w2ks.w2kvm.qnz.org Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at Wed, 29 Aug 2001 11:52:15 -0400
HELO foo
250 w2ks.w2kvm.qnz.org Hello [192.168.8.1]
MAIL From:<>
250 2.1.0 <>....Sender OK
RCPT To:<secure@microsoft.com>
550 5.7.1 Unable to relay for secure@microsoft.com
AUTH NTLM <etc, etc>
334 <etc, etc>
<etc, etc>
235 2.7.0 Authentication successful
MAIL From:<>
503 5.5.2 Sender already specified
RCPT To:<secure@microsoft.com>
250 2.1.5 secure@microsoft.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: your SMTP server supports null sessions
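The following is an added example, not part of the SecuriTeam advisory and not code from its authors. It automates the pre-authentication probe shown in the transcript above (greeting, MAIL From:<>, RCPT To a domain the server is not responsible for) and additionally issues EHLO to read the AUTH mechanisms the server advertises, so a server that refuses to relay but offers NTLM can be flagged for follow-up. It deliberately does not send an AUTH NTLM exchange, since the advisory withholds that data. The ScriptedServer class and every response string in it are constructed stand-ins for the IIS 5 service (the hostname and addresses are taken from the transcript; the EHLO capability line is an assumption); real hosts are reached through probe_host().

```python
import socket
from dataclasses import dataclass, field


@dataclass
class RelayReport:
    banner: str = ""
    auth_mechanisms: list = field(default_factory=list)
    relays_anonymously: bool = False
    rcpt_reply: str = ""


def read_reply(rfile):
    """Read one SMTP reply, joining '250-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def probe(rfile, wfile, helo_name, sender, rcpt):
    """Replay the advisory's pre-AUTH probe and record how the server answers.
    rfile/wfile are anything with readline() and write()/flush() (socket files
    or the scripted server below)."""
    def send(text):
        wfile.write((text + "\r\n").encode("latin-1"))
        wfile.flush()
        return read_reply(rfile)

    report = RelayReport()
    _, lines = read_reply(rfile)            # 220 banner
    report.banner = lines[0]
    code, lines = send("EHLO " + helo_name)
    if code == 250:
        for feature in lines[1:]:           # first line is the greeting
            keyword, _, rest = feature.partition(" ")
            if keyword.upper() == "AUTH":
                report.auth_mechanisms = rest.upper().split()
    else:                                   # plain HELO, as in the transcript
        send("HELO " + helo_name)
    send("MAIL FROM:<%s>" % sender)
    code, lines = send("RCPT TO:<%s>" % rcpt)
    report.rcpt_reply = "%d %s" % (code, lines[0])
    report.relays_anonymously = code in (250, 251)
    send("RSET")                            # never DATA a message
    send("QUIT")
    return report


def classify(report):
    """Turn the probe result into the finding a reviewer would log."""
    if report.relays_anonymously:
        return "open relay: RCPT to a foreign domain accepted without AUTH"
    if "NTLM" in report.auth_mechanisms:
        return "relay gated by AUTH, NTLM offered: null-session relay risk"
    return "relay gated by AUTH, NTLM not offered"


class ScriptedServer:
    """Constructed stand-in for the advisory's IIS 5 server (not a capture):
    refuses relay before AUTH and advertises NTLM. Acts as both rfile and wfile."""
    def __init__(self):
        self._pending = b"220 w2ks.w2kvm.qnz.org Microsoft ESMTP MAIL Service ready\r\n"

    def readline(self):
        line, sep, self._pending = self._pending.partition(b"\r\n")
        return line + sep

    def write(self, data):
        text = data.decode("latin-1").strip()
        verb = text.split(None, 1)[0].upper()
        if verb == "EHLO":                  # capability line is an assumption
            reply = "250-w2ks.w2kvm.qnz.org Hello\r\n250-AUTH GSSAPI NTLM LOGIN\r\n250 OK"
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":                # unauthenticated relay refused, as on the page
            reply = "550 5.7.1 Unable to relay for " + text.split(":", 1)[1].strip("<>")
        elif verb in ("HELO", "RSET"):
            reply = "250 OK"
        elif verb == "QUIT":
            reply = "221 closing connection"
        else:
            reply = "500 5.3.3 Unrecognized command"
        self._pending += (reply + "\r\n").encode("latin-1")

    def flush(self):
        pass


def probe_host(host, port=25, helo_name="probe.example", sender="", rcpt="postmaster@example.net"):
    """Probe a real server; sender '' yields the null reverse-path MAIL FROM:<>."""
    with socket.create_connection((host, port), timeout=15) as sock:
        return probe(sock.makefile("rb"), sock.makefile("wb"), helo_name, sender, rcpt)


def probe_scripted():
    server = ScriptedServer()
    return probe(server, server, "foo", "", "secure@microsoft.com")


if __name__ == "__main__":
    result = probe_scripted()
    print(result.rcpt_reply, "->", classify(result))
```

Only a 550 on the foreign RCPT combined with NTLM in the EHLO list is a candidate for the null-session issue; a 250 there is simply an open relay and needs no authentication trick at all. Run probe_host() only against hosts you are authorized to test.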
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.