IIS SMTP component allows mail relaying via Null Session

From: Marc Fossi (mfossi@securityfocus.com)
Date: 03/01/02


Date: Fri, 1 Mar 2002 12:01:41 -0700 (MST)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>

Here's the BindView advisory for MS02-011. Looks like it can be exploited
through NULL session credentials. For an excellent article by Tim Mullen
on limiting NULL sessions, take a look here:
http://online.securityfocus.com/infocus/1352

BindView Security Advisory
--------

IIS SMTP component allows mail relaying via Null Session
Issue Date: March 1, 2002
Contact: tsabin@razor.bindview.com

Topic:
The SMTP component that comes with IIS can be used by anyone for
relaying email.

Overview:
IIS comes with a small SMTP component. The default settings allow
anyone who can authenticate to it to relay email. Because the
authentication system supports NTLM, it is possible for anyone to
authenticate using null session credentials, and then relay email.

Affected Systems:
IIS 5 servers with the SMTP component enabled.
IIS 4 was not tested.

Impact:
The vulnerability would likely be exploited by spammers to
misappropriate bandwidth and CPU time. There does not appear to be
any way of using this vulnerability to run arbitrary code or otherwise
gain access to the vulnerable system.

Details:

The SMTP component supports the SMTP AUTH command, and allows NTLM as
an option within that. This is intended to be used by normal users to
authenticate themselves via an NTLM challenge-response. However,
because the NTLM exchange accepts null session credentials (an empty
user name and password, the same credentials behind an anonymous SMB
"null session"), an anonymous user can use this mechanism to
'authenticate'. Once that is accomplished, the SMTP service treats the
connection as authenticated and will relay email.

A sample transcript follows. The initial failure is not necessary; it
is simply to illustrate that relay requires authentication. Note that
the second MAIL From:<> after AUTH is rejected with 503 because the
envelope sender set before authentication is still in effect, and that
the RCPT refused with 550 a moment earlier is now accepted. (Release
of the actual authentication data is being delayed in accordance with
draft-christey-wysopal-vuln-disclosure-00.txt.)

% telnet 192.168.8.129 25
Trying 192.168.8.129...
Connected to 192.168.8.129.
Escape character is '^]'.
220 w2ks.w2kvm.qnz.org Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at Wed, 29 Aug 2001 11:52:15 -0400
HELO foo
250 w2ks.w2kvm.qnz.org Hello [192.168.8.1]
MAIL From:<>
250 2.1.0 <>....Sender OK
RCPT To:<secure@microsoft.com>
550 5.7.1 Unable to relay for secure@microsoft.com
AUTH NTLM <etc, etc>
334 <etc, etc>
<etc, etc>
235 2.7.0 Authentication successfull
MAIL From:<>
503 5.5.2 Sender already specified
RCPT To:<secure@microsoft.com>
250 2.1.5 secure@microsoft.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: your SMTP server supports null sessions

yada yada yada

.
250 2.6.0 <W2KShlQ6QpPpSML5liF00000001@w2ks.w2kvm.qnz.org> Queued mail for delivery
QUIT
221 2.0.0 w2ks.w2kvm.qnz.org Service closing transmission channel
Connection closed by foreign host.
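The pre-authentication half of that exchange, as an added example that is not part of the BindView advisory or of any Microsoft tooling: an unauthenticated checker that does EHLO, records whether AUTH NTLM is advertised, then tries MAIL From:<> and an external RCPT To: and reports whether relay is refused (550) or granted (250). It deliberately stops where the advisory's redaction starts and performs no NTLM authentication; a server that refuses relay but offers NTLM is the configuration the advisory describes and should be patched or have relay-for-authenticated-users disabled. The in-process replay server, its host name, and the "250-AUTH GSSAPI NTLM LOGIN" capability line are constructed for illustration so the script runs offline; point check_relay() at a real host to use it.

```python
"""Unauthenticated SMTP relay precondition check (added example, not the advisory's code).

Mirrors the first part of the advisory transcript: banner, EHLO, MAIL From:<>,
RCPT To:<external address>. No AUTH is attempted.
"""
import smtplib
import socket
import threading


def check_relay(host, port, rcpt="secure@microsoft.com", timeout=10):
    """Return what an unauthenticated client learns in a single SMTP session."""
    result = {"auth_methods": [], "ntlm_offered": False,
              "relay_code": None, "relay_refused_unauth": None}
    # local_hostname is fixed so smtplib does not do reverse DNS for the EHLO name
    with smtplib.SMTP(host, port, local_hostname="scanner.example", timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError("EHLO rejected with %d" % code)
        # smtplib folds every "250-AUTH ..." line into esmtp_features["auth"]
        methods = smtp.esmtp_features.get("auth", "").split()
        result["auth_methods"] = methods
        result["ntlm_offered"] = "NTLM" in [m.upper() for m in methods]
        # Null reverse path, exactly as in the transcript
        code, _ = smtp.mail("")
        if code != 250:
            raise RuntimeError("MAIL FROM:<> rejected with %d" % code)
        # A recipient outside the server's local domains forces a relay decision
        code, _ = smtp.rcpt(rcpt)
        result["relay_code"] = code
        result["relay_refused_unauth"] = (code == 550)
    return result


def verdict(result):
    """Map the observation onto the conditions the advisory describes."""
    if result["relay_code"] == 250:
        return "open relay: relays without any authentication"
    if result["relay_refused_unauth"] and result["ntlm_offered"]:
        return ("relay gated on AUTH and NTLM offered: exposed to null-session relay "
                "unless patched or relay for authenticated users is disabled")
    if result["relay_refused_unauth"]:
        return "relay refused and NTLM not offered"
    return "inconclusive"


def _fake_iis_smtp(listener, hostname="w2ks.w2kvm.qnz.org"):
    """Constructed stand-in that replays the response codes from the advisory's
    transcript for one connection. AUTH is not implemented here on purpose."""
    conn, _ = listener.accept()

    def send(line):
        conn.sendall((line + "\r\n").encode("ascii"))

    send("220 %s Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready" % hostname)
    reader = conn.makefile("rb")
    for raw in reader:
        parts = raw.decode("ascii", errors="replace").strip().split(" ", 1)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if verb == "EHLO":
            send("250-%s Hello [127.0.0.1]" % hostname)
            send("250-AUTH GSSAPI NTLM LOGIN")  # constructed capability line
            send("250 OK")
        elif verb == "HELO":
            send("250 %s Hello [127.0.0.1]" % hostname)
        elif verb == "MAIL":
            send("250 2.1.0 <>....Sender OK")
        elif verb == "RCPT":
            send("550 5.7.1 Unable to relay for " + arg.split(":", 1)[-1].strip("<>"))
        elif verb == "QUIT":
            send("221 2.0.0 %s Service closing transmission channel" % hostname)
            break
        else:
            send("504 5.7.4 Unrecognized authentication type")
    conn.close()


def run_against_fake_server():
    """Start the replay server on a loopback port and run the check against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_iis_smtp, args=(listener,), daemon=True)
    t.start()
    try:
        return check_relay("127.0.0.1", port)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    observed = run_against_fake_server()
    print(observed)
    print(verdict(observed))
```

Against the replay server the check reports relay refused (550) with NTLM offered, which is the state the transcript shows before AUTH. On a real host, a 250 to the external RCPT means the server is an open relay regardless of this issue, and a 550 with no AUTH NTLM in the EHLO reply means the null-session path is not available.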

Workarounds:
Disable the SMTP service.
Disable the ability of authenticated users to relay email.
Firewall off the SMTP service from untrusted networks.

Recommendations:
Disable the SMTP service, if not needed.
Install the patch from Microsoft.

References:

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

Microsoft's Hotfix:
Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
(the download page mentions ms02-012, but the patch also covers ms02-011)

Exchange 5.5: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423

Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=310669
