Home page logo
/

bugtraq logo Bugtraq mailing list archives

IIS SMTP component allows mail relaying via Null Session
From: Todd Sabin <tsabin () razor bindview com>
Date: 01 Mar 2002 10:31:01 -0500


BindView Security Advisory
--------

IIS SMTP component allows mail relaying via Null Session
Issue Date: March 1, 2002
Contact:  tsabin () razor bindview com

Topic:
The SMTP component that comes with IIS can be used by anyone for 
relaying email.

Overview:
IIS comes with a small SMTP component.  The default settings allow
anyone who can authenticate to it to relay email.  Because the
authentication system supports NTLM, it is possible for anyone to
authenticate using null session credentials, and then relay email.

Affected Systems:
IIS 5 servers with the the SMTP component enabled.
IIS 4 was not tested.

Impact:
The vulnerability would likely be exploited by spammers to
misappropriate bandwidth and CPU time.  There does not appear to be
any way of using this vulnerability to run arbitrary code or otherwise
gain access to the vulnerable system.

Details:

The SMTP component supports the SMTP AUTH command, and allows NTLM as
an option within that.  This is intended to be used by normal users to
authenticate themselves via an NTLM challenge-response.  However,
because NTLM supports using null session credentials, an anonymous
user can use this mechanism to 'authenticate'.  Once that is
accomplished, the SMTP service will relay email.

A sample transcript follows.  The initial failure is not necessary; it
is simply to illustrate that relay requires authentication: (Release
of the actual authentication data is being delayed in accordance with
draft-christey-wysopal-vuln-disclosure-00.txt)

% telnet 192.168.8.129 25
Trying 192.168.8.129...
Connected to 192.168.8.129.
Escape character is '^]'.
220 w2ks.w2kvm.qnz.org Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at  Wed, 29 Aug 2001 11:52:15 -0400 
HELO foo
250 w2ks.w2kvm.qnz.org Hello [192.168.8.1]
MAIL From:<>
250 2.1.0 <>....Sender OK
RCPT To:<secure () microsoft com>
550 5.7.1 Unable to relay for secure () microsoft com
AUTH NTLM <etc, etc>
334 <etc, etc>
<etc, etc>
235 2.7.0 Authentication successfull
MAIL From:<>
503 5.5.2 Sender already specified
RCPT To:<secure () microsoft com>
250 2.1.5 secure () microsoft com 
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: your SMTP server supports null sessions

yada yada yada

.
250 2.6.0 <W2KShlQ6QpPpSML5liF00000001 () w2ks w2kvm qnz org> Queued mail for delivery
QUIT
221 2.0.0 w2ks.w2kvm.qnz.org Service closing transmission channel
Connection closed by foreign host.


Workarounds:
Disable the SMTP service.
Disable the ability of authenticated users to relay email.
Firewall off the SMTP service from untrusted networks.

Recommendations:
Disable the SMTP service, if not needed.
Install the patch from Microsoft

References:

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

Microsoft's Hotfix:
Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
(the download page mentions ms02-012, but the patch also covers ms02-011)

Exchange 5.5:  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423

Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=310669


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]