Re: MS Exchange Protocol Vulnerability

From: Fernando Cima (cimaat_private)
Date: Thu Apr 30 1998 - 16:19:40 PDT


    Dear Tim,
    
    I've never decoded these packets either, but a possible cause is the
    behavior of the gethostbyaddr() function in NT 4.0. According to the NT
    Resource Kit, gethostbyaddr() uses this sequence:
    
     1. Check local computer host name.
     2. Check the HOSTS file for a matching address entry.
     3. If a DNS server is configured, query it.
     4. If no match is found, send a NetBIOS Adapter Status Request to the
        IP address being queried, and if it responds with a list of NetBIOS
        names registered for the adapter, parse it for the computer name.
    
    My guess is that Exchange IMC is calling gethostbyaddr() to make the
    reverse lookup of the incoming SMTP server. Not finding the information
    in DNS, it sends out an nbt query (udp port 137) to the incoming
    machine.
    
    Maybe a bogus netbios nameserver could be used to spoof the name for the
    incoming machine, but I can't see any serious security implications in
    this case.
    
    Cheers,
    
    - Fernando Cima
    
    
    ----------
    From: Tim Bass
    To: BUGTRAQat_private
    Sent: 30/05/98 10:17:38
    Subject: MS Exchange Protocol Vulnerability
    
    It seems that MS Exchange (if configured incorrectly) sends netbios-ns
    packets across the Internet to originating SMTP clients during SMTP
    sessions.  I've seen this with a server at a very large organization
    and have tested others that use MS Exchange and have found many
    that are doing the exact same thing.  Here is a tcpdump snapshot
    of the session (names changed, of course):
    
    -----------------------------------------
    
    tcpdump: listening on ppp0
    17:00:57.361500 blackhole.silkroad.com.1075 >
    ms-exchange-server.hugh.org.smtp:
    17:00:57.371500 blackhole.silkroad.com.domain >
    smtp-server.hugh.org.domain: 241
    17:00:57.671500 ms-exchange-server.hugh.org.smtp >
    blackhole.silkroad.com.1075:
    17:00:57.671500 blackhole.silkroad.com.1075 >
    ms-exchange-server.hugh.org.smtp:
    17:00:57.751500 smtp-server.hugh.org.domain >
    blackhole.silkroad.com.domain:
    17:01:00.931500 blackhole.silkroad.com.1075 >
    ms-exchange-server.hugh.org.smtp:
    17:01:01.201500 ms-exchange-server.hugh.org.smtp >
    blackhole.silkroad.com.1075
    
    Note: Here are the netbios-ns packets (three to port 137 on my end)
    
    17:01:03.181500 ms-exchange-server.hugh.org.netbios-ns >
    blackhole.silkroad.com.
    17:01:04.661500 ms-exchange-server.hugh.org.netbios-ns >
    blackhole.silkroad.com.
    17:01:06.161500 ms-exchange-server.hugh.org.netbios-ns >
    blackhole.silkroad.com.
    17:01:07.671500 ms-exchange-server.hugh.org.smtp >
    blackhole.silkroad.com.1075:
    17:01:07.671500 blackhole.silkroad.com.1075 >
    ms-exchange-server.hugh.org.smtp:
    
    Session over.
    
    -----------------------------------------
    
    I did not decode the packets, so I can't speak to what the MS Exchange
    server is actually doing/requesting/asking, but, on the surface, this
    appears to be a potential high-risk vulnerability; especially if the
    server is requesting information or services that could be compromised
    by setting up a bogus 137 udp service on the client side.
    
    Perhaps we'll run sniffit on this end and see what the three udp packets
    are hoping to find.
    
    Regards,
    
    Insignificant Network Security Person on Vacation
    Running TCPDUMP As Background Noise, Goofing Off
    
    
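    As an added illustration (not code from either poster), the following script applies Fernando's explanation to tcpdump summary lines like Tim's: it flags 137/udp probes a mail server sends back to a host that has just opened an SMTP session to it, which is the step-4 fallback of the gethostbyaddr() sequence showing up on the wire. The sample capture is constructed from the post's lines, joined one packet per line, with the truncated destination port of the three netbios-ns packets filled in as netbios-ns; host names are the post's own changed names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's tcpdump output, one packet per line.
# tcpdump prints the port as the last dotted component, by name where it can.
SAMPLE_TCPDUMP = """\
17:00:57.361500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:
17:00:57.671500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075:
17:01:03.181500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.netbios-ns:
17:01:04.661500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.netbios-ns:
17:01:06.161500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.netbios-ns:
17:01:07.671500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075:
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+)\s+(\S+)\s+>\s+(\S+?):?$")
SMTP_PORTS = {"smtp", "25"}
NBNS_PORTS = {"netbios-ns", "137"}


def parse_line(line):
    """Return (seconds since midnight, src_host, src_port, dst_host, dst_port), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, frac, src, dst = m.groups()
    t = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
    src_host, src_port = src.rsplit(".", 1)
    dst_host, dst_port = dst.rsplit(".", 1)
    return t, src_host, src_port, dst_host, dst_port


def find_nbns_leaks(text, window=60.0):
    """Flag 137/udp probes a mail server sends to a peer that opened an SMTP
    session to it within `window` seconds (the gethostbyaddr() fallback the
    thread describes).  Returns [(server, peer, probe_count)]."""
    last_smtp = {}             # (server, client) -> time of client's last SMTP packet
    probes = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t, sh, sp, dh, dp = rec
        if dp in SMTP_PORTS:                 # client sh -> mail server dh
            last_smtp[(dh, sh)] = t
        elif sp in NBNS_PORTS and dp in NBNS_PORTS:
            t0 = last_smtp.get((sh, dh))     # did dh just open SMTP to sh?
            if t0 is not None and 0 <= t - t0 <= window:
                probes[(sh, dh)] += 1
    return [(s, c, n) for (s, c), n in sorted(probes.items())]
```

    Calling find_nbns_leaks(SAMPLE_TCPDUMP) returns [('ms-exchange-server.hugh.org', 'blackhole.silkroad.com', 3)], the three probes Tim counted; a real capture in the same one-line-per-packet summary form can be fed in unchanged.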



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:03 PDT