MS Exchange Protocol Vulnerability

From: Tim Bass (bassat_private)
Date: Sat May 30 1998 - 06:17:38 PDT

Next message: Nicholas Rutterford: "Re: HP-UX finger possible security hole"

Previous message: David LeBlanc: "Local Group creation on NT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It seems that MS Exchange (if configured incorrectly) sends netbios-ns
packet across the Internet to originating SMTP clients during SMTP
sessions.  I've seen this with a server on a very large organization
and have tested others that use MS Exchange and have found many
that are doing the exact same thing.  Here is a tcpdump snapshot
of the session (names changed, of course):

-----------------------------------------

tcpdump: listening on ppp0
17:00:57.361500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:
17:00:57.371500 blackhole.silkroad.com.domain > smtp-server.hugh.org.domain: 241
17:00:57.671500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075:
17:00:57.671500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:
17:00:57.751500 smtp-server.hugh.org.domain > blackhole.silkroad.com.domain:
17:01:00.931500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:
17:01:01.201500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075

Note: Here is the netbio-ns packets (three to port 137 on my end)

17:01:03.181500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.
17:01:04.661500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.
17:01:06.161500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.
17:01:07.671500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075:
17:01:07.671500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:

Session over.

-----------------------------------------

I did not decode the packets, so I can't speak to what the MS Exchange
server is actually doing/requesting/asking, but, on the surface, this
appears to be a potential high-risk vulnerability; especially if the
server is requesting information or services that could be compromised
by setting up a bogus 137 udp service on the client side.

Perhaps we'll run sniffit on this end and see what the three udp packets
are hoping to fine.

Regards,

Insignificant Network Security Person on Vacation
Running TCPDUMP As Background Noise, Goofing Off

:

Next message: Nicholas Rutterford: "Re: HP-UX finger possible security hole"
Previous message: David LeBlanc: "Local Group creation on NT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:38 PDT