Next message: Chris: "Re: [7.8.2002 44916] Notice of Copyright Infringement]"
Dear Sir,
This vulnerability was discovered during a penetration test in mid
may. It was published to both the BUGTRAQ and VULN-DEV forums 45 days after
it was published to both CERT and Microsoft. Confirmation of their reciept
of this was delivered on the 29th of May 2002. Sorry mate, beat you to the
punch by about 2 months. If you would like to check the CERT internal
Reference Number is VU#197395.
Relevant e-mail is attached.
Regards,Liam.
<<Re: IIS Microsoft SMTP Service.... VU#197395>>
<<RE: IIS Microsoft SMTP Service Encapsulated SMTP Address
Vulnerability [lt]>>
<<Re: IIS Microsoft SMTP Service Encapsulated SMTP Address
Vulnerabilit y>>
> ----------
> From: Jason Edelstein[SMTP:jasonat_private]
> Reply To: Jason Edelstein
> Sent: Sunday, July 14, 2002 01:16
> To: JWC@portcullis-security.com
> Subject: hi
>
> Hi,
> I read your recent advisory on the SMTP encapsulation issue. Just out of
> interest, what date did you discover this vulnerability? What date did you
> escalate it to Microsoft?
>
> I belive I found this vulnerability and posted it on the securityfocus
> penetration testing list days earlier. If so I am happy for you to have
> credit for writing the advisory, but I should get some credit for finding
> the original bug.
>
> Regards,
> Jason
>
> ----------------------
> Sense of Security
> Jason Edelstein
> M:+61 (0)421 920 644
> F: +61 (0)2 8356 9842
> W: www.senseofsecurity.com.au
>
>
>
attached mail follows:
-----BEGIN PGP SIGNED MESSAGE-----
Hello Thomas,
Thank you for your direct report to the CERT Coordination Center. We
have assigned an internal reference number to this report and it is
included in the subject line of this e-mail message. This unique,
random number will help us track correspondence and coordinate our
activities. We would appreciate your including it in the subject line
of future correspondence about this vulnerability.
Regards,
Ian
Ian Finlay
Internet Systems Security Analyst - CERT/CC Operations
Networked Systems Survivability Program
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
CERT (R) Coordination Center Email: certat_private
Software Engineering Institute WWW: http://www.cert.org
Carnegie Mellon University Hotline: +1-412-268-7090
Pittsburgh, PA USA 15213-3890 FAX: +1-412-268-6989
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBPQToa6CVPMXQI2HJAQE+KgP/ZFSKLFPyz3rtf/zQJyKzinkm1cmTbIv2
gnjQ6pgYQmqNxIXCRBrO0lvOACL0WIfpDPV2QmuSysCeLZNkuChBtfpYIcW98i3Z
MsdCjB6EMjQWeBwj2mGzN4pWNQWXHBvuhB/KyhQKAsGNGd/hkVsh5GPD+q+n8mU+
KZ0W8gGuILw=
=R3co
-----END PGP SIGNATURE-----
attached mail follows:
Hi,
Thank you very much for your note. I forwarded this on to the program
manager for Exchange and he will research this and get back to me. As
soon as I hear anything, I will let you know what I find out.
Thanks for bringing this to our attention and for taking the time to
provide feedback. If you have any questions or concerns, please do not
hesitate to contact me.
Kind Regards,
Lynn
secureat_private
-----Original Message-----
From: TLR@portcullis-security.com [mailto:TLR@portcullis-security.com]
Sent: Wednesday, May 29, 2002 9:18 AM
To: Microsoft Security Response Center
Subject: IIS Microsoft SMTP Service Encapsulated SMTP Address
Vulnerability
Portcullis Security Advisory
IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability
Update to Microsoft Security Bulletin (MS99-027):
NT Exchange Server Encapsulated SMTP Address Vulnerability.
Vulnerability discovery and development:
Thomas Liam Romanis (Security Testing Services Manager)
Geoff M Webb (Technical Manager)
James R Turner (Senior Technical Engineer)
Affected systems:
IIS 4.0
Microsoft SMTP Service
IIS 5.0
Microsoft SMTP Service
IIS 5.1
Microsoft SMTP Service not tested yet.
Details:
Laurent Frinking of Quark Deutschland GmbH originally discovered this
vulnerability. At that time the discovery concerned all versions of
Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.
Portcullis have discovered that the Microsoft SMTP Service available
with IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP
address vulnerability even with anti-relaying features enabled.
This vulnerability allows hosts that are not authorized to relay
e-mail via the SMTP server to bypass the anti-relay features and send
mail to foreign domains.
Impact:
The anti-relay rules will be circumvented allowing spam and spoofed
mail to be relayed via the SMTP mail server.
Spam Mail:
If the Microsoft IIS SMTP Server is used to relay spam mail this
could result in the mail server being black holed causing disruption
to the service.
Spoofed e-mail:
As the Microsoft IIS SMTP Service is most often utilised in
conjunction with IIS for commercial use this flaw could be used in
order to engineer customers particularly because spoofed e-mail
relayed in this way will show the trusted web server in the SMTP
header.
Exploit:
220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905
ready at
Tue, 28 May 2002 14:54:10 +0100
helo
250 test-mailer Hello [IP address of source host]
MAIL FROM: testat_private
250 2.1.0 testat_private OK
RCPT TO: test2at_private
550 5.7.1 Unable to relay for testat_private
RCPT TO: IMCEASMTP-test+40test+2Ecomat_private
250 2.1.5 IMCEASMTP-test+40test+2Ecomat_private
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: You are vulnerable.
Copyright (c) Portcullis Computer Security Limited 2002, All rights
reserved worldwide.
Permission is hereby granted for the electronic redistribution of
this information. It is not to be edited or altered in any way
without the express written consent of Portcullis Computer Security
Limited.
Disclaimer: The information herein contained may change without
notice. Use of this information constitutes acceptance for use in an
AS IS condition. There are NO warranties, implied or otherwise, with
regard to this information or its use. Any use of this information is
at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information.
-
attached mail follows:
-----BEGIN PGP SIGNED MESSAGE-----
***************************************************************************
[NOTE -- THIS IS AN AUTOMATED RESPONSE]
Thank you for contacting the CERT(R) Coordination Center. We
appreciate your contacting us and consider your communications with us
to be very important. Because we focus our response efforts to have
the greatest impact on the Internet community, we may be unable to
provide you with a personal response to your message.
Please review the pointers contained in this message for information
which may be of immediate use to you.
Section A - CERT/CC Current Activity
Section B - Incident Reporting Information
Section C - Vulnerability Reporting Information
If you need additional information from the CERT/CC, we encourage you
to begin by looking at our list of CERT/CC Frequently Asked Questions:
http://www.cert.org/faq/cert_faq.html
======================================================================
Section A - CERT/CC Current Activity
The CERT/CC Current Activity web page provides a summary list of the
most frequent types of incident and vulnerability activity currently
being reported to the CERT/CC.
Please refer to this regularly updated page to obtain immediate
assistance in response to frequently reported activity:
http://www.cert.org/current/current_activity.html
In addition, the latest CERT/CC documents can be found at:
* CERT Advisories - http://www.cert.org/advisories/
* CERT Incident Notes - http://www.cert.org/incident_notes/
* CERT Vulnerability Notes - http://www.kb.cert.org/vuls/
* CERT Summaries - http://www.cert.org/summaries/
* CERT Tech Tips - http://www.cert.org/tech_tips/
* What's New - http://www.cert.org/nav/whatsnew.html
* CERT/CC Web Site - http://www.cert.org/
For pointers to information about computer viruses and hoaxes,
please see:
* http://www.cert.org/other_sources/viruses.html
======================================================================
Section B - Incident Reporting Information
We appreciate receiving incident reports because it helps us to
gain a better understanding of ongoing intruder activities and
attack profiles. From the information we receive, we are able to
identify and address critical security issues within the Internet
community. Because we prioritize our response efforts to have the
greatest impact on the Internet community, we are not be able to
provide everyone with a personal response.
For general information about reporting incidents to the CERT/CC,
please see our Incident Reporting Guidelines at:
http://www.cert.org/tech_tips/incident_reporting.html
To report incidents to the CERT/CC, please send information about
the incident in plain text format to certat_private You may wish to
use our Incident Reporting Form, located at:
http://www.cert.org/reporting/incident_form.txt
The CERT/CC considers the following types of incidents to be
emergencies:
* possible life-threatening activity
* attacks on the Internet infrastructure, such as:
- root name servers
- domain name servers
- major archive sites
- network access points (NAPs)
* widespread automated attacks against Internet sites
* new types of attacks or new vulnerabilities
If you are reporting such an emergency outside our operational
hours - business days between
08:00-17:00 EST/EDT (GMT-5/GMT-4)
and require immediate assistance, then please call the CERT
hotline:
+1 412 268 7090
If you believe the intruder activity is a threat to people's
lives or to the Internet infrastructure, please contact us
immediately.
======================================================================
Section C - Vulnerability Reporting Information
If you would like to report a new type of vulnerability or
tool being used by the intruder community, we would be
interested in any details that you may have. If you are able,
please include any or all of source code, log files of
execution, and descriptions of operating dependencies. Please
feel free to submit these details in ASCII format files (where
possible) of your own design, or if you prefer to use a form,
please see the file:
http://www.cert.org/reporting/vulnerability_form.txt
Please also encrypt the report using PGP if you are able to do
so. Instructions are given at the top of the reporting form.
======================================================================
CERT(R) Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA USA 15213-3890
Internet e-mail: certat_private (monitored during business hours)
Telephone: +1-412-268-7090 24-hour hotline
CERT Coordination Center personnel answer business days
08:00-17:00 EST/EDT (GMT-5)/(GMT-4), on call for emergencies
during other hours.
Fax: +1-412-268-6989
CERT and CERT Coordination Center are registered in U.S. Patent and
Trademark Office.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPDNbnaCVPMXQI2HJAQHvcwQAljLIFBVtoFPoATWgbU/n5PSuz3cTT6Mw
2BEemoZN7xpQczGMDXgBapzFmTRiq3oVM1aSbpKZ6W8CGjoCQOdxGGQ22kTpFaHK
e4j+b2Juym8aOWYuEmXxaw9MVPh79Bh8eIOC3npuYEXbEvlQPRyuDyNCZq5Vwe6b
Y2ubokmJD3M=
=q5NW
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30
: Mon Jul 15 2002 - 09:15:54 PDT