[22564] in bugtraq
Re: Microsoft Security Bulletin MS01-047
daemon@ATHENA.MIT.EDU (Craig Boston)
Fri Sep 7 17:41:07 2001
Date: Fri, 7 Sep 2001 14:55:40 -0500 (CDT)
From: Craig Boston <craig@wmhza.gank.org>
To: H D Moore <hdm@secureaustin.com>
Cc: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Disposition: INLINE
In-Reply-To: <20010907005504.8679.qmail@securityfocus.com>
Reply-To: craig@wmhza.gank.org
Message-Id: <20010907195528.0020E62B1@mail.gank.org>
On Thu, 6 Sep 2001 19:54:58 -0500 H D Moore <hdm@secureaustin.com> wrote:
> I thought this was a feature ;)
>
> To dump the complete GAL:
> http://exchangesvr/exchange/finduser/fumsg.asp
I tried this on my 5.5 SP4 server with OWA. I replaced http with https as
I have IIS configured to only allow encrypted access to the /exchange tree
and got redirected back to the logon screen since I didn't have a session cookie.
> If you get redirected back to the logon page immediately, it means that you
> must establish a session with your browser first. To do that, just browse to:
>
> http://exchangesvr/exchange/LogonFrm.asp?mailbox=&isnewwindow=0
This request gets me a blank page with a javascript popup saying "This page
has been disabled, please see your administrator." I got an ASPSESSIONID
cookie, however the first URL still redirects me back to the logon page. I
encountered similar results with Aviram Jenik's method.
My guess is this is because I have disabled anonymous access to public
folders. I'm not 100% sure but it would appear at first glance that this
provides some protection against the GAL enumeration exploit.
Exchange Administrator, Site/Configuration/Protocols/HTTP and uncheck both
boxes about anonymous access. Probably a good idea anyway if you have no
public folders that need to be accessed anonymously.
--
Craig Boston, CCNA
Network Administrator
Owen Oil Tools, Inc.
