[24528] in bugtraq


RE: IIS SMTP component allows mail relaying via Null Session

daemon@ATHENA.MIT.EDU (Toni Lassila)
Mon Mar 4 18:19:41 2002

Date: Mon, 4 Mar 2002 08:13:03 +0200
From: "Toni Lassila" <toni.lassila@mc-europe.com>
To: "Todd Sabin" <tsabin@razor.bindview.com>
Cc: <bugtraq@securityfocus.com>


> -----Original Message-----
> From: Todd Sabin [mailto:tsabin@razor.bindview.com]
> Sent: Friday, March 01, 2002 17:31
> To: bugtraq@securityfocus.com
> Subject: IIS SMTP component allows mail relaying via Null Session
>
> Overview:
> IIS comes with a small SMTP component.  The default settings allow
> anyone who can authenticate to it to relay email.  Because the
> authentication system supports NTLM, it is possible for anyone to
> authenticate using null session credentials, and then relay email.
> 
> Workarounds:
> Disable the SMTP service.
> Disable the ability of authenticated users to relay email.
> Firewall off the SMTP service from untrusted networks.

I suspect turning off NTLM authentication and allowing only Basic
Authentication (with or without TLS), or alternatively disabling
null session access (details are in many MS KB articles) from the server
are two possible workarounds as well. Disabling null sessions is
one of those security features one should enable when securing a
Windows-based server anyway.

-- 
Toni Lassila         t.lassila@mc-europe.com
Operations Engineer         +358 9 5655 1882
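As an added example (not code from either post, nor from Microsoft), a small audit script that parses a constructed IIS-style EHLO reply and flags the two conditions this thread turns on: NTLM/GSSAPI being offered (the path null-session credentials take), and Basic-style mechanisms offered without STARTTLS. The host name and address in the sample are placeholders.

```python
# Added example: audit an SMTP EHLO reply for the authentication setup
# discussed in the thread. The reply below is constructed for illustration,
# not captured from a real server.
import re

# Constructed sample EHLO reply in the style of the IIS SMTP service.
SAMPLE_EHLO = """250-mail.example.test Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-SIZE 2097152
250-PIPELINING
250-8bitmime
250 OK
"""

def parse_ehlo(text):
    """Return (auth_mechanisms, extensions) from a multi-line EHLO reply."""
    mechs, exts = set(), set()
    for line in text.splitlines():
        m = re.match(r"250[- ](.*)", line)
        if not m:
            continue
        body = m.group(1).strip()
        kw = body.split()[0].upper() if body else ""
        if kw.startswith("AUTH"):
            # Handles both "AUTH X Y" and the legacy "AUTH=X" form.
            rest = body[4:].lstrip("= ").split()
            mechs.update(x.upper() for x in rest)
        else:
            exts.add(kw)
    return mechs, exts

def audit_auth(text):
    """Return findings matching the workarounds discussed in the thread."""
    mechs, exts = parse_ehlo(text)
    findings = []
    if mechs & {"NTLM", "GSSAPI"}:
        findings.append("integrated auth offered: null-session credentials may satisfy it")
    if mechs & {"LOGIN", "PLAIN"} and "STARTTLS" not in exts:
        findings.append("Basic-style auth offered without STARTTLS")
    return findings

if __name__ == "__main__":
    for f in audit_auth(SAMPLE_EHLO):
        print("FINDING:", f)
```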
