[24551] in bugtraq
Re: IIS SMTP component allows mail relaying via Null Session
daemon@ATHENA.MIT.EDU (Todd Sabin)
Tue Mar 5 17:53:22 2002
To: "Toni Lassila" <toni.lassila@mc-europe.com>
Cc: <bugtraq@securityfocus.com>
From: Todd Sabin <tsabin@razor.bindview.com>
Date: 04 Mar 2002 23:23:02 -0500
In-Reply-To: <6C60F1D0DCCC0F4FBDCA8F1668BE08AF0641EE@fp1.tekian.net> ("Toni Lassila"'s message of "Mon, 4 Mar 2002 08:13:03 +0200")
Message-ID: <m3d6yjej89.fsf@jetcar.qnz.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
"Toni Lassila" <toni.lassila@mc-europe.com> writes:
> > Overview:
> > IIS comes with a small SMTP component. The default settings allow
> > anyone who can authenticate to it to relay email. Because the
> > authentication system supports NTLM, it is possible for anyone to
> > authenticate using null session credentials, and then relay email.
> >
> > Workarounds:
> > Disable the SMTP service.
> > Disable the ability of authenticated users to relay email.
> > Firewall off the SMTP service from untrusted networks.
>
> I suspect turning off NTLM authentication and allowing only Basic
> Authentication (with or without TLS),
I tried this, and it appears to be effective.
> or alternatively disabling
> null session access (details are in many MS KB) from the server
> are two possible workarounds as well. Disabling null sessions is
> one of those security features one should do when securing a
> Windows-based server anyway.
If by "disabling null sessions" you mean setting RestrictAnonymous to
1 or 2, then that is not effective. RestrictAnonymous doesn't disable
anonymous access, it just places additional restrictions on it. You
can still authenticate just fine with a null session when RA=2, and
that's all you need for relaying.
Todd
--
Todd Sabin <tas@webspan.net>
BindView RAZOR Team <tsabin@razor.bindview.com>
