Portcullis Security Advisory
IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability
Update to Microsoft Security Bulletin (MS99-027):
NT Exchange Server Encapsulated SMTP Address Vulnerability.
Vulnerability discovery and development:
Thomas Liam Romanis (Security Testing Services Manager)
Geoff M Webb (Technical Manager)
James R Turner (Senior Technical Engineer)
Affected systems:
IIS 4.0
Microsoft SMTP Service
IIS 5.0
Microsoft SMTP Service
IIS 5.1
Microsoft SMTP Service not tested yet.
Details:
Laurent Frinking of Quark Deutschland GmbH originally discovered this
vulnerability. At that time the discovery concerned all versions of
Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.
Portcullis have discovered that the Microsoft SMTP Service available with
IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address
vulnerability even with anti-relaying features enabled.
This vulnerability allows hosts that are not authorized to relay e-mail via
the SMTP server to bypass the anti-relay features and send mail to foreign
domains.
Impact:
The anti-relay rules will be circumvented allowing spam and spoofed mail to
be relayed via the SMTP mail server.
Spam Mail:
If the Microsoft IIS SMTP Server is used to relay spam mail this could
result in the mail server being black holed causing disruption to the
service.
Spoofed e-mail:
As the Microsoft IIS SMTP Service is most often utilised in conjunction with
IIS for commercial use this flaw could be used in order to engineer
customers particularly because spoofed e-mail relayed in this way will show
the trusted web server in the SMTP header.
Exploit:
220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready
at
Tue, 28 May 2002 14:54:10 +0100
helo
250 test-mailer Hello [IP address of source host]
MAIL FROM: [EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] OK
RCPT TO: [EMAIL PROTECTED]
550 5.7.1 Unable to relay for [EMAIL PROTECTED]
RCPT TO: [EMAIL PROTECTED]
250 2.1.5 [EMAIL PROTECTED]
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: You are vulnerable.
Copyright © Portcullis Computer Security Limited 2002, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the
express written consent of Portcullis Computer Security Limited.
Disclaimer: The information herein contained may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's risk.
In no event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
John Clayton
Portcullis Computer Security Ltd.
Security Testing Services Team Leader and
Dragon IDS Technical Product Manager
www.portcullis-security.com
