From: Mark E (mje@WIN2000MAG.COM)
Date: Fri Mar 01 2002 - 10:21:42 CST


    Microsoft Security Bulletin MS02-011

    Authentication Flaw Could Allow Unauthorized Users To
    Authenticate To SMTP Service
    Originally posted: February 27, 2002

    Summary
    Who should read this bulletin: Customers using Microsoft®
    Windows® 2000 or Exchange® Server 5.5

    Impact of vulnerability: Mail relaying.

    Maximum Severity Rating: Low

    Recommendation: Customers who need the Windows 2000 SMTP
    services should apply the Windows patch; all others should disable
    the SMTP service. Customers using the Exchange Server 5.5 IMC
    should apply the Exchange Server 5.5 IMC patch.

    Affected Software:

    Microsoft Windows 2000
    Microsoft Exchange Server 5.5

     Technical details
    Technical description:

    An SMTP service installs by default as part of Windows 2000 server
    products and as part of the Internet Mail Connector (IMC) for
    Microsoft Exchange Server 5.5. (The IMC, also known as the Microsoft
    Exchange Internet Mail Service, provides access and message exchange
    to and from any system that uses SMTP.) A vulnerability results in
    both services because of a flaw in the way they handle a valid
    response from the NTLM authentication layer of the underlying
    operating system.

    By design, the Windows 2000 SMTP service and the Exchange Server 5.5
    IMC, upon receiving notification from the NTLM authentication layer
    that a user has been authenticated, should perform additional checks
    before granting the user access to the service. The vulnerability
    results because the affected services don't perform this additional
    checking correctly. In some cases, this could result in the SMTP
    service granting access to a user solely on the basis of their
    ability to successfully authenticate to the server.

    An attacker who exploited the vulnerability could gain only
    user-level privileges on the SMTP service, thereby enabling the
    attacker to use the service but not to administer it. The most
    likely purpose in exploiting the vulnerability would be to perform
    mail relaying via the server.

    Mitigating factors:

    Exchange 2000 servers are not affected by the vulnerability because
    they correctly handle the authentication process to the SMTP service.

    The vulnerability would not enable the attacker to read other users'
    email, nor to send mail as other users.

    Best practices recommend disabling unneeded services. If the SMTP
    service has been disabled, the mail relaying vulnerability could not
    be exploited.

    The vulnerability would not grant administrative privileges to the
    service, nor would it grant the attacker the ability to run programs
    or operating system commands.

    Severity Rating: Low

                              Internet Servers  Intranet Servers  Client Systems
    Windows 2000              Low               Low               Low
    Microsoft Exchange 5.5    Low               Low               None

    The above assessment is based on the types of systems affected by the
    vulnerability, their typical deployment patterns, and the effect that
    exploiting the vulnerability would have on them. An attacker could
    only relay mail and would not be able to read mail, gain system
    privileges or run programs.

    Vulnerability identifier: CAN-2002-0054

    Tested Versions:
    Microsoft tested Windows 2000, Windows NT® 4.0, Exchange
    Server 5.5 and Exchange Server 2000 to assess whether they are
    affected by these vulnerabilities. Previous versions are no longer
    supported, and may or may not be affected by these vulnerabilities.

     Frequently asked questions
    What’s the scope of the vulnerability?

    This vulnerability could enable an unauthorized user to consume
    resources of a mail server without authorization. This could enable
    an attacker to disguise the origination point of a mail, or co-opt a
    server's resources for mass mailings.

    This vulnerability is subject to constraints:

    It would only affect servers running the Exchange Server 5.5 Internet
    Mail Connector service or the native Windows 2000 SMTP service.

    It would not grant administrative privileges to the service, nor
    would it grant the attacker the ability to run programs or operating
    system commands.

    Mail servers running Exchange 2000 are not affected by this
    vulnerability.

    What causes the vulnerability?

    The vulnerability results because of an authentication error
    affecting both the SMTP service in Windows 2000 and the Exchange
    Server 5.5 Internet Mail Connector. Both of these services should
    perform additional checking before granting mail privileges to a user
    who has authenticated to the server; however, they do not do so
    correctly.

    What is SMTP?

    SMTP (Simple Mail Transfer Protocol) is an industry standard for
    delivery of mail via the Internet, defined in RFCs 2821 and 2822.
    The protocol defines the format of mail messages, the fields in
    them and their contents, and the handling procedures for mails. An
    SMTP service is provided with Windows 2000 and installs by
    default on server products.

    What is the Exchange 5.5 Internet Mail Connector?

    The Internet Mail Connector (IMC) is the component in Exchange
    Server 5.5 that allows mail to be sent to and received from other
    servers that use SMTP. It installs by default as part of Exchange
    Server 5.5, and is also sometimes referred to as the Exchange
    Server 5.5 Internet Mail Service.

    What's wrong with the Windows 2000 SMTP service and the
    Exchange Server 5.5 IMC?

    Before a user can make use of a mail service, they first must
    authenticate to the server. But even if this is done successfully,
    the mail services themselves should perform additional checking to
    ensure that it's appropriate to let the user access them. Neither the
    Windows 2000 SMTP service nor the Exchange Server 5.5 IMC performs
    this additional checking correctly. The result is that a user who
    could successfully authenticate to the server would always have the
    ability to use the mail services, even if it's not appropriate.

    What would this enable the attacker to do?

    The vulnerability would enable an attacker to levy mail requests as
    an authorized user. That is, it would enable the attacker to send
    mail. The most likely use of this vulnerability would be in performing
    mail relaying.

    What’s mail relaying?

    Mail relaying is a practice in which e-mail is routed to an
    intermediate mail server, which then delivers it to the recipient's
    mail server. Mail relaying is often a legitimate practice. For
    example, suppose a company with several servers has designated
    one of them as a mail gateway to the Internet. Any e-mail sent to
    the company would arrive at the gateway server, and then be
    relayed to the appropriate server for delivery to the recipient.

    However, malicious users also sometimes try to perform
    unauthorized mail relaying. For example, a spammer who has a
    low-end server and a slow network connection might use mail
    relaying in order to get someone else's higher-powered mail server
    and fast network connection to send spam on their behalf. Mail
    relaying also has been misused to disguise the point of origination
    for an email.
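    The distinction the two answers above draw (the NTLM layer decides
    whether a client is authenticated; the mail service must then decide
    separately whether that principal may relay) can be modelled in a
    few lines. The following Python is an added example written for this
    archive copy of the bulletin; it is not Microsoft's code and does not
    reproduce the internals of the Windows 2000 SMTP service or the
    Exchange 5.5 IMC. The local domain, the account names and the
    relay-permitted group are constructed values.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed configuration for the model: neither the domain, the
# principal names nor the relay group come from the bulletin.
LOCAL_DOMAINS = {"example.com"}          # domains this server delivers for itself
RELAY_PERMITTED = {"EXAMPLE\\mailgw"}    # accounts allowed to relay outbound mail


@dataclass
class Session:
    """What the SMTP service knows about a client after the AUTH exchange."""
    authenticated: bool                # the NTLM layer reported success
    principal: Optional[str] = None    # account name the NTLM layer returned


def is_local(rcpt: str) -> bool:
    """True when the recipient's domain is one this server hosts."""
    return rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS


def relay_allowed_vulnerable(session: Session, rcpt: str) -> bool:
    """Pre-patch behaviour as the bulletin describes it: a successful NTLM
    authentication alone is enough to relay to any outside domain."""
    if is_local(rcpt):
        return True
    return session.authenticated


def relay_allowed_fixed(session: Session, rcpt: str) -> bool:
    """Patched behaviour: authentication is necessary but not sufficient;
    the service also checks that this principal is permitted to relay."""
    if is_local(rcpt):
        return True
    if not session.authenticated or session.principal is None:
        return False
    return session.principal in RELAY_PERMITTED


Policy = Callable[[Session, str], bool]


def rcpt_reply(policy: Policy, session: Session, rcpt: str) -> str:
    """SMTP reply the RCPT TO command would receive under the given policy."""
    return "250 OK" if policy(session, rcpt) else "550 5.7.1 Relaying denied"


if __name__ == "__main__":
    # A low-privilege account that can authenticate but has no business relaying.
    guest = Session(authenticated=True, principal="EXAMPLE\\guest")
    for name, policy in (("vulnerable", relay_allowed_vulnerable),
                         ("fixed", relay_allowed_fixed)):
        print(f"{name:10s} RCPT TO:<someone@other.net> -> "
              f"{rcpt_reply(policy, guest, 'someone@other.net')}")
```

    Under `relay_allowed_vulnerable` the decision for an outside
    recipient reduces to "did NTLM say yes", which is exactly the
    condition the bulletin calls insufficient: any account that can
    authenticate, however unprivileged, gets a 250 to an external
    recipient. `relay_allowed_fixed` keeps local delivery open, refuses
    unauthenticated relay, and relays for an authenticated principal only
    when a separate authorization list says so.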

    Would the vulnerability allow the attacker to take any other actions
    on the server?

    The vulnerability would only confer user-level privileges on the SMTP
    service to the attacker – it would not grant administrative
    privileges to the service, nor would it grant the attacker the
    ability to run programs or operating system commands, nor would it
    allow the attacker to read, create, or send other users' mail.

    Does this affect all Windows 2000 servers?

    A Windows 2000 server would only be affected by it if the SMTP
    service is installed and running. This is the default configuration;
    however, Microsoft always recommends reviewing the list of services
    and disabling any that aren't needed.

    Does the vulnerability affect the SMTP service in Windows NT 4.0?

    No. Only the SMTP services that ship with Windows 2000 or the
    Exchange Server 5.5 IMC are affected.

    Does this vulnerability affect Windows XP Professional?

    Windows XP Professional was tested and is not affected by this
    vulnerability.

    I'm running Exchange Server 5.5 on a Windows 2000 system. Should I
    apply the Windows 2000 patch or the Exchange Server 5.5 patch?

    Administrators of Exchange 5.5 need only apply the latest IMC patch
    described below. It is not necessary to apply the Windows 2000 patch.

    I'm running Exchange Server 2000. Do I need a patch?

    No. Even though Exchange Server 2000 can be installed on a
    Windows 2000 server (and indeed, it is the only system it can be
    installed on), Exchange Server 2000 is not affected by this
    vulnerability. Exchange Server 2000 installs components that
    perform the additional checking correctly.

    What does the patch do?

    The patch eliminates the vulnerability by ensuring that the SMTP
    service properly authenticates users before allowing them to levy
    requests on it.

    Patch availability
    Download locations for this patch
    Microsoft Windows 2000 Server, Professional and Advanced Server:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
    Exchange Server 5.5:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423
    Microsoft Windows 2000 Datacenter Server:
    Patches for Windows 2000 Datacenter Server are hardware-specific
    and available from the original equipment manufacturer.

     Additional information about this patch
    Installation platforms:
    The Windows 2000 patch can be installed on systems running Windows
    2000 Service Pack 2.
    The Exchange Server 5.5 patch can be installed on systems running
    Exchange Server 5.5 Service Pack 4.
    Inclusion in future service packs:
    The fix for this issue will be included in Windows 2000 SP3. At this
    time there are no plans for another Exchange Server 5.5 service pack.

    Reboot needed: Yes

    Superseded patches: None.

    Superseding patches: The patch for MS02-012 contains this fix for
    Windows 2000.

    Verifying patch installation:

    Exchange Server 5.5:

    To verify that the patch has been installed on the machine, confirm
    that the following registry key has been created on the Exchange
    Server 5.5 machine:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Exchange 5.5\SP5\Q289258
    To verify the individual files, use the date/time and version
    information provided in the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Exchange 5.5\SP5\Q289258\filelist

    Windows 2000:

    To verify that the patch has been installed on the machine, confirm
    that the following registry key has been created on the Windows 2000
    machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q313450
    To verify the individual files, use the date/time and version
    information provided in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q313450\Filelist
    Caveats:
    None

    Localization:
    Localized versions of this patch are available at the locations
    discussed in "Patch Availability".

    Obtaining other security patches:
    Patches for other security issues are available from the following
    locations:

    Security patches are available from the Microsoft Download Center,
    and can be most easily found by doing a keyword search for
    "security_patch".
    Patches for consumer platforms are available from the
    WindowsUpdate web site
    All patches available via WindowsUpdate also are available in a
    redistributable form from the WindowsUpdate Corporate site.
    Other information:
    Acknowledgments
    Microsoft thanks BindView's RAZOR Team for reporting this issue
    to us and working with us to protect customers.

    Support:

    Microsoft Knowledge Base articles Q313450 and Q289258 discuss this
    issue and will be available approximately 24 hours after the release
    of this bulletin. Knowledge Base articles can be found on the
    Microsoft Online Support web site.
    Technical support is available from Microsoft Product Support
    Services. There is no charge for support calls associated with
    security patches.
    Security Resources: The Microsoft TechNet Security Web Site
    provides additional information about security in Microsoft products.

    Disclaimer:
    The information provided in the Microsoft Knowledge Base is provided
    "as is" without warranty of any kind. Microsoft disclaims all
    warranties, either express or implied, including the warranties of
    merchantability and fitness for a particular purpose. In no event
    shall Microsoft Corporation or its suppliers be liable for any
    damages whatsoever including direct, indirect, incidental,
    consequential, loss of business profits or special damages, even if
    Microsoft Corporation or its suppliers have been advised of the
    possibility of such damages. Some states do not allow the exclusion
    or limitation of liability for consequential or incidental damages so
    the foregoing limitation may not apply.

    Revisions:

    V1.0 (February 27, 2002): Bulletin Created.

    _____________________________________________________________________
    ** TO UNSUBSCRIBE DO NOT REPLY TO THIS MESSAGE!

    ** SEND ALL COMMANDS TO: LISTSERV@LISTSERV.NTSECURITY.NET
    ** TO UNSUBSCRIBE, send the command "unsubscribe win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "set win2ksecadvice DIGEST"