BindView Security Advisory
--------------------------

IIS SMTP component allows mail relaying via Null Session

Issue Date: March 1, 2002
Contact: tsabin@razor.bindview.com

Topic:

The SMTP component that comes with IIS can be used by anyone for relaying email.

Overview:

IIS comes with a small SMTP component. The default settings allow anyone who can authenticate to it to relay email. Because the authentication system supports NTLM, it is possible for anyone to authenticate using null session credentials, and then relay email.

Affected Systems:

IIS 5 servers with the SMTP component enabled. IIS 4 was not tested.

Impact:

The vulnerability would likely be exploited by spammers to misappropriate bandwidth and CPU time. There does not appear to be any way of using this vulnerability to run arbitrary code or otherwise gain access to the vulnerable system.

Details:

The SMTP component supports the SMTP AUTH command, and allows NTLM as an option within that. This is intended to be used by normal users to authenticate themselves via an NTLM challenge-response. However, because NTLM supports using null session credentials, an anonymous user can use this mechanism to 'authenticate'. Once that is accomplished, the SMTP service will relay email.

A sample transcript follows. The initial failure is not necessary; it is simply to illustrate that relay requires authentication:

(Release of the actual authentication data is being delayed in accordance with draft-christey-wysopal-vuln-disclosure-00.txt)

    % telnet 192.168.8.129 25
    Trying 192.168.8.129...
    Connected to 192.168.8.129.
    Escape character is '^]'.
    220 w2ks.w2kvm.qnz.org Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at Wed, 29 Aug 2001 11:52:15 -0400
    HELO foo
    250 w2ks.w2kvm.qnz.org Hello [192.168.8.1]
    MAIL From:<>
    250 2.1.0 <>....Sender OK
    RCPT To:<secure@microsoft.com>
    550 5.7.1 Unable to relay for secure@microsoft.com
    AUTH NTLM <etc, etc>
    334 <etc, etc>
    <etc, etc>
    235 2.7.0 Authentication successfull
    MAIL From:<>
    503 5.5.2 Sender already specified
    RCPT To:<secure@microsoft.com>
    250 2.1.5 secure@microsoft.com
    DATA
    354 Start mail input; end with <CRLF>.<CRLF>
    Subject: your SMTP server supports null sessions

    yada yada yada
    .
    250 2.6.0 <W2KShlQ6QpPpSML5liF00000001@w2ks.w2kvm.qnz.org> Queued mail for delivery
    QUIT
    221 2.0.0 w2ks.w2kvm.qnz.org Service closing transmission channel
    Connection closed by foreign host.

Workarounds:

Disable the SMTP service.

Disable the ability of authenticated users to relay email.

Firewall off the SMTP service from untrusted networks.

Recommendations:

Disable the SMTP service, if not needed.

Install the patch from Microsoft.

References:

Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

Microsoft's Hotfix:

Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
(the download page mentions ms02-012, but the patch also covers ms02-011)

Exchange 5.5:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423

Microsoft's Knowledge Base article:
http://www.microsoft.com/technet/support/kb.asp?ID=310669
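The pattern in the transcript above (relay refused unauthenticated, then accepted after an NTLM AUTH) is exactly what a defender would look for when triaging captured SMTP sessions from a server that should not relay for authenticated users. The following Python is an added example, not part of the advisory; the session text is constructed from the transcript, with a placeholder hostname and recipient and the "<etc, etc>" lines standing in for the elided NTLM data.

```python
import re

# Constructed sample session, modelled on the advisory's transcript.
SAMPLE_SESSION = """\
220 smtp.example.test Microsoft ESMTP MAIL Service ready
HELO foo
250 smtp.example.test Hello [192.0.2.1]
MAIL From:<>
250 2.1.0 <>....Sender OK
RCPT To:<someone@external.example>
550 5.7.1 Unable to relay for someone@external.example
AUTH NTLM <etc, etc>
334 <etc, etc>
<etc, etc>
235 2.7.0 Authentication successfull
RCPT To:<someone@external.example>
250 2.1.5 someone@external.example
QUIT
221 2.0.0 smtp.example.test Service closing transmission channel
"""

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")


def analyze_session(transcript):
    """Walk a client/server SMTP transcript and report relay behaviour
    before and after authentication; flags the advisory's pattern."""
    state = {"auth_mech": None, "authenticated": False,
             "relay_denied_before_auth": False, "relay_after_auth": False}
    pending = None  # client command whose reply we are waiting for
    for line in transcript.splitlines():
        m = REPLY_RE.match(line)
        if m:  # server reply
            code = m.group(1)
            if pending == "RCPT":
                if code == "550" and not state["authenticated"]:
                    state["relay_denied_before_auth"] = True
                elif code == "250" and state["authenticated"]:
                    state["relay_after_auth"] = True
            elif pending == "AUTH" and code == "235":
                state["authenticated"] = True
            if code != "334":  # 334 keeps the AUTH exchange open
                pending = None
            continue
        parts = line.split()  # client line (command or AUTH data)
        verb = parts[0].upper() if parts else ""
        if verb == "RCPT":
            pending = "RCPT"
        elif verb == "AUTH":
            pending = "AUTH"
            state["auth_mech"] = parts[1].upper() if len(parts) > 1 else None
    state["relay_after_ntlm_auth"] = (state["relay_denied_before_auth"]
        and state["relay_after_auth"] and state["auth_mech"] == "NTLM")
    return state
```

A session that still returns 550 on RCPT after the 235 is what the "disable relay for authenticated users" workaround should produce.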