Bugtraq mailing list archives

Re: MS Exchange Protocol Vulnerability


From: cima () BRASILIA COM BR (Fernando Cima)
Date: Thu, 30 Apr 1998 20:19:40 -0300


Dear Tim,

I've never decoded these packets too, but a possible cause is the
behavior of the gethostbyaddr() function in NT 4.0. According to the NT
Resource Kit, gethostbyaddr() uses this sequence:

 1.     Check local computer host name.
 2.     Check the HOSTS file for a matching address entry.
 3.     If a DNS server is configured, query it.
 4.     If no match is found, send a NetBIOS Adapter Status Request to the
IP address being queried, and if it responds with a list of NetBIOS
names registered for the adapter, parse it for the computer name.

My guess is that Exchange IMC is calling gethostbyaddr() to make the
reverse lookup of the incoming SMTP server. Not finding the information
in DNS, it sends out an nbt query (udp port 137) to the incoming
machine.

Maybe a bogus netbios nameserver could be used to spoof the name for the
incoming machine, but i can't see any serious security implications in
this case.

Cheers,

- Fernando Cima


----------
De: Tim Bass
Para: BUGTRAQ () NETSPACE ORG
Enviada: 30/05/98 10:17:38
Assunto: MS Exchange Protocol Vulnerability

It seems that MS Exchange (if configured incorrectly) sends netbios-ns
packet across the Internet to originating SMTP clients during SMTP
sessions.  I've seen this with a server on a very large organization
and have tested others that use MS Exchange and have found many
that are doing the exact same thing.  Here is a tcpdump snapshot
of the session (names changed, of course):

-----------------------------------------

tcpdump: listening on ppp0
17:00:57.361500 blackhole.silkroad.com.1075 >
ms-exchange-server.hugh.org.smtp:
17:00:57.371500 blackhole.silkroad.com.domain >
smtp-server.hugh.org.domain: 241
17:00:57.671500 ms-exchange-server.hugh.org.smtp >
blackhole.silkroad.com.1075:
17:00:57.671500 blackhole.silkroad.com.1075 >
ms-exchange-server.hugh.org.smtp:
17:00:57.751500 smtp-server.hugh.org.domain >
blackhole.silkroad.com.domain:
17:01:00.931500 blackhole.silkroad.com.1075 >
ms-exchange-server.hugh.org.smtp:
17:01:01.201500 ms-exchange-server.hugh.org.smtp >
blackhole.silkroad.com.1075

Note: Here is the netbio-ns packets (three to port 137 on my end)

17:01:03.181500 ms-exchange-server.hugh.org.netbios-ns >
blackhole.silkroad.com.
17:01:04.661500 ms-exchange-server.hugh.org.netbios-ns >
blackhole.silkroad.com.
17:01:06.161500 ms-exchange-server.hugh.org.netbios-ns >
blackhole.silkroad.com.
17:01:07.671500 ms-exchange-server.hugh.org.smtp >
blackhole.silkroad.com.1075:
17:01:07.671500 blackhole.silkroad.com.1075 >
ms-exchange-server.hugh.org.smtp:

Session over.

-----------------------------------------

I did not decode the packets, so I can't speak to what the MS Exchange
server is actually doing/requesting/asking, but, on the surface, this
appears to be a potential high-risk vulnerability; especially if the
server is requesting information or services that could be compromised
by setting up a bogus 137 udp service on the client side.

Perhaps we'll run sniffit on this end and see what the three udp packets
are hoping to fine.

Regards,

Insignificant Network Security Person on Vacation
Running TCPDUMP As Background Noise, Goofing Off

:



Current thread: