Bugtraq mailing list archives

Re: Microsoft Security Bulletin MS01-047


From: Craig Boston <craig () wmhza gank org>
Date: Fri, 7 Sep 2001 14:55:40 -0500 (CDT)

On Thu, 6 Sep 2001 19:54:58 -0500 H D Moore <hdm () secureaustin com> wrote:

I thought this was a feature ;)

To dump the complete GAL:
http://exchangesvr/exchange/finduser/fumsg.asp

I tried this on my 5.5 SP4 server with OWA.  I replaced http with https as
I have IIS configured to only allow encrypted access to the /exchange tree
and got redirected back to the logon screen since I didn't have a session cookie.

If you get redirected back to the logon page immediately, it means that you 
must establish a session with your browser first.  To do that, just browse to:

http://exchangesvr/exchange/LogonFrm.asp?mailbox=&isnewwindow=0

This request gets me a blank page with a javascript popup saying "This page
has been disabled, please see your administrator."  I got an ASPSESSIONID
cookie, however the first URL still redirects me back to the logon page.  I
encountered similar results with Aviram Jenik's method.

My guess is this is because I have disabled anonymous access to public
folders.  I'm not 100% sure but it would appear at first glance that this
provides some protection against the GAL enumeration exploit.

Exchange Administrator, Site/Configuration/Protocols/HTTP and uncheck both
boxes about anonymous access.  Probably a good idea anyway if you have no
public folders that need to be accessed anonymously.

--
Craig Boston, CCNA
Network Administrator
Owen Oil Tools, Inc.
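Whether or not the anonymous-access setting above is the reason the redirect happens, an administrator will want to confirm from the server side that nobody is pulling the GAL through the finduser page. The following is an added example, not code from the original post or from Microsoft: it parses IIS W3C extended log records, using the `#Fields:` directive for column names, and reports per client address how many hits on `/exchange/finduser/fumsg.asp` were redirected (the behaviour Craig describes) versus served with a 200, with a separate count for 200s that carry no authenticated user. The log lines are constructed for the example; the addresses, usernames and timestamps are not from any real server.

```python
"""Flag finduser/fumsg.asp hits in IIS W3C extended logs (added example).

A 3xx on the page means the server pushed the client back to the logon form;
a 200 means the page was actually served.  A 200 with no cs-username is the
case worth alerting on, since it is an unauthenticated dump of the GAL.
"""
from collections import defaultdict

# Constructed sample log in the layout IIS 5 writes by default.  IIS replaces
# spaces inside a field (e.g. the User-Agent) with '+', so split() is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-07 19:55:40
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-09-07 19:55:41 192.0.2.10 - 198.51.100.5 443 GET /exchange/finduser/fumsg.asp - 302 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-07 19:55:42 192.0.2.10 - 198.51.100.5 443 GET /exchange/LogonFrm.asp mailbox=&isnewwindow=0 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-07 19:55:43 192.0.2.10 - 198.51.100.5 443 GET /exchange/finduser/fumsg.asp - 302 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-07 20:01:00 203.0.113.7 - 198.51.100.5 80 GET /exchange/finduser/fumsg.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-07 20:01:30 203.0.113.7 - 198.51.100.5 80 GET /exchange/finduser/fumsg.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-09-07 20:02:00 203.0.113.7 jdoe 198.51.100.5 80 GET /exchange/finduser/fumsg.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
"""

# Path quoted in the thread; compared case-insensitively because IIS is.
WATCH_PATHS = {"/exchange/finduser/fumsg.asp"}


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this record onto the declared columns
        yield dict(zip(fields, values))


def gal_enumeration_report(text):
    """Per client IP: how many finduser hits were redirected vs served."""
    report = defaultdict(lambda: {"redirected": 0, "served": 0, "anonymous_served": 0})
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() not in WATCH_PATHS:
            continue
        entry = report[rec["c-ip"]]
        status = rec.get("sc-status", "")
        if status.startswith("3"):
            entry["redirected"] += 1
        elif status == "200":
            entry["served"] += 1
            if rec.get("cs-username", "-") == "-":  # IIS logs '-' for no user
                entry["anonymous_served"] += 1
    return dict(report)


def exposed_clients(text):
    """Client addresses that received the page at least once without a user."""
    return sorted(ip for ip, e in gal_enumeration_report(text).items()
                  if e["anonymous_served"] > 0)


if __name__ == "__main__":
    for ip, counts in gal_enumeration_report(SAMPLE_LOG).items():
        print(ip, counts)
    print("exposed:", exposed_clients(SAMPLE_LOG))
```

Run against a real `ex*.log` from the IIS log directory by reading the file in place of `SAMPLE_LOG`; a client appearing in `exposed_clients` after the anonymous-access boxes have been unchecked means the setting did not take effect for that virtual server, or the hits predate the change.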

