COMMAND
MS Exchange
SYSTEMS AFFECTED
WinNT with MSES 5.5
PROBLEM
The following is based on the Microsoft Security Bulletin; the issue
was found by Laurent Frinking. Exchange Server implements features
designed to defeat "mail relaying", a practice in which an
attacker causes an e-mail server to forward mail from the
attacker, as though the server were the sender of the mail.
However, a vulnerability exists in this feature, and could allow
an attacker to circumvent the anti-relaying features in an
Internet-connected Exchange Server. The vulnerability lies in
the way that site-to-site relaying is performed via SMTP.
Encapsulated SMTP addresses could be used to send mail to any
desired e-mail address. The patch eliminates the vulnerability
by making encapsulated SMTP addresses subject to the same
anti-relay protections as non-encapsulated SMTP addresses.
According to Laurent Frinking all versions of MS Exchange may
have (to my humble knowledge) the following bug. Anybody can use
an Exchange server as relay, no matter if they have anti-relay
functions enabled or not. By using encapsulation you can bypass
the anti-relay checking of Exchange: Simply write an email in
the following form: use this as a To:
<IMCEASMTP-user+40destinationdomain+2Ecom@domain-you-wish-to-use-as-relay.com>
Of course the From: must have a valid domainname but that is not
the issue here. The Exchange server will accept the mail because
it was addressed to the correct domain. Then it will decapsulate
the address and send the email to the final recipient:
<user@destinationdomain.com> without checking if it is being
relayed or not!
The special email-address format looks like this:
- It starts with "IMCEASMTP-", telling Exchange that this is an
encapsulated SMTP address.
- +40 represents a "@"
- +2E represents a "."
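A defender-side check for this address format, added here as an example and not taken from the advisory or from Microsoft's patch: it decodes IMCEASMTP addresses and applies the anti-relay rule to the decoded recipient, which is the behaviour the patch introduces. It assumes the general rule that any "+XX" pair encodes the character with hex code XX (the page only gives +40 and +2E), and uses constructed RCPT TO values with example.com as the local domain.

```python
import re

# Outer form described in the advisory: IMCEASMTP-<encoded inner>@<exchange domain>.
# In the encoded part "+XX" is a hex-coded character: the advisory gives +40 for "@"
# and +2E for "."; treating every "+XX" pair as hex is an assumption of this example.
IMCEA_RE = re.compile(r"^IMCEASMTP-(?P<encoded>[^@\s]+)@(?P<host>\S+)$", re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(r"\+([0-9A-Fa-f]{2})")

def decapsulate(address):
    """Return the inner SMTP address hidden in an IMCEASMTP address, or None."""
    m = IMCEA_RE.match(address.strip().strip("<>"))
    if not m:
        return None
    return HEX_ESCAPE_RE.sub(lambda h: chr(int(h.group(1), 16)), m.group("encoded"))

def final_recipient(address):
    """The address mail would really be delivered to, after decapsulation."""
    inner = decapsulate(address)
    return inner if inner is not None else address.strip().strip("<>")

def is_relay_attempt(address, local_domains):
    """Apply the anti-relay rule to the final recipient, which is what the patch
    changed: an encapsulated address whose inner domain is not local is treated
    exactly like a plain external RCPT TO."""
    recipient = final_recipient(address)
    if "@" not in recipient:
        return False  # no routable domain, so no relay decision to make
    domain = recipient.rsplit("@", 1)[1].lower()
    return domain not in {d.lower() for d in local_domains}

# Constructed RCPT TO values, as they might appear in an IMC protocol log.
SAMPLE_RCPT = [
    "<alice@example.com>",
    "<IMCEASMTP-user+40destinationdomain+2Ecom@example.com>",
    "<IMCEASMTP-bob+40example+2Ecom@example.com>",
    "<user@destinationdomain.com>",
]

def flag_relays(rcpt_values, local_domains):
    """Return (outer, final) pairs for every RCPT TO that would relay outward."""
    return [(r, final_recipient(r)) for r in rcpt_values
            if is_relay_attempt(r, local_domains)]

if __name__ == "__main__":
    for outer, final in flag_relays(SAMPLE_RCPT, ["example.com"]):
        print(f"relay attempt: {outer} -> {final}")
```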
SOLUTION
Patch availability:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/imc-fix