-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Authentication Flaw Could Allow Unauthorized Users To
            Authenticate To SMTP Service
Date:       27 February 2002
Software:   Microsoft Windows 2000; Microsoft Exchange Server 5.5
Impact:     Mail Relaying
Max Risk:   Low
Bulletin:   MS02-011

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp.
- ----------------------------------------------------------------------

Issue:
======
An SMTP service installs by default as part of Windows 2000 server
products and as part of the Internet Mail Connector (IMC) for
Microsoft Exchange Server 5.5. (The IMC, also known as the
Microsoft Exchange Internet Mail Service, provides access and
message exchange to and from any system that uses SMTP). A
vulnerability results in both services because of a flaw in the
way they handle a valid response from the NTLM authentication
layer of the underlying operating system. 

By design, the Windows 2000 SMTP service and the
Exchange Server 5.5 IMC, upon receiving notification from
the NTLM authentication layer that a user has been authenticated,
should perform additional checks before granting the user access
to the service. The vulnerability results because the affected
services don't perform this additional checking correctly. In
some cases, this could result in the SMTP service granting access
to a user solely on the basis of their ability to successfully
authenticate to the server. 

An attacker who exploited the vulnerability could gain only
user-level privileges on the SMTP service, thereby enabling the
attacker to use the service but not to administer it. The most
likely purpose in exploiting the vulnerability would be to
perform mail relaying via the server.

Mitigating Factors:
====================
 - Exchange 2000 servers are not affected by the vulnerability
   because they correctly handle the authentication process to the
   SMTP service. 

 - The vulnerability would not enable the attacker to read other
   users' email, nor to send mail as other users. 

 - Best practices recommend disabling unneeded services. If the
   SMTP service has been disabled, the mail relaying vulnerability
   could not be exploited. 

 - The vulnerability would not grant administrative privileges to
   the service, nor would it grant the attacker the ability to run
   programs or operating system commands.

Risk Rating:
============
 - Internet systems: Low
 - Intranet systems: Low
 - Client systems: Low

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-011.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - BindView's RAZOR Team (http://razor.bindview.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPH2VYI0ZSRQxA/UrAQFMsgf/ZoP5yg1R1qEQTDWhSJo07zG8Yg9fhKxt
UEWddDF4x+M8Mr7YQnYX+LMRjh35ptwbixIG/qrmr0AiaxwdrXFI2zI88FhN0WSa
nioVlHom2Q4hOOhK3lf7aLobo5I9qnEs9+ioOUIQtxzsMdl9CbyV8mhNfq8xPLqe
Sq7W26hNtz6IrHAS+AB4ccq8a9xmp5LQOUvAeKCmuMElX4IMjJkLGp0jhUTpHyoF
2RAqvrTriCmM33GMohQ1sR1YAhca5NqsK8p8Cw0iVLNzeIqIpKLhDjGdxHVBKxut
jAQGst+rQTeLhMr0YIXZ6E8QXckSuft+22PKxG0HBcpCm0c5e55dog==
=9GZH
-----END PGP SIGNATURE-----