Date: Thu, 06 Jun 2002 15:18:29 +0100
From: Ken Brown <k.brown@ccs.bbk.ac.uk>
To: bugtraq@securityfocus.com
Subject: Possible problems with patch MS02_025 for Exchange 2000
A Windows 2000/Exchange 2000 server is set to send all mail that it
can't resolve from it's own address books to a "smart hub".
This worked fine till
http://www.microsoft.com/technet/security/bulletin/MS02-025.asp was
installed, then failed.
Mail sent outside our organisation still goes, but mail sent to
addresses in our local domain are rejected. They should be sent to the
hub, because there are other mail users in the domain who do not use
Exchange. It worked until MS02_025 was installed, then failed, then
stared working again when the patch was backed out.
An non-deliverable report (NDR) was returned to the originator with code
5.1.1
According to
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q284204 5.1.1
can mean either "The e-mail account does not exist at the organization
this message was sent to" *or* "Also, if you configured your SMTP
contact with invalid SMTP RFC821 chars, the categorizer will reject the
delivery with this diagnostic code." It seems that the categorizer is
rejecting messages.
MS02-025 says "The patch eliminates the vulnerability by ensuring that
the Exchange 2000 Store immediately rejects messages with malformed
attributes."
On the face of it it seems that Exchange 2000 may now be rejecting valid
messages originating from users at that Exchange server.
It does not say which malformed attributes are being rejected, nor what
message is sent back to the originator of the message, nor what, if any,
notification is made to the administrators of the server. (If it is in
fact the case that the originator gets and NDR but there is no explicit
notification to the admins then that itself is a security flaw if the
message is correctly rejected because it tells the attacker what level
of security is in place but does not alert the defenders)
Ken Brown
Birkbeck College
London University
