Microsoft KB Archive/310669

= MS02-011: An authentication flaw could allow unauthorized users to be authenticated on the SMTP service =

Article ID: 310669

Article Last Modified on 3/29/2007


APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Exchange Server 5.5 Service Pack 1
 * Microsoft Exchange Server 5.5 Service Pack 2
 * Microsoft Exchange Server 5.5 Service Pack 3
 * Microsoft Exchange Server 5.5 Service Pack 4
 * Microsoft Windows NT version 4.0 Option Pack




This article was previously published under Q310669



SYMPTOMS
A vulnerability exists in the Simple Mail Transfer Protocol (SMTP) service that is included with Windows 2000, the Windows NT 4.0 Option Pack, and Exchange Server 5.5.

Note The SMTP service included in the Windows NT 4.0 Option Pack is the same service that is used by Microsoft Commercial Internet Server (MCIS). The MCIS product is no longer supported. Microsoft cannot offer support for issues pursuant to application of this fix to an MCIS installation.

This vulnerability could allow an unauthorized user to consume resources (such as by relaying mail) without authorization. This vulnerability could allow an attacker to disguise the origination point of an e-mail message or to co-opt a server's resources for mass mailings.

This vulnerability does not apply to Exchange Server 5.0 because Exchange Server 5.0 cannot allow or deny relay based on authentication. A workaround for Exchange Server 5.0 is provided in the "Workaround" section of this article.

This vulnerability is subject to the following constraints:
 * The vulnerability does not grant administrative permissions to the service, nor does it grant the attacker the ability to run programs or operating system commands.
 * Mail servers that run Microsoft Exchange 2000 Server are not affected by this vulnerability.

An SMTP service is included with Windows 2000 and is installed by default. Exchange 2000 Server extends the Windows 2000 SMTP service, but the component that performs authentication is different from the base SMTP service in Windows 2000 and is not affected by the vulnerability.



CAUSE
This vulnerability occurs because of an authentication error in the SMTP service that is installed as part of the Windows NT 4.0 Option Pack, the Microsoft Internet Information Services (IIS) in Windows 2000, or the Internet Mail Connector (IMC) in Exchange Server 5.5. An unauthorized user could be authenticated and could then use the server for relaying mail.



RESOLUTION

 * Windows 2000
 * Exchange Server 5.5
 * Windows NT 4.0 Option Pack

Windows 2000
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The following file is available for download from the Microsoft Download Center:

Download Q313450_w2k_sp3_x86_en.exe now

Release Date: February 27, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note This update also corrects the vulnerability that is described in the following Microsoft Knowledge Base article:

313450 MS02-012: A Malformed Data Transfer Request May Cause the Windows SMTP Service to Stop Working

The English version of this hotfix should have the following file attributes or later:

 Date         Time   Version        Size     File name
 05-Feb-2002  11:05  5.0.2195.4624  321,296  Aqueue.dll
 05-Feb-2002  11:05  5.0.2195.4777  333,072  Asp.dll
 05-Feb-2002  11:05  5.0.2195.3649  299,792  Fscfg.dll
 05-Feb-2002  11:05  5.0.2195.4624    8,464  Ftpctrs2.dll
 05-Feb-2002  11:05  5.0.2195.4624    6,416  Ftpmib.dll
 05-Feb-2002  11:05  5.0.2195.4624    9,488  Httpmib.dll
 05-Feb-2002  11:05  5.0.2195.4624   13,584  Infoadmn.dll
 05-Feb-2002  11:05  5.0.2195.4624  246,032  Infocomm.dll
 05-Feb-2002  11:05  5.0.2195.4624   62,736  Isatq.dll
 05-Feb-2002  11:05  5.0.2195.4624   66,832  Mailmsg.dll
 05-Feb-2002  11:05  5.0.2195.4624   38,160  Ntfsdrv.dll
 04-Feb-2002  16:29  5.0.2195.4905  438,544  Smtpsvc.dll
 05-Feb-2002  11:05  5.0.2195.4624    7,440  W3ctrs.dll

Note Because of file dependencies, this update requires Windows 2000 Service Pack 2.

Exchange Server 5.5
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note This update also corrects the problems that are described in the following Microsoft Knowledge Base article:

289258 XGEN: Exchange Server 5.5 Post-Service Pack 4 Internet Mail Service fixes available

The English version of this hotfix should have the following file attributes or later.

For the SMTP service component:

 File name     Version
 Imcmsg.dll    5.5.2655.55
 Msexcimc.exe  5.5.2655.55

Note Because of file dependencies, this hotfix requires Exchange Server 5.5 Service Pack 4.

Windows NT 4.0 Option Pack
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The following file is available for download from the Microsoft Download Center:

Download WindowsNT4OptionPack-KB310669-x86-enu.exe now

Release Date: April 13, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note This update also corrects the vulnerability that is described in the following Microsoft Knowledge Base article:

313450 MS02-012: A malformed data transfer request may cause the Windows SMTP service to stop working

The English version of this hotfix should have the following file attributes or later.

For the SMTP service component:

 File name     Version
 Smtpsvc.dll   5.5.1877.78

Note Because of file dependencies, this hotfix requires Windows NT 4.0 Service Pack 6a.

Note Microsoft also recommends that you install all subsequent critical fixes for Windows NT 4.0 before you apply this SMTP fix.
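
One way to check hosts against the "file attributes or later" tables given above for Windows 2000, Exchange Server 5.5 and the Windows NT 4.0 Option Pack, as an added example (not Microsoft's code): it compares collected file versions with the article's minimum versions field by field as numbers, because comparing version strings as text misorders builds such as 10000 and 4624. The "file name,version" inventory format, the product keys and the sample versions are assumptions constructed for illustration, and only a subset of the Windows 2000 files is listed.

```python
# Added example: audit collected file versions against the hotfix minimums in this article.
# Minimum versions copied from the article's file tables (subset for Windows 2000).
BASELINES = {
    "windows2000": {
        "smtpsvc.dll": "5.0.2195.4905",
        "aqueue.dll": "5.0.2195.4624",
        "mailmsg.dll": "5.0.2195.4624",
        "fscfg.dll": "5.0.2195.3649",
    },
    "exchange55": {"imcmsg.dll": "5.5.2655.55", "msexcimc.exe": "5.5.2655.55"},
    "nt4optionpack": {"smtpsvc.dll": "5.5.1877.78"},
}

def parse_version(text):
    """Turn '5.0.2195.4905' into (5, 0, 2195, 4905) so fields compare as numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four-part version, got {text!r}")
    return parts

def audit(product, inventory_lines):
    """Return {file: status}; status is 'ok', 'below' or 'missing'."""
    found = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments in the inventory
        name, version = line.split(",", 1)
        found[name.strip().lower()] = parse_version(version)
    report = {}
    for name, minimum in BASELINES[product].items():
        if name not in found:
            report[name] = "missing"   # file not collected: verify by hand
        elif found[name] >= parse_version(minimum):
            report[name] = "ok"        # at or later than the hotfix version
        else:
            report[name] = "below"     # older than the hotfix version
    return report

# Constructed sample inventory ("file name,version" per line), not real host data.
SAMPLE = ["Smtpsvc.dll,5.0.2195.2966", "Aqueue.dll,5.0.2195.10000", "Fscfg.dll,5.0.2195.3649"]

if __name__ == "__main__":
    for name, status in audit("windows2000", SAMPLE).items():
        print(f"{name}: {status}")
```

A "missing" result means the file was absent from the collected inventory, not that the host is unaffected.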



Exchange Server 5.0 Workaround
Exchange 5.0 does not have relay filtering capabilities. To turn off mail relay in Exchange 5.0, you must turn on or turn off SMTP globally for all connections, authenticated or unauthenticated.

In Exchange 5.5, new functionality was added to turn on SMTP routing for authenticated connections only. This new capability had the effect of turning on SMTP routing for authenticated users and turning it off for everyone else.

Microsoft recommends that you do not connect an Exchange 5.0 Internet Mail Connector directly to the Internet unless you turn off SMTP routing. If you do not follow this recommendation, it is likely that your Exchange 5.0 Internet Mail Connector server will soon be discovered to be an open relay. This means it may be used by spammers (that is, people who send junk e-mail messages) to send messages. Your SMTP domain may also be added to block lists. This would prevent your domain from communicating with most other mail servers on the Internet.

To turn off SMTP routing, use Exchange Administrator. Double-click the Internet Mail Connection object, click the Routing tab, and then click Do not re-route incoming SMTP mail. This configuration change will not take effect until the Internet Mail Service is restarted.

If you turn off SMTP routing, clients who connect to your Exchange server through the POP3 protocol cannot send e-mail messages except to other users in your own SMTP domain. This includes all Outlook Express clients. Clients who use the MAPI protocol (Outlook users) are not affected.



Windows 2000
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Windows 2000.

Exchange 5.5
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Exchange Server version 5.5.

Windows NT 4.0 Option Pack
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows NT 4.0 Option Pack SMTP service.



For additional information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-011.mspx


© Microsoft Corporation. All rights reserved.