Open Source and information security mailing list archives
 
From: DARREN.L.BENNETT at saic.com (Darren Bennett)
Subject: IIS/Outlook Web Access..

Jason,

	It appears your observations are correct. I have not verified that the
problem occurs with only user accounts (I don't want to continue to
break our server in order to do bug testing for Microsoft).
Additionally, the DOS is obvious.. if it can be exploited to do more is not
(I have no idea). As Dallas said in her response, while upgrading may
seem like a good idea (to exchange 2k+), we too will be using outlook
2003 before upgrading exchange (exchange upgrades in large corporate
environments are a nightmare..)

	-Darren

On Mon, 2003-07-21 at 20:45, Jason wrote:
> This being full disclosure and all...
> 
> I am interested in what exactly Outlook 2003 does that causes IIS so 
> much issue? My gut answers in ( )s.
> 
> Can this be replicated without Outlook 2003? ( probably )
> Can this be done with or without a user account? ( users only )
> Is this only a DOS for servers with OWA running? ( probably )
> Is it just a DOS or a lurking exploitable condition? ( DOS )
> Is it a persistent DOS against IIS and OWA or does a restart resolve it? 
> ( restart )
> Is it reliably reproducible or dependent on an obscure configuration 
> option? ( reliable )
> 
> If you can provide these details then I think the list would be 
> interested. Otherwise you may be better off going to one of the more 
> Exchange / MS focused lists for bug sympathy/help.
> 
> 
> LaRose, Dallas wrote:
> 
> >-----Original Message-----
> >From: Christopher F. Herot [mailto:cherot@...liedmessaging.com] 
> >Maybe you should upgrade from Exchange 5.5 to 2000.  We have had people
> >using Outlook 2003 client and OWA with Exchange 2000 for several months
> >without incident.
> >
> >==========
> >
> >Although I'll recognize that an upgrade to E2K is prudent and may resolve
> >the issue, a problem in a product that is still in use should be recognized
> >and documented.
> >
> >Although my company is interested in upgrading to both Outlook 2003 and
> >Exchange 2K+, the upgrade to Outlook 2003 will likely come first due to
> >complexities in the Exchange upgrade.  I think it's fair to test the
> >combination of Outlook 2003 and Exchange 5.5 OWA, and I'm interested to know
> >the results.
> >
> >Does Microsoft have a Q article that acknowledges the issue?
> >
> >Dallas LaRose
> >Senior Network Engineer
> >S2 Systems, Inc.
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
-- 
-----------------------------------------------
Darren Bennett 
CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I
Sr. Systems Administrator/Manager
Science Applications International Corporation
Advanced Systems Development and Integration
-----------------------------------------------

