lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: My take on the Newly discovered Exchange Fl
	aw

This is Crazy!!!

I have also found that if you leave the administrator password blank someone
will change your web page. Could this be 
related to the new Exchange guest account vulnerability????

-JP

-----Original Message-----
From: Lan Guy [mailto:rlanguy@...mail.com]
Sent: Tuesday, November 18, 2003 3:42 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] My take on the Newly discovered Exchange Flaw


Hi

If someone posted this on the list, I missed it.

Mail server flaw opens Exchange to spam
http://news.com.com/2100-7355_3-5107904.html?tag=nefd_top

Following the article through gets you some company Think Computer who claim
they have found a flaw.
They even wrote a 7 page white paper on the Flaw!
http://www.thinkcomputer.com/corporate/news/spamserver.pdf

I don't know that much about default accounts on Windows NT and Exchange
5.5, but I do know a bit about Windows 2000 AD, and Exchange 2000.

What the author claims is if the guest account on the Server is active then
the account can be used to send email.
Now I am not disputing the logic there. If a guest account is active and it
has been given an Exchange mailbox (GOK) then the account can be used to
send email.

Before continuing here is some important information to consider:
1. When a Server is built as a Domain Controller, the Local Accounts are
deleted and only AD (Active Directory) Accounts can access the server.
The Guest account is automatically disabled.

2. When a Server is built as a Domain Member, the Local Accounts remain.
Those accounts and AD (Active Directory) Accounts can access the server.
When a server is joins the Domain The Local Guest Account is disabled by
default.

3. When Exchange 2000 is installed it does not create mailboxes by default.
The mailboxes have to be created.


Thus for this flaw to work on a Server with Exchange 2000, An Administrator
would have had to have activated the Guest account.

I have never seen such a stupid claim as needing the Guest Account active to
send mail from.

Lan Guy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ