Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A01B2A4BD@is6b>
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: My take on the Newly discovered Exchange Flaw
This is Crazy!!!
I have also found that if you leave the administrator password blank someone
will change your web page. Could this be
related to the new Exchange guest account vulnerability????
-JP
-----Original Message-----
From: Lan Guy [mailto:rlanguy@...mail.com]
Sent: Tuesday, November 18, 2003 3:42 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] My take on the Newly discovered Exchange Flaw
Hi
If someone posted this on the list, I missed it.
Mail server flaw opens Exchange to spam
http://news.com.com/2100-7355_3-5107904.html?tag=nefd_top
Following the article through gets you some company Think Computer who claim
they have found a flaw.
They even wrote a 7 page white paper on the Flaw!
http://www.thinkcomputer.com/corporate/news/spamserver.pdf
I don't know that much about default accounts on Windows NT and Exchange
5.5, but I do know a bit about Windows 2000 AD, and Exchange 2000.
What the author claims is if the guest account on the Server is active then
the account can be used to send email.
Now I am not disputing the logic there. If a guest account is active and it
has been given an Exchange mailbox (GOK) then the account can be used to
send email.
Before continuing here is some important information to consider:
1. When a Server is built as a Domain Controller, the Local Accounts are
deleted and only AD (Active Directory) Accounts can access the server.
The Guest account is automatically disabled.
2. When a Server is built as a Domain Member, the Local Accounts remain.
Those accounts and AD (Active Directory) Accounts can access the server.
When a server joins the Domain, the Local Guest Account is disabled by
default.
3. When Exchange 2000 is installed it does not create mailboxes by default.
The mailboxes have to be created.
Thus for this flaw to work on a Server with Exchange 2000, an Administrator
would have had to have activated the Guest account.
I have never seen such a stupid claim as needing the Guest Account active to
send mail from.
Lan Guy
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
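
The two preconditions named in the quoted message (Guest account active, Guest account given a mailbox) can be audited from a directory export. The following is an added example, not code from either poster or from the white paper. It assumes records shaped like an AD/LDIF export, that the Guest account is identified by its well-known RID 501 (so a renamed Guest is still found), and that a populated homeMDB attribute marks a mailbox-enabled account; the sample records are constructed.

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
GUEST_RID = "501"        # well-known RID of the built-in Guest account

# Constructed sample records (not taken from any real directory).
SAMPLE = [
    {"sAMAccountName": "Guest",      # default state: disabled, no mailbox
     "objectSid": "S-1-5-21-1111-2222-3333-501",
     "userAccountControl": "66082"},
    {"sAMAccountName": "visitor",    # renamed Guest, enabled, mailbox set
     "objectSid": "S-1-5-21-4444-5555-6666-501",
     "userAccountControl": "66080",
     "homeMDB": "CN=Mailbox Store (EXAMPLE),DC=example,DC=test"},
    {"sAMAccountName": "jdoe",       # ordinary user, ignored by the audit
     "objectSid": "S-1-5-21-1111-2222-3333-1104",
     "userAccountControl": "512",
     "homeMDB": "CN=Mailbox Store (EXAMPLE),DC=example,DC=test"},
]

def is_guest(rec):
    """True when the SID is a domain/machine SID ending in RID 501."""
    sid = rec.get("objectSid", "")
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == GUEST_RID

def audit_guest(records):
    """Return (account name, status) for every Guest account found.

    OK      - Guest is disabled (the default described in the post)
    ENABLED - Guest is active but has no mailbox
    EXPOSED - Guest is active and mailbox-enabled (both preconditions met)
    UNKNOWN - export lacks userAccountControl, state cannot be decided
    """
    findings = []
    for rec in records:
        if not is_guest(rec):
            continue
        name = rec.get("sAMAccountName", "?")
        if "userAccountControl" not in rec:
            findings.append((name, "UNKNOWN"))
            continue
        enabled = not (int(rec["userAccountControl"]) & ACCOUNTDISABLE)
        has_mailbox = bool(rec.get("homeMDB"))
        if not enabled:
            findings.append((name, "OK"))
        else:
            findings.append((name, "EXPOSED" if has_mailbox else "ENABLED"))
    return findings

if __name__ == "__main__":
    for name, status in audit_guest(SAMPLE):
        print(f"{name}: {status}")
```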