Message-ID: <C43C67433DD2F541A43E41F80716E09A021D2F47@integrity.gbs.tamu.edu>
From: ajalal at bushschool.tamu.edu (Jalal, Ahmed)
Subject: smtpsvc and undocumented registry values


I came across such a trick in an Exchange book.  Basically you go into IIS
6.0 Metabase Explorer utility and locate the SMTP virtual server you want to
change (\lm\Smtpsvc\1). Then you highlight the "1" folder and click edit,
new, String Record and give it a value of 36907.  After creating that, you
highlight the newly created record, double click on it and enter the new
banner information.  Then restart the SMTP virtual server.

I have never tried it, just read it.


 


-----Original Message-----
From: Thierry Haven [mailto:thierry.haven@...opartners.com] 
Sent: Wednesday, February 23, 2005 11:27 AM
To: Thierry Haven
Cc: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] smtpsvc and undocumented registry values

Hi,
I've been hacking around smtpsvc.dll (Windows Server 2003) in order to hide
the Server version when a mail is relayed:

Original header:
"from [192.168.X.X] ([192.168.X.X]) by winserv2003 with Microsoft
SMTPSVC(6.0.3790.0);	 Wed, 23 Feb 2005 15:47:51 +0100" 


I found that it is possible to remove this information by patching the code
directly in the DLL:

Modified header:
"from [192.168.X.X] ([192.168.X.X]) by winserv2003 with some server;
Wed, 23 Feb 2005 15:49:51 +0100" 

... Assuming that smtpsvc.dll checks its own version at runtime by
retrieving information in the .rsrc section of the PE thanks to version.dll
calls. However I'd like to know if there is a better way to disable this
"feature" (maybe a key in the registry?).


Next I'd like to ask about such undocumented registry values. Where to find
information about them?


Best Regards,

_______________________________________
Thierry Haven - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
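
Added example (not part of the original messages): a Python check that parses a message's Received headers and reports any hop that still discloses a product version in the "with Product(version)" form quoted in the thread. The two sample messages are constructed from the headers shown above; the function and variable names are assumptions of this example.

```python
import re
from email import message_from_string

# Matches "with <product>(<dotted version>)", the form of the original header in the thread.
VERSIONED_WITH = re.compile(
    r"\bwith\s+(?P<product>[^;()]+?)\s*\((?P<version>\d+(?:\.\d+)+)\)", re.I)
BY_HOST = re.compile(r"\bby\s+(?P<host>\S+)", re.I)

def audit_received(raw_message):
    """Return one finding per Received header that discloses a product version."""
    msg = message_from_string(raw_message)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines and tabs
        leak = VERSIONED_WITH.search(flat)
        if leak is None:
            continue
        by = BY_HOST.search(flat)
        findings.append({
            "hop": hop,
            "host": by.group("host") if by else None,
            "product": leak.group("product").strip(),
            "version": leak.group("version"),
        })
    return findings

# Constructed sample messages built around the two headers quoted in the thread.
SAMPLE_BEFORE = (
    "Received: from [192.168.X.X] ([192.168.X.X]) by winserv2003 with Microsoft\n"
    "\tSMTPSVC(6.0.3790.0);\t Wed, 23 Feb 2005 15:47:51 +0100\n"
    "Subject: relay test\n\nbody\n"
)
SAMPLE_AFTER = (
    "Received: from [192.168.X.X] ([192.168.X.X]) by winserv2003 with some server;\n"
    "\tWed, 23 Feb 2005 15:49:51 +0100\n"
    "Subject: relay test\n\nbody\n"
)

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_received(sample))
```
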
