Bugtraq mailing list archives
Exchange Server 5.0 POP3 Security Hole
From: attila_b () HOTMAIL COM (Attila Bartfai)
Date: Mon, 25 Aug 1997 02:29:26 PDT
From the microsoft.public.exchange.clients newsgroup.
Exchange Server 5.0 POP3 Security Hole found. Details at http://rajiv.org/active/
Soon as a solution is found it will be posted there.

Rajiv Pant (Betul) http://rajiv.org
Philadelphia Online http://phillynews.com
The Philadelphia Inquirer and Philadelphia Daily News newspapers

Details from http://rajiv.org/active

1997/Aug/20 Security Alert! MS Exchange Server 5.0 POP3 Service Password Caching Problem.

We found the following problem today and Microsoft has successfully reproduced this bug and confirmed it to us as a possible bug. We will hear a final answer from them tomorrow.

The bug (as an example):

Create a user xyz on your NT domain with an Exchange 5.0 server with POP3 service. Set xyz's password to a1234. Things work fine so far.

Now change xyz's password to b5678. You will find that POP3 mail clients can log in using either password a1234 or b5678 for user xyz.

Now change the password to something else. You will find that a POP3 client (or direct telnet to port 110) will allow you to log in as xyz using any of the three passwords. They all work.

The Exchange 5.0 service POP3 connector caches passwords in a non-hashing mechanism so that all the passwords remain active. (I don't know for how long.) This does not affect the new web page interface to get your mail which uses a different authentication. Nor does it affect NT logons. In non-POP3 logins, the passwords are not cached.

I have successfully reproduced this problem with different NT domain policy settings as well as Exchange 5.0 settings. I have done exhaustive testing of this in different ways with varying settings. When I find a way to patch this, I'll post it here.

Implications:

If an undesired person finds out your mail password, changing it won't help because the POP3 service will continue to accept the old passwords as well as the new ones.

Possible workaround (not tested yet):

Try changing it too many times and reboot the Exchange server hoping it will clear the cache.

Get Your Private, Free Email at http://www.hotmail.com
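
The behaviour reported in the message above, modelled in Python as an added example; it is not part of the original post and is not Exchange's code. The cache-on-successful-login mechanism, the class names and the third password `c9012` are assumptions made for illustration, and the second class shows one way to keep a credential cache from outliving a password change.

```python
import hashlib, hmac, os

class Directory:
    """Stand-in for the NT domain account database (authoritative)."""
    def __init__(self):
        self._pw, self.version = {}, {}
    def set_password(self, user, password):
        self._pw[user] = password
        self.version[user] = self.version.get(user, 0) + 1  # bump on change
    def verify(self, user, password):
        return user in self._pw and hmac.compare_digest(self._pw[user], password)

class StaleCacheAuth:
    """Assumed flaw: every password that ever worked stays cached in clear."""
    def __init__(self, directory):
        self.directory, self.cache = directory, set()
    def login(self, user, password):
        if (user, password) in self.cache:
            return True                      # never re-checked after a change
        ok = self.directory.verify(user, password)
        if ok:
            self.cache.add((user, password))
        return ok

class VersionedCacheAuth:
    """Hardened: one salted hash per user, tied to the password version."""
    def __init__(self, directory):
        self.directory, self.cache = directory, {}
    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    def login(self, user, password):
        entry = self.cache.get(user)
        if entry and entry[0] == self.directory.version.get(user):
            return hmac.compare_digest(entry[2], self._digest(entry[1], password))
        if not self.directory.verify(user, password):  # stale or no entry
            return False
        salt = os.urandom(16)
        self.cache[user] = (self.directory.version[user], salt, self._digest(salt, password))
        return True

def replay(auth_cls, passwords=("a1234", "b5678", "c9012")):  # c9012 is constructed
    """Change xyz's password three times, logging in over 'POP3' after each."""
    directory = Directory()
    auth = auth_cls(directory)
    for pw in passwords:
        directory.set_password("xyz", pw)
        assert auth.login("xyz", pw)
    return {pw: auth.login("xyz", pw) for pw in passwords}
```

`replay(StaleCacheAuth)` reports all three passwords as accepted, matching the report; `replay(VersionedCacheAuth)` accepts only the current one.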