Full Disclosure mailing list archives
RE: My take on the Newly discovered Exchange Flaw
From: "Perrymon, Josh L." <PerrymonJ () bek com>
Date: Tue, 18 Nov 2003 08:28:21 -0600
This is Crazy!!! I have also found that if you leave the administrator password blank someone will change your web page. Could this be related to the new Exchange guest account vulnerability????

-JP

-----Original Message-----
From: Lan Guy [mailto:rlanguy () hotmail com]
Sent: Tuesday, November 18, 2003 3:42 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] My take on the Newly discovered Exchange Flaw

Hi

If someone posted this on the list, I missed it.

Mail server flaw opens Exchange to spam
http://news.com.com/2100-7355_3-5107904.html?tag=nefd_top

Following the article through gets you some company Think Computer who claim they have found a flaw. They even wrote a 7 page white paper on the Flaw!
http://www.thinkcomputer.com/corporate/news/spamserver.pdf

I don't know that much about default accounts on Windows NT and Exchange 5.5, but I do know a bit about Windows 2000 AD, and Exchange 2000.

What the author claims is if the guest account on the Server is active then the account can be used to send email. Now I am not disputing the logic there. If a guest account is active and it has been given an Exchange mailbox (GOK) then the account can be used to send email.

Before continuing here is some important information to consider:

1. When a Server is built as a Domain Controller, the Local Accounts are deleted and only AD (Active Directory) Accounts can access the server. The Guest account is automatically disabled.

2. When a Server is built as a Domain Member, the Local Accounts remain. Those accounts and AD (Active Directory) Accounts can access the server. When a server joins the Domain, the Local Guest Account is disabled by default.

3. When Exchange 2000 is installed it does not create mailboxes by default. The mailboxes have to be created. Thus for this flaw to work on a Server with Exchange 2000, an Administrator would have had to have activated the Guest account.
I have never seen such a stupid claim as needing the Guest Account active to send mail from.

Lan Guy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
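
The two preconditions discussed in the quoted message (a Guest account that is enabled and that has been given a mailbox) can be checked offline against a directory export. The following is an added example, not part of either post: Python code that reads an LDIF export, finds accounts whose SID ends in the well-known Guest RID 501, and reports whether each is enabled and carries a homeMDB value. The sample records, the domain names and the use of homeMDB as the mailbox indicator are assumptions.

```python
import base64
import struct

ACCOUNTDISABLE = 0x0002  # userAccountControl flag: account is disabled
GUEST_RID = 501          # well-known RID of the built-in Guest account

def sid_rid(b64_sid):
    """Return the RID (last sub-authority) of a base64-encoded binary SID."""
    raw = base64.b64decode(b64_sid)  # raw[0] = revision, raw[1] = sub-authority count
    return struct.unpack_from("<I", raw, 8 + 4 * (raw[1] - 1))[0]

def parse_ldif(text):
    """Parse blank-line-separated LDIF records (assumes unfolded lines)."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        # "::" marks a base64 value; strip the marker and the leading space
        records.append({k: v.lstrip(": ") for k, _, v in pairs})
    return records

def guest_findings(text):
    """Return (dn, enabled, has_mailbox); mailbox = homeMDB present (assumption)."""
    findings = []
    for rec in parse_ldif(text):
        if "objectSid" not in rec or sid_rid(rec["objectSid"]) != GUEST_RID:
            continue
        enabled = not (int(rec["userAccountControl"]) & ACCOUNTDISABLE)
        findings.append((rec["dn"], enabled, "homeMDB" in rec))
    return findings

def _sid(*subs):
    """Build a constructed S-1-5-... SID in the binary form LDIF carries."""
    raw = struct.pack(">BB6s", 1, len(subs), b"\x00\x00\x00\x00\x00\x05")
    return base64.b64encode(raw + struct.pack(f"<{len(subs)}I", *subs)).decode()

# Constructed sample export (not real data): a default Guest and a misconfigured one.
SAMPLE = f"""dn: CN=Administrator,CN=Users,DC=a,DC=test
userAccountControl: 512
objectSid:: {_sid(21, 1, 2, 3, 500)}

dn: CN=Guest,CN=Users,DC=a,DC=test
userAccountControl: 66082
objectSid:: {_sid(21, 1, 2, 3, 501)}

dn: CN=Guest,CN=Users,DC=b,DC=test
userAccountControl: 66080
objectSid:: {_sid(21, 4, 5, 6, 501)}
homeMDB: CN=Mailbox Store,DC=b,DC=test
"""
```

Calling guest_findings(SAMPLE) flags only the second Guest record as both enabled and mailbox-enabled, the combination the quoted message says an administrator would have had to create.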