MS Exchange Protocol Vulnerability

[bass () CHELE CAIS COM (Tim Bass)]

It seems that MS Exchange (if configured incorrectly) sends netbios-ns
packet across the Internet to originating SMTP clients during SMTP
sessions.  I've seen this with a server on a very large organization
and have tested others that use MS Exchange and have found many
that are doing the exact same thing.  Here is a tcpdump snapshot
of the session (names changed, of course):

-----------------------------------------

tcpdump: listening on ppp0
17:00:57.361500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:
17:00:57.371500 blackhole.silkroad.com.domain > smtp-server.hugh.org.domain: 241
17:00:57.671500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075:
17:00:57.671500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:
17:00:57.751500 smtp-server.hugh.org.domain > blackhole.silkroad.com.domain:
17:01:00.931500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:
17:01:01.201500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075

Note: Here is the netbio-ns packets (three to port 137 on my end)

17:01:03.181500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.
17:01:04.661500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.
17:01:06.161500 ms-exchange-server.hugh.org.netbios-ns > blackhole.silkroad.com.
17:01:07.671500 ms-exchange-server.hugh.org.smtp > blackhole.silkroad.com.1075:
17:01:07.671500 blackhole.silkroad.com.1075 > ms-exchange-server.hugh.org.smtp:

Session over.

-----------------------------------------

I did not decode the packets, so I can't speak to what the MS Exchange
server is actually doing/requesting/asking, but, on the surface, this
appears to be a potential high-risk vulnerability; especially if the
server is requesting information or services that could be compromised
by setting up a bogus 137 udp service on the client side.

Perhaps we'll run sniffit on this end and see what the three udp packets
are hoping to fine.

Regards,

Insignificant Network Security Person on Vacation
Running TCPDUMP As Background Noise, Goofing Off

: