Exchange Server 5.0 POP3 Security Hole

Attila Bartfai (attila_b@HOTMAIL.COM)
Mon, 25 Aug 1997 02:29:26 -0700 (PDT)

>From the microsoft.public.exchange.clients newsgroup.

>Exchange Server 5.0 POP3 Security Hole found.
>Details at http://rajiv.org/active/
>Soon as a solution is found it will be posted there.
>________________________________________________________________
>Rajiv Pant (Betul) http://rajiv.org
>Philadelphia Online http://phillynews.com
>The Philadelphia Inquirer and Philadelphia Daily News newspapers

Details from http://rajiv.org/active

1997/Aug/20 Security Alert! MS Exchange Server 5.0 POP3 Service Password
Caching Problem. We found the following problem today and Microsoft has
successfully reproduced this bug and confirmed it to us as a possible
bug. We will hear a final answer from them tomorrow. The bug (as an
example): Create a user xyz on your NT domain with an Exchange 5.0
server with POP3 service. Set xyz's password to a1234. Things work fine
so far. Now change xyz's password to b5678. You will find that POP3 mail
clients can log in using either password a1234 or b5678 for user xyz.
Now change the password to something else. You will find that a POP3
client (or direct telnet to port 110) will allow you to log in as xyz
using any of the three passwords. They all work. The Exchange 5.0
service POP3 connector caches passwords in a non-hashing mechanism so
that all the passwords remain active. (I don't know for how long.) This
does not affect the new web page interface to get your mail which uses a
different authentication. Nor does it affect NT logons. In non-POP3
logins, the passwords are not cached. I have successfully reproduced
this problem with different NT domain policy settings as well as
Exchange 5.0 settings. I have done exhaustive testing of this in
different ways with varying settings. When I find a way to patch this,
I'll post it here. Implications: If an undesired person finds out your
mail password, changing it won't help because the POP3 service will
continue to accept the old passwords as well as the new ones. Possible
workaround (not tested yet): Try changing it too many times and reboot
the Exchange server hoping it will clear the cache.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com