News

Default Vulnerability Discovered in W2K SMTP Service

• By Scott Bekker
• 07/06/2001

SMTP is installed by default along with IIS 5.0 on Windows 2000 Server systems. SMTP can be installed on Windows 2000 Professional systems, as well.

Several recent Windows 2000-related exploits have been characterized by scenarios in which an attacker could gain system- or administrative-level access to a compromised system, which effectively handed her complete control of a server. In last night's security bulletin, Microsoft stressed that while the new vulnerability can give attackers user-level privileges on the exploited SMTP service itself, the overall security of a Windows 2000 system is not compromised.

But according to Edward Ko, a network coordinator with the Pennsylvania State University, an attacker who successfully exploits an SMTP-related vulnerability of this kind isn't primarily interested in gaining administrative control over a system.

"If you have user-level [privileges] on the SMTP service, you've got carte blanche to send as much spam as you want," he says. "This is just the thing that spammers or bulk mailers are always looking for.

Microsoft's security bulletin indicates that the new vulnerability is enabled by virtue of a flaw in the SMTP service's authentication process that could allow an unauthorized user to successfully authenticate – even with improper credentials. Microsoft did not disclose how such an attack could be perpetrated.

The software giant also claims that Exchange 5.5 or Exchange 2000 Servers running on Windows 2000 are unaffected by the latest vulnerability. For the record, Microsoft's own security hardening guidelines recommend against installing the SMTP service unless it's required.

As has been the case with quite a few Windows 2000-related security issues, this latest vulnerability affects a software component that is installed by default with the operating system itself. In the past, some IT organizations were placed at risk because they'd deployed Windows 2000 with its default options enabled and consequently weren't aware that vulnerable components or services were running in their environments. But as PSU's Ko points out, IT organizations that unintentionally installed the SMTP service when they accepted Windows 2000's default installation options have actually been at risk all along.

"This is something that a lot of people always missed when they just accepted the default options whenever they configured their servers," Ko says. "If you just check the 'Internet Information Services' box when you're installing Windows 2000, it installs [SMTP] by default. Unfortunately, there are a lot of people out there who just accept the default options, which explains why we have so many open SMTP relays on NT 4.0 and Windows 2000 servers."

As a result, Ko says, the only users who are truly affected by this vulnerability are those who've actually made the effort to secure their SMTP services against relaying in the first place.

Microsoft's security bulletin says that Windows 2000 systems running its SMTP service should be safe if they're located behind a firewall. For his part, a systems administrator with a large telecommunications company believes that it's simply not a good idea to deploy the Microsoft SMTP service on Windows 2000 systems with direct access to the Internet – period.

"If you put it behind a firewall and you use it as an easy way to relay or send messages from inside, then that's probably okay, but you definitely want something more robust for the Internet," the administrator says. Stephen Swoyer

The bulletin can be found here