Hello,
In 2011 a flaw in STARTTLS was discovered allowing command injection: https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=555316&SearchOrder=4 (technical explanation: http://www.postfix.org/CVE-2011-0411.html).
But MS products were, reportedly, not vulnerable.
Today a standard Nessus scan reported that issue on a W2012 running IIS 8; intrigued, I checked by myself, and it does seem vulnerable:
>printf "HELO\r\nSTARTTLS\r\nRSET\r\n" | nc -t -C -v 10.129.36.143 25
Connection to 10.129.36.143 25 port [tcp/smtp] succeeded!
220 hostname.tld Microsoft ESMTP MAIL Service, Version: 8.0.9200.16384 ready at Wed, 19 Nov 2014 20:28:19 +0000
250 hostname.tld Hello [10.128.58.26]
220 2.0.0 SMTP server ready
250 2.0.0 Resetting
You can see the SMTP service replying to the clear-text reset command after completing the STARTTLS.
Then I tried the same thing on a W2012 running Exchange but it is not vulnerable:
>printf "HELO\r\nSTARTTLS\r\nRSET\r\n" | nc -t -C -v 10.0.2.27 25
Connection to 10.0.2.27 25 port [tcp/smtp] succeeded!
220 exchangesrv.tld Microsoft ESMTP MAIL Service ready at Wed, 19 Nov 2014 21:44:44 +0100
250 exchangesrv.tld Hello [10.129.6.66]
220 2.0.0 SMTP server ready
You can see the reset command is not processed.
The only difference between the two hosts is that one is running the IIS 8 SMTP service, the other the Exchange SMTP service.
So my questions are:
- What's happening in the IIS 8 SMTP service?
- Is it really vulnerable to the command injection?
- Is there a patch available (or a workaround) fixing that?
Thanks!
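To illustrate what the Postfix write-up describes and what the two probes above are distinguishing, here is an added toy model (not code from the post or from any Microsoft product) of an SMTP command loop. Both variants share one parser; the vulnerable one keeps the bytes that arrived in the same TCP segment as STARTTLS and executes them after the TLS upgrade, while the fixed one discards the plaintext remainder before handing the connection to TLS. The class, its reply strings and the helper are all constructed for this example.

```python
# Toy SMTP state machine modelling the CVE-2011-0411 buffering flaw.
# "TLS" is only a flag here; the point is which read buffer the commands
# come from, not the actual handshake.

class ToySmtpServer:
    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls  # True = fixed behaviour
        self.buffer = b""
        self.tls = False
        self.log = []  # (tls_active, command, reply) for every command run

    def feed(self, data):
        """Feed one received TCP segment; return the replies it produces."""
        self.buffer += data
        replies = []
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            cmd = line.decode("ascii", "replace").strip().upper()
            reply = self.handle(cmd)
            self.log.append((self.tls, cmd, reply))
            replies.append(reply)
            if cmd == "STARTTLS":
                # A real server performs the TLS handshake here. Whatever is
                # still in self.buffer was sent in plaintext before TLS existed,
                # so it is not authenticated by the TLS session that follows.
                if self.flush_on_starttls:
                    self.buffer = b""  # fixed: never carry plaintext into TLS
                self.tls = True
        return replies

    def handle(self, cmd):
        if cmd.startswith("HELO") or cmd.startswith("EHLO"):
            return "250 hostname.tld Hello"
        if cmd == "STARTTLS":
            return "220 2.0.0 SMTP server ready"
        if cmd == "RSET":
            return "250 2.0.0 Resetting"
        return "500 5.5.1 Command unrecognized"


def injected_after_tls(flush_on_starttls):
    """Commands executed inside the TLS session that the TLS peer never sent."""
    srv = ToySmtpServer(flush_on_starttls)
    # Same three commands in one segment, as in the printf | nc probe above.
    srv.feed(b"HELO\r\nSTARTTLS\r\nRSET\r\n")
    return [cmd for tls_active, cmd, _ in srv.log if tls_active]
```

The vulnerable variant reports RSET as executed after STARTTLS, which is the condition a scanner flags; the fixed variant reports nothing, matching the Exchange output where the reset is never answered.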