search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows SMTP Service fails to properly handle responses from the NTLM authentication layer

Vulnerability Note VU#874115

Original Release Date: 2002-09-27 | Last Revised: 2003-10-09


A flaw in the authentication code of the SMTP service provided with Windows 2000 server and Exchange 5.5 may allow a user access to the SMTP service. This acess could be used to relay mail in violation of the SMTP server's security policy, or consume CPU resources on the SMTP server.


As of October 2003, The CERT/CC has begun seeing reports of exploitation. It is possible that an exploit for this vulnerability exists and is being used. Microsoft Released a patch for this issue in February 2002. It is recommended that USERS of Windows 2000 server and Exchange 5.5 apply the patch provided in MS02-011. In addition to exploiting this vulnerability to cause a denial of service, it is reported that the exploit attempts to guess passwords to common accounts on the system, such as administrator and IUSR_machinename. This highlights the importance of selecting strong passwords. For more information about selecting a strong password, we recommend that users review the following section of the Home Computer Security document:

The vulnearbility is caused due to a problem in the checks performed after a valid NTLM authentication. A remote user that is able to successfully authneticate via NTLM may be able to utilize the SMTP server resources. The attacker would not gain administrative privileges, but could consume CPU resources, or relay mail in violation of the SMTP server's security policy.

The vulnerability is present in SMTP servers shipped with Windows 2000 server, and Exchange 5.5 Internet Mail Connector. It is not present in the SMTP servers shipped with Windows NT 4.0 or Windows XP.


An attacker that is able to authenticate to the SMTP server may be able to relay mail in violation of the SMTP server's security policy, or consume CPU resources on the SMTP server.


Apply a Patch

Microsoft has published patches correcting this vulnerability. The patches are listed in their advisory at:

Vendor Information


Microsoft Corporation Affected

Updated:  September 26, 2002



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Microsoft has published a security bulletin describing this vulnerability at:

CVSS Metrics

Group Score Vector



Thanks to the BindView Razor team for discovering this vulnerability.

This document was written by Cory F. Cohen.

Other Information

CVE IDs: CVE-2002-0054
Severity Metric: 1.27
Date Public: 2002-02-27
Date First Published: 2002-09-27
Date Last Updated: 2003-10-09 21:21 UTC
Document Revision: 12

Sponsored by CISA.