[SECURITY-L] ISS Advisory: Remote Buffer Overflow Vulnerability in Microsoft Exchange Server

Daniela Regina Barbetti Silva daniela em ccuec.unicamp.br
Thu Jul 25 14:29:21 -03 2002


----- Forwarded message from Cristine Hoepers <cristine em nic.br> -----

From: Cristine Hoepers <cristine em nic.br>
Subject: [S] ISS Advisory: Remote Buffer Overflow Vulnerability in Microsoft Exchange Server
To: seguranca em pangeia.com.br
Date: Thu, 25 Jul 2002 09:45:34 -0300
X-Mailer: Mutt 1.0.1i



[http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20759]


Internet Security Systems Security Advisory
July 24, 2002

Remote Buffer Overflow Vulnerability in Microsoft Exchange Server

Synopsis:

Microsoft Exchange Server Internet Mail Connector (IMC) provides SMTP
(Simple Mail Transfer Protocol) functionality. It is possible for remote
attackers to formulate a request to trigger a buffer overflow on a
vulnerable Exchange server. This flaw may allow an attacker to either
crash Exchange and block all inbound and outbound email delivery or
allow an attacker to gain complete control of the server.

Impact:

Microsoft Exchange Server is typically exposed to the Internet in order
to send and receive email. Successful exploitation of this vulnerability
can occur through properly configured firewalls. Microsoft Exchange 5.5
is the most heavily deployed version of Exchange on the Internet.
Microsoft reports that over 100 million Exchange licenses have been sold
(http://www.microsoft.com/presspass/Press/2002/Jan02/01-23MarketLeaderPR.asp).

Affected Versions:

Microsoft Exchange Server version 5.5

Description:

IMC is Microsoft's implementation of SMTP, which is used to facilitate
the majority of email transactions on the Internet. SMTP consists of
several basic operations that email clients and servers use to identify
one another and deliver email. The "EHLO" command is one of these basic
operations. A flaw exists in how the Exchange IMC handles EHLO commands,
which are used to query other servers to obtain a list of supported SMTP
operations. When an EHLO command is executed, the queried server
attempts to identify the client by way of a reverse DNS lookup.

When an email client connects to the SMTP service and issues an EHLO
command, the server formulates the following response to be delivered to
the client:

[email server name] hello [client DNS name]

The [email server name] is the name of the system running the email
server. The [client DNS name] is the name the IMC obtains by performing
a reverse DNS name lookup on the client IP address.

Although DNS names can be up to 255 characters in length, the stack
buffer used to formulate the message is not large enough to accommodate
the entire message. Specifically, a flaw exists in that the buffer is
too small for the email server name, " hello " text, and the client DNS
name. Therefore, with a valid DNS reverse lookup address, an attacker
can trigger the buffer overflow vulnerability. Since a test EHLO command
can be issued to query the email server name, the buffer overflow can be
triggered very reliably. The IMC service runs under the superuser, or
SYSTEM security context. This vulnerability can be exploited by
attackers using their own DNS server and controlling reverse lookup
responses, or by employing DNS spoofing techniques.
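An added illustration of the flaw described above (not ISS's or Microsoft's code; RESP_BUF_SIZE is an assumed size, since the advisory does not disclose the real one, and the hostnames are constructed): the unbounded pattern next to a bounded builder that reports truncation instead of overrunning the stack, plus the sizing check a reviewer would apply given a 255-character worst-case reverse-DNS name.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define RESP_BUF_SIZE 128 /* assumed; the real IMC buffer size is not disclosed */
#define DNS_NAME_MAX  255 /* maximum DNS name length, per the advisory */

/* The pattern the advisory describes is an unbounded write of
   "<server> hello <client>" into a fixed stack buffer, e.g.
   sprintf(buf, "%s hello %s", server_name, client_dns); */

/* Bytes needed for the full greeting, including the terminating NUL. */
size_t ehlo_greeting_len(const char *server_name, const char *client_dns) {
    return strlen(server_name) + strlen(" hello ") + strlen(client_dns) + 1;
}

/* Bounded construction. Returns true if the whole greeting fit in buf;
   false if it was truncated (buf is NUL-terminated either way). */
bool build_ehlo_greeting(char *buf, size_t bufsize,
                         const char *server_name, const char *client_dns) {
    int n = snprintf(buf, bufsize, "%s hello %s", server_name, client_dns);
    return n >= 0 && (size_t)n < bufsize;
}

/* Sizing check: can a buffer of bufsize hold the greeting for a worst-case
   (255-character) reverse-DNS name given this server name? */
bool greeting_fits_worst_case(const char *server_name, size_t bufsize) {
    return strlen(server_name) + strlen(" hello ") + DNS_NAME_MAX + 1 <= bufsize;
}

/* Self-check with a constructed 255-character client name: the bounded
   builder must report the overflow and stop at bufsize - 1 characters. */
bool overflow_is_contained(void) {
    char name[DNS_NAME_MAX + 1];
    char buf[RESP_BUF_SIZE];
    memset(name, 'a', DNS_NAME_MAX);
    name[DNS_NAME_MAX] = '\0';
    bool fit = build_ehlo_greeting(buf, sizeof buf, "mail.example.com", name);
    return !fit && strlen(buf) == RESP_BUF_SIZE - 1;
}

int main(void) {
    printf("worst case fits in %d bytes: %d\n", RESP_BUF_SIZE,
           greeting_fits_worst_case("mail.example.com", RESP_BUF_SIZE));
    printf("overflow contained by bounded builder: %d\n", overflow_is_contained());
    return 0;
}
```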

Recommendations:

ISS X-Force recommends that all affected Exchange customers apply the
workaround supplied in the Microsoft Knowledge Base article Q190026,
available here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q190026

Microsoft has also made the following patch available to correct this
vulnerability:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40666

Note: Microsoft Exchange Server 5.5 Service Pack 4 must be installed in
order to apply this patch.

Detection and assessment support for this vulnerability will be included
in future X-Press Updates for RealSecure Network Sensor 6.x and 7.0 and
Internet Scanner. Internet Scanner X-Press Update 6.15 will include a
check to find vulnerable Exchange servers. XPU 6.15 will be available
soon from the ISS Download Center at: http://www.iss.net/download.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2002-0698 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/MS02-037.asp

Credits:

The vulnerability described in this advisory was discovered and
researched by Nishad Herath of the ISS X-Force.


______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce em iss.net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce em iss.net of Internet Security Systems, Inc.


----- End forwarded message -----