Microsoft Exchange Server Buffer Overflow in Processing SMTP EHLO Command Lets Remote Users Execute Arbitrary Code on the Server with System Level Privileges

SecurityTracker Alert ID: 1004828
CVE Reference: CAN-2002-0698
Date: Jul 25 2002
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.5
Description: A buffer overflow vulnerability was reported in Microsoft Exchange Server. A remote user with access to the SMTP port and with control over a DNS server (or with the ability to spoof DNS) can cause arbitrary code to be executed on the system.

Microsoft reported that the Internet Mail Connector (IMC) of Microsoft Exchange Server contains a flaw in creating responses to extended Hello (EHLO) protocol commands received from a remote SMTP server. This component is reportedly also referred to as the Exchange Server Internet Mail Service.

If the length of a reply message exceeds a particular value, the overflow is triggered. According to the report, the reply message adheres to the following format:

250-<Exchange server ID>Hello<Connecting server ID>

In the above format, <Exchange server ID> is the fully-qualified domain name (FQDN) of the Exchange server and <Connecting server ID> is either the FQDN or the IP address of the server that initiated the connection.

A remote user with control over a DNS server (or with the ability to spoof DNS) could cause a specially crafted value to be returned in response to the Exchange Server's reverse DNS lookup. The length of the IMC's own FQDN plus that of the remote server's FQDN must exceed a particular value for the attack to be successful. This could cause the IMC to crash or cause arbitrary code to be executed by the system. Arbitrary code would run with the privileges of the IMC (System-level privileges).

According to Microsoft, Exchange 2000 and the SMTP service that ships in Windows 2000 are not affected.

Microsoft credits Dan Ingevaldson of Internet Security Systems for reporting this issue.
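As an added illustration (not Microsoft's code and not part of the advisory), the C below assembles the EHLO reply line the description gives with the bound check a hardened IMC needs: the reverse-DNS result is treated as untrusted input and the reply is refused when the two names would not fit. It assumes the RFC 2821 spacing "250-<server> Hello <client>", an assumed 256-byte reply buffer, and constructed host names.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DNS_NAME 253   /* longest legal DNS name, RFC 1035 */

/* Assemble the EHLO reply line the advisory describes,
 *     250-<Exchange server ID> Hello <Connecting server ID>
 * The flawed IMC composed it into a fixed buffer without checking that both
 * names fit.  This hardened builder bounds each name to a legal DNS length
 * and refuses any reply that would not fit in 'out'.  Returns the reply
 * length, or -1 on rejection (leaving 'out' empty). */
int build_ehlo_reply(char *out, size_t outsz,
                     const char *server_fqdn, const char *client_id)
{
    size_t slen = strlen(server_fqdn), clen = strlen(client_id);
    /* "250-" + server + " Hello " + client + "\r\n" + terminating NUL */
    size_t need = 4 + slen + 7 + clen + 2 + 1;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    /* The reverse-DNS answer is attacker-influenced: bound it before use. */
    if (slen == 0 || slen > MAX_DNS_NAME || clen == 0 || clen > MAX_DNS_NAME)
        return -1;
    if (need > outsz)        /* the check the flawed code lacked */
        return -1;
    return snprintf(out, outsz, "250-%s Hello %s\r\n", server_fqdn, client_id);
}

/* Self-check with a constructed short lookup result; 1 if the line is right. */
int short_reply_ok(void)
{
    char out[128];
    int n = build_ehlo_reply(out, sizeof out, "mail.example.test", "[192.0.2.10]");
    return n == 42 && strcmp(out, "250-mail.example.test Hello [192.0.2.10]\r\n") == 0;
}

/* Feed a constructed connecting-server name of 'client_len' bytes into an
 * assumed 256-byte reply buffer and return the builder's verdict. */
int try_client_name_len(size_t client_len)
{
    char name[1024], out[256];
    if (client_len >= sizeof name)
        return -1;
    memset(name, 'a', client_len);
    name[client_len] = '\0';
    return build_ehlo_reply(out, sizeof out, "mail.example.test", name);
}
```

A 200-byte name is still a legal DNS name and fits the buffer, while a 230-byte one is legal DNS but is refused because the combined line would overrun the buffer, which is exactly the condition the advisory describes.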
Impact: A remote user could, in certain situations described in the 'description' section, cause arbitrary code to be run on the system with System-level privileges. A remote user could also cause the service to crash, requiring a service restart to return to normal operations.

Solution: Microsoft has released a patch (Microsoft Exchange 5.5 Service Pack 4), available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40666

This patch can reportedly be installed on systems running Microsoft Exchange 5.5 SP4.

Microsoft plans to issue Knowledge Base article Q326322 regarding this issue, to be available shortly on the Microsoft Online Support web site:
http://search.support.microsoft.com/kb/c.asp?SD=SO&LN=EN-US

Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-037.asp

Cause: Boundary error

Underlying OS: Windows (NT), Windows (2000), Windows (XP)

Message History:
None.

Source Message Contents

Date: Wed, 24 Jul 2002 21:06:20 -0400
Subject: MS02-037 Microsoft Exchange Server

http://www.microsoft.com/technet/security/bulletin/MS02-037.asp
MS02-037
Port: 25
Microsoft Exchange Server 5.5
Microsoft Exchange Server Buffer Overflow in Processing SMTP EHLO
Command Lets Remote Users Execute Arbitrary Code on the Server with
System Level Privileges
A buffer overflow vulnerability was reported in Microsoft Exchange
Server. A remote user with access to the SMTP port and with control
over a DNS server (or with the ability to spoof DNS) can cause arbitrary
code to be executed on the system.
Microsoft reported that the Internet Mail Connector (IMC) of Microsoft
Exchange Server contains a flaw in creating responses to extended Hello
(EHLO) protocol commands received from a remote SMTP server. This
component is reportedly also referred to as the Exchange Server Internet
Mail Service.
If the length of a reply message exceeds a particular value, the
overflow is triggered. According to the report, the reply message
adheres to the following format:
250-<Exchange server ID>Hello<Connecting server ID>
In the above format, <Exchange server ID> is the fully-qualified domain
name (FQDN) of the Exchange server and <Connecting server ID> is either
the FQDN or the IP address of the server that initiated the connection.
A remote user with control over a DNS server (or with the ability to
spoof DNS) could cause a specially crafted value to be returned in
response to the Exchange Server's reverse DNS lookup. The length of the
IMC's own FQDN plus that of the remote server's FQDN must exceed a
particular value for the attack to be successful. This could cause the
IMC to crash or cause arbitrary code to be executed by the system.
Arbitrary code would run with the privileges of the IMC (System-level
privileges).
According to Microsoft, Exchange 2000 and the SMTP service that ships in
Windows 2000 are not affected.
Microsoft credits Dan Ingevaldson of Internet Security Systems for
reporting this issue.
A remote user could, in certain situations described in the
'description' section, cause arbitrary code to be run on the system with
System-level privileges.
Severity: Moderate, Internet and Intranet Servers
Solution:
Microsoft has released a patch (Microsoft Exchange 5.5 Service Pack 4),
available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40666
This patch can reportedly be installed on systems running Microsoft
Exchange 5.5 SP4.
Microsoft plans to issue Knowledge Base article Q326322 regarding this
issue, to be available shortly on the Microsoft Online Support web site:
http://search.support.microsoft.com/kb/c.asp?SD=SO&LN=EN-US
CVE Number: CAN-2002-0698