----------------------------------------------------------------------
Title:      Server Response To SMTP Client EHLO Command Results In
            Buffer Overrun (Q326322)
Date:       24 July 2002
Software:   Microsoft Exchange 5.5
Impact:     Ability to run arbitrary code
Max Risk:   Medium
Bulletin:   MS02-037

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-037.asp.
----------------------------------------------------------------------

Issue:
======
Technical description: 

The Internet Mail Connector (IMC) enables Microsoft Exchange Server
to communicate with other mail servers via SMTP. When the IMC
receives an SMTP extended Hello (EHLO) protocol command from a
connecting SMTP server, it responds by sending a status reply that
starts with the following:
250-<Exchange server ID> Hello <Connecting server ID>

Where:
 - <Exchange server ID> is the fully-qualified domain name (FQDN) of
   the Exchange server.
 - <Connecting server ID> is either the FQDN or the IP address of
   the server that initiated the connection.

The FQDN would be used if the Exchange 5.5 IMC is able to resolve
this information through a reverse DNS lookup; the IP address
would be used if a reverse DNS lookup was not possible or failed
to resolve the connecting server's IP address.

A security vulnerability results because of an unchecked buffer
in the IMC code that generates the response to the EHLO protocol
command. If the total length of the message exceeds a particular
value, the data would overrun the buffer. If the buffer were
overrun with random data, it would result in the failure of the
IMC. If, however, the buffer were overrun with carefully chosen
data, it could be possible for the attacker to run code in the
security context of the IMC, which runs as the Exchange 5.5
Service Account.

It is important to note that the attacker could not simply send
data to the IMC in order to overrun the buffer. Instead, the
attacker would need to create a set of conditions that would
cause the IMC to overrun its own buffer when it generated the
EHLO response. Specifically, the attacker would need to ensure
that a reverse DNS lookup would not only succeed, but would
provide an FQDN whose length was sufficient to result in the
buffer overrun.
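As an added illustration (this is not Microsoft's code and not the IMC's
actual implementation), the following C function builds the EHLO reply
line described above with every write bounded, falling back to the
connecting server's IP address when the reverse-DNS name would not fit.
The buffer size, host names and IP address are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Build "250-<Exchange server ID> Hello <Connecting server ID>" into out.
 * Unlike the unchecked IMC buffer described in the bulletin, every write is
 * bounded: a reverse-DNS name that would not fit is discarded and the peer's
 * IP address is used instead, the same fallback the IMC used when the lookup
 * failed. Returns the reply length, or -1 if even the IP form cannot fit. */
int build_ehlo_reply(char *out, size_t outsize, const char *local_fqdn,
                     const char *peer_fqdn,  /* NULL when reverse DNS failed */
                     const char *peer_ip)
{
    int n;

    if (peer_fqdn != NULL) {
        /* snprintf returns the length it wanted; >= outsize means truncated. */
        n = snprintf(out, outsize, "250-%s Hello %s", local_fqdn, peer_fqdn);
        if (n >= 0 && (size_t)n < outsize)
            return n;
        /* Name supplied by an untrusted DNS answer is too long: fall back. */
    }
    n = snprintf(out, outsize, "250-%s Hello %s", local_fqdn, peer_ip);
    if (n < 0 || (size_t)n >= outsize) {
        if (outsize > 0)
            out[0] = '\0';
        return -1;  /* caller should drop the session rather than reply */
    }
    return n;
}

int main(void)
{
    char reply[128];      /* assumed reply buffer size for this example */
    char long_name[300];  /* constructed: a 299-character PTR answer */

    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    /* Constructed sample peers: a normal host, then the oversized name. */
    if (build_ehlo_reply(reply, sizeof reply, "mail.example.com",
                         "relay.example.net", "192.0.2.10") > 0)
        puts(reply);
    if (build_ehlo_reply(reply, sizeof reply, "mail.example.com",
                         long_name, "192.0.2.10") > 0)
        puts(reply);   /* falls back to the IP address form */
    return 0;
}
```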

Mitigating Factors:
==================== 

 - Creating an environment in which the IMC's reverse DNS lookup
   would not only succeed but also result in the buffer being
   overrun would be difficult. The attacker could set up a rogue
   DNS server and manually populate the bogus FQDN information
   on it, but this would require that the attacker have some
   means of forcing the IMC to consult the rogue DNS server when
   performing the reverse DNS lookup.

 - The IMC can be disabled for cases where SMTP support is not
   needed. If this has been done, the vulnerability could not be
   exploited. 

 - Customers can disable Reverse DNS lookup on EHLO by setting a
   registry key as defined in Q190026. The vulnerability could
   not be exploited on a system configured in such a way. 

 - If the buffer overrun caused the IMC to fail, normal service
   could be restored by restarting the Exchange 5.5 IMC service.


Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems:   None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-037.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks Dan Ingevaldson of Internet Security Systems
   (http://www.iss.net) for reporting this issue to us and working
   with us to protect customers.
----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

