[NT] Malformed Data Transfer Request Causes Windows SMTP Service to Fail

From: support@securiteam.com
Date: 02/28/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 28 Feb 2002 09:26:14 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Malformed Data Transfer Request Causes Windows SMTP Service to Fail
------------------------------------------------------------------------

SUMMARY

An SMTP service installs by default as part of Windows 2000 server
products. Exchange 2000, which can only be installed on Windows 2000, uses
the native Windows 2000 SMTP service rather than providing its own. In
addition, Windows 2000 and Windows XP workstation products provide an SMTP
service that is not installed by default. All of these implementations
contain a flaw that could enable denial of service attacks to be mounted
against the service.

The flaw involves how the service handles a particular type of SMTP
command used to transfer the data that constitutes an incoming mail. By
sending a malformed version of this command, an attacker could cause the
SMTP service to fail. This would have the effect of disrupting mail
services on the affected system, but would not cause the operating system
itself to fail.

DETAILS

Affected software:
 * Microsoft Windows 2000
 * Microsoft Windows XP Professional
 * Microsoft Exchange 2000

Mitigating factors:
 * Windows XP Home Edition does not provide an SMTP service, and is not
affected by the vulnerability.
 * Windows 2000 Professional and Windows XP Professional do provide an
SMTP service, but it is not installed by default.
 * Windows 2000 server products do install the SMTP service by default.
However, best practices recommend disabling any unneeded services, and
systems on which the SMTP service had been disabled would not be at risk.
 * Exchange 5.5, even if installed on a Windows 2000 server, is not
affected by the vulnerability.
 * The result of an attack would be limited to disrupting the SMTP service
and, depending on the system configuration, potentially IIS and other
internet services as well. However, it would not disrupt any other system
functions.
 * The vulnerability would not enable an attacker to gain any privileges
on the affected system or to access users' email or data.

Patch availability:
Download locations for this patch:
 * Windows 2000 Server, Professional and Advanced Server:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36556
 * Windows XP Professional:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36636

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a specially
malformed request to an affected system, an attacker could temporarily
prevent it from providing mail services. The vulnerability would not
enable the attacker to gain any privileges on the system, nor to read,
send or delete any user's mail on the system.

What causes the vulnerability?
There is a flaw in how the SMTP service in Windows 2000 and Windows XP
handles a particular type of data transfer command. Upon receiving a
malformed version of this command, the service would fail, with the
temporary loss of mail services.

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery
of mail via the Internet, defined in RFCs 2821 and 2822. The protocol
defines the format of mail messages, the fields in them and their
contents, and the handling procedures for mails. An SMTP service is
provided with Windows 2000 Server, Advanced Server, and Datacenter Server,
and installs by default. The service is also provided in Windows 2000
Professional and Windows XP Professional, but does not install by default
in either.

What's the relationship between the SMTP service and Exchange?
Different versions of Exchange have different relationships with the
native SMTP service. Exchange 2000 (which can only be installed on Windows
2000), uses the native Windows 2000 SMTP service. In contrast, Exchange
5.5 provides its own SMTP service, regardless of what operating system it
installs on.

What's wrong with the SMTP service in Windows 2000?
The SMTP service in Windows 2000 does not correctly handle a particular
type of command that's used to transfer the data comprising an incoming
mail. Upon receiving such a command, the service would fail.

What would this enable the attacker to do?
An attacker could use this vulnerability to disrupt the operation of mail
services on an affected server.

How could an attacker exploit this vulnerability?
The attacker would need to establish a connection with the server and send
data that purports to be an incoming mail for a user on the server. If the
attacker included the command at issue here within that data, the SMTP
service on the system would fail. The administrator could restore normal
operation by restarting the SMTP service.

Could the attacker use this vulnerability to gain any privileges on the
system, or to read users' mail?
No. The vulnerability only enables an attacker to cause the service to
fail. There's no opportunity here to gain privileges or compromise data on
the server.

The SMTP service is running on my server because I left it at the
defaults. However, the server is not a mail server. What could an attacker
do to my system?
The SMTP service runs as part of Inetinfo.exe, which provides a number of
Internet-related services, including web hosting via IIS. If the SMTP
service failed due to an attack, all of these services would likewise
fail. However, they would automatically restart, and the attack would have
no other effect on the system.
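
The failure pattern described above (the SMTP service going down together with the other services in Inetinfo.exe, then restarting) can be looked for in exported System event log records. This is an added example, not part of the original bulletin; the event IDs 7031/7034, the service display names, the pipe-separated export format and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumptions (not from the bulletin): service display names and SCM crash event IDs.
SMTP = "Simple Mail Transfer Protocol (SMTP)"
INETINFO = {SMTP, "IIS Admin Service", "World Wide Web Publishing Service"}
CRASH_IDS = {"7031", "7034"}
CRASH_MSG = re.compile(r"^The (.+) service terminated unexpectedly")

# Constructed sample export: timestamp|source|event ID|message
SAMPLE_EVENTS = """\
2002-03-01 09:00:05|Service Control Manager|7031|The Print Spooler service terminated unexpectedly.
2002-03-01 10:02:11|Service Control Manager|7031|The IIS Admin Service service terminated unexpectedly.
2002-03-01 10:02:11|Service Control Manager|7031|The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly.
2002-03-01 10:02:12|Service Control Manager|7031|The World Wide Web Publishing Service service terminated unexpectedly.
2002-03-01 10:03:00|Service Control Manager|7035|The IIS Admin Service service was successfully sent a start control.
2002-03-01 10:04:40|Service Control Manager|7031|The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly.
2002-03-01 10:04:40|Service Control Manager|7031|The IIS Admin Service service terminated unexpectedly.
2002-03-01 10:07:02|Service Control Manager|7031|The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly.
2002-03-01 10:07:03|Service Control Manager|7031|The World Wide Web Publishing Service service terminated unexpectedly.
"""

def parse_crashes(text):
    """Yield (timestamp, service name) for each unexpected-termination record."""
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or parts[1] != "Service Control Manager":
            continue
        match = CRASH_MSG.match(parts[3])
        if parts[2] in CRASH_IDS and match:
            yield datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"), match.group(1)

def inetinfo_incidents(text, window=timedelta(seconds=5)):
    """Group Inetinfo-hosted crashes that occur together; keep groups that include SMTP."""
    incidents = []
    for ts, svc in sorted(c for c in parse_crashes(text) if c[1] in INETINFO):
        if incidents and ts - incidents[-1]["end"] <= window:
            incidents[-1]["services"].add(svc)
            incidents[-1]["end"] = ts
        else:
            incidents.append({"start": ts, "end": ts, "services": {svc}})
    return [i for i in incidents if SMTP in i["services"]]

def crash_loop(incidents, threshold=3, within=timedelta(minutes=10)):
    """True when `threshold` incidents start inside `within` (repeated crash and restart)."""
    starts = [i["start"] for i in incidents]
    return any(starts[k + threshold - 1] - starts[k] <= within
               for k in range(len(starts) - threshold + 1))
```

A single grouped incident can be an ordinary fault; repeated incidents in a short window on an unpatched server are the signal worth an alert and a check of inbound SMTP connections at those times.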

Does this vulnerability affect Windows XP systems?
Windows XP Professional includes an SMTP service, but it does not install
by default. Unless it had been installed, the system would be at no risk.
Windows XP Home Edition does not include an SMTP service, and such systems
are therefore not at risk under any conditions.

Does this affect all Windows 2000 systems?
The SMTP service runs by default in all Windows 2000 server products.
However, Microsoft always recommends reviewing the list of services and
disabling any of those that are not needed. If the SMTP service had been
disabled, the system would not be at risk.

On the other hand, the SMTP service does not install by default on Windows
2000 Professional. Unless it had been installed, the system would be at no
risk.

Does the vulnerability affect the SMTP service in Windows NT 4.0?
No.

Does the vulnerability affect the SMTP service in Exchange Server 5.5?
No. Exchange 5.5, even if installed on Windows 2000, uses its own SMTP
service, which is not affected by the vulnerability.

So, if I'm running Exchange 5.5 on Windows 2000, do I need to install the
patch?
No.

Why isn't there a patch for Exchange 2000?
Exchange 2000 does not have its own SMTP service - instead, it uses the
Windows 2000 SMTP service (and Windows 2000 is the only system Exchange
2000 can be installed on). The Windows 2000 patch eliminates the
vulnerability on all Windows 2000 systems, even ones that have Exchange
2000 installed as well.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the Windows 2000
SMTP service properly responds to erroneous client protocol commands. In
this way, an attacker who sent the malformed request could not cause the
SMTP service to fail.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security
<secnotif@MICROSOFT.COM>.
