[NT] Malformed Mail Attribute Causes Exchange 2000 to Exhaust CPU Resources

From: support@securiteam.com
Date: 05/29/02

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Malformed Mail Attribute Causes Exchange 2000 to Exhaust CPU Resources
------------------------------------------------------------------------

SUMMARY

To support the exchange of mail with heterogeneous systems, Exchange
messages use the attributes of SMTP mail messages that are specified by
RFCs 821 and 822. There is a flaw in the way Exchange 2000 handles
certain malformed RFC message attributes on received mail. Upon receiving
a message containing such a malformation, the flaw causes the Store
service to consume 100% of the available CPU in processing the message.

A security vulnerability results because it is possible for an attacker to
seek to exploit this flaw and mount a denial of service attack. An
attacker could attempt to levy an attack by connecting directly to the
Exchange server and passing a raw, handcrafted mail message with an
especially malformed attribute. When the message was received and
processed by the Store service, the CPU would spike to 100%. The effects
of the attack would last as long as it took the Exchange Store service to
process the message. Neither restarting the service nor rebooting the
server would remedy the denial of service.

DETAILS

Affected Software:
 * Microsoft Exchange 2000

Mitigating factors:
 * The effect of an attack via this vulnerability would be temporary. Once
the server completed processing the message, normal operations would
resume. However, it is not possible to halt the processing of the message
once begun, even with a reboot.
 * The vulnerability does not provide any capability to compromise data on
the server or gain administrative control over it.
 * Mounting a successful attack requires the ability to pass a handcrafted
message to the target system, most likely through a simulated server-based
connection. It is not possible to construct a malformed message using an
email client such as Outlook or Outlook Express.

Patch availability:
Download locations for this patch
 * Microsoft Exchange 2000:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38951

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who was able to
successfully make direct connection to an Exchange 2000 Server and pass
raw, handcrafted mail messages directly to it could seek to exploit this
vulnerability and cause the system to become unresponsive.

The vulnerability would not enable the attacker to gain any privileges on
the system, nor to read, send or delete any user's mail on the system.
Once the message had been processed, the system would return to normal.

What causes the vulnerability?
The vulnerability results from a flaw in how Exchange 2000 handles mail
messages with certain malformed message attributes. Instead of rejecting
the malformed messages immediately, the Exchange 2000 Store Service
attempts to process the message. In attempting to process the message, the
Exchange 2000 Store Service utilizes all available CPU, and prevents any
other services on the server from functioning during this period.

What is the Exchange 2000 Store Service?
The Store is one of the core services in Exchange 2000. It provides
storage for the information contained in mailboxes and public folders in
Exchange 2000.

To this end, it also provides message-handling capabilities, to deliver
messages to and from mailboxes and public folders.

What are Mail Attributes?
An email message is comprised of several standard elements. For example,
each message has a "recipient" in the "to" line, a subject or title in the
"subject" line, and a message body. These elements are commonly referred
to as attributes.

Since Exchange mail messages can be sent to other, non-Exchange systems,
Exchange uses standardized mail attributes to describe these elements. In
using these standardized attributes, it is possible for non-Exchange
systems to correctly recognize and handle Exchange messages. For example,
by using a standardized "to" attribute, Exchange and non-Exchange systems
can recognize a message recipient, and handle that information
appropriately.

RFC 822 talks about these standardized mail attributes.

What's wrong with how Mail Attributes are handled in Exchange 2000?
When Exchange 2000 receives a mail message with an attribute that has been
malformed in a particular way, it attempts to process the message, rather
than rejecting it immediately. As the Store service attempts to process
the message, it utilizes 100% of the system's CPU. In so doing, it creates
a denial of service condition, because no other processing can occur on
the system until the Store has successfully processed the message.

What would this vulnerability enable the attacker to do?
An attacker could seek to exploit this vulnerability to intentionally
prevent an Exchange server from providing mail services, or any other
service it might provide.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by establishing a
direct connection to the server and then passing a raw, handcrafted mail
message with an especially malformed attribute.

What do you mean when you say that the attacker would need to establish a
direct connection to the server?
When mail is transferred, the sending server connects directly to the
receiving server. Once the servers are connected, mail is passed from the
sender to the receiver directly. To exploit this vulnerability, an
attacker would have to make a similar direct connection to the target
server. Once directly connected, the attacker could pass the malformed
message.

What do you mean when you say that the attacker would need to use a raw,
hand-crafted message to exploit this vulnerability?
In addition to the message attributes that a user can specify, such as
"subject", there are other attributes that are controlled by the server.
The flaw affects how one of these server-controlled attributes is handled.
Because of this, it is not possible for an attacker to use a standard mail
client such as Outlook or Outlook Express to construct the malicious
message. Instead, the attacker would need to be able to completely
handcraft a raw mail message and then pass that message through a direct
connection to the server.

How long would an attack last?
Because of the specifics of the underlying flaw, the effects of an attack
would last until the message had been fully and completely processed by
the system. The specific length of time this would require would vary,
depending on the particular message that was passed to the server.

Can I stop and restart the Store service to resume normal processing?
No. In this particular case, once the message has been accepted by the
Store service, and processing on it has begun, normal service would not
resume until the message had been completely processed by the system.

This is because the Store function that processes messages takes
sequential priority over other Store operations. Because of this, the
Store immediately begins to process the message after a restart. Because
the processing of the message commands 100% of CPU, it is impossible for
other Store functions that could normally be used to clear the message to
be invoked. The net result of this is that once the processing begins on
the malformed message, there is no way to abort that processing. The store
must process the malformed message normally.

Can I reboot the server to resume the mail service?
No. Rebooting in this case would have the same effect as stopping and
restarting the service. As in that case, the Store would immediately
resume processing the malformed message as soon as it started.

Is it possible to create a message that exploits this vulnerability by
accident?
No. The particulars of this issue are such that a message that exploits
this vulnerability would have to be specially constructed with malicious
intent.

Could the attacker use this vulnerability to gain any privileges on the
system, or to read users' mail?
No. The vulnerability only enables an attacker to cause the server's CPU to
spike to 100%. There is no opportunity here to gain privileges or
compromise data on the server.

Does the vulnerability affect Exchange Server 5.5?
No. Exchange 5.5 is not affected by the vulnerability.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the Exchange 2000
Store immediately rejects messages with malformed attributes.
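As an added illustration (not part of the advisory, and not Microsoft's patch), the following strict RFC 822 header-section parser shows the fail-closed behaviour the patch restores: a message whose mail attributes do not follow the field syntax is rejected before any processing starts. The advisory does not disclose which attribute Exchange mishandled, so this parser only enforces the general header grammar; the sample messages are constructed.

```python
import re

# RFC 822 field-name: one or more printable US-ASCII characters (0x21-0x7E)
# excluding ':'. The header section is CRLF-delimited and ends at the first
# empty line; folded continuation lines start with SPACE or HTAB.
FIELD = re.compile(r'^([\x21-\x39\x3b-\x7e]+):(.*)$')


class MalformedHeader(ValueError):
    """Raised on the first defect so the caller can reject the message early."""


def parse_headers(raw, max_line=998, max_fields=200):
    """Parse the header section of a raw message into (name, value) pairs.

    Fails closed: any syntax defect, oversized line, or missing terminator
    raises MalformedHeader instead of handing the message on for processing.
    """
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        raise MalformedHeader('non-ASCII byte in header section')
    fields = []
    for line in text.split('\r\n'):
        if line == '':
            break  # empty line terminates the header section
        if len(line) > max_line:
            raise MalformedHeader('header line exceeds %d octets' % max_line)
        if line[0] in ' \t':  # folded continuation of the previous field
            if not fields:
                raise MalformedHeader('continuation line before any field')
            name, value = fields[-1]
            fields[-1] = (name, value + ' ' + line.strip())
            continue
        m = FIELD.match(line)
        if not m:
            raise MalformedHeader('invalid field syntax: %r' % line[:40])
        fields.append((m.group(1), m.group(2).strip()))
        if len(fields) > max_fields:
            raise MalformedHeader('too many header fields')
    else:
        raise MalformedHeader('header section not terminated by empty line')
    return fields


def is_acceptable(raw):
    """True if the message may be queued for processing, False if rejected."""
    try:
        parse_headers(raw)
        return True
    except MalformedHeader:
        return False


# Constructed samples: a well-formed message with a folded Subject, and one
# whose Subject field lacks the mandatory ':' separator.
GOOD = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
        b"Subject: status\r\n report\r\n\r\nbody\r\n")
BAD = b"From: alice@example.test\r\nSubject status\r\n\r\nbody\r\n"
```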

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
