[NT] Vulnerability in Exchange Server Allows Remote Code Execution (MS05-021)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/13/05

    To: list@securiteam.com
    Date: 13 Apr 2005 11:55:56 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in Exchange Server Allows Remote Code Execution (MS05-021)
    ------------------------------------------------------------------------

    SUMMARY

    A remote code execution vulnerability exists in Microsoft Exchange Server
    that could allow an attacker to connect to the SMTP port on an Exchange
    server and issue a specially crafted command, resulting in a denial of
    service or allowing the attacker to run malicious programs of their choice
    in the security context of the SMTP service.

    DETAILS

    Affected Software:
     * Microsoft Exchange 2000 Server Service Pack 3 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66> Download the update

     * Microsoft Exchange Server 2003 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267> Download the update

     * Microsoft Exchange Server 2003 Service Pack 1 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC> Download the update

    Non-Affected Software:
     * Microsoft Exchange Server 5.5 Service Pack 4
     * Microsoft Exchange Server 5.0 Service Pack 2

    CVE Information:
    Exchange Server Vulnerability -
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0560>
    CAN-2005-0560

    Mitigating Factors for Exchange Server Vulnerability - CAN-2005-0560:
    Exchange Server 2003 will not process commands of this type that originate
    from unauthenticated users. The level of authentication required to
    exploit this vulnerability is typically only granted to other Exchange
    Servers within the same organization.

    Microsoft ISA Server 2000, or third-party products that relay and filter
    SMTP traffic before forwarding it to Exchange, could be used to prevent an
    attack over the Internet. Detailed instructions on how to help protect
    against an attack using ISA Server can be found at the
    <http://www.microsoft.com/isaserver/support/prevent/> ISA Server
    Preventative Measures Web site by following the link "Help Protect against
    Exchange Server vulnerability described in MS05-021".

    Customers who use ISA Server 2000 or ISA Server 2004 to publish Exchange
    SMTP services with the default SMTP publishing rules are at reduced risk
    from this attack over the Internet. The Workarounds section below
    discusses these ISA publishing rules.

    Workarounds for Exchange Server Vulnerability - CAN-2005-0560:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    in the following section.

    Use SMTP protocol inspection to filter out SMTP protocol extensions.
    There are default ISA publishing rules for Exchange for filtering out any
    SMTP protocol extensions from traffic that passes the firewall. Other
    third-party products may offer similar functionality. More information on
    how to publish an Exchange server computer with ISA Server can be found by
    visiting the
    <http://www.microsoft.com/Desktop/www.support.microsoft.com/kbid=311237>
    Microsoft Knowledge Base Article 311237.
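    The following is an added example (not ISA Server code and not part of the bulletin) of the protocol inspection this workaround describes, run over a constructed SMTP session log: it forwards only the RFC 2821 base verbs and flags any extended verb, with an option to allow extensions once the server has accepted AUTH, which mirrors the authenticated-only behaviour described for Exchange 2003 in the next workaround. The verb X-EXAMPLE-VERB and the session lines are placeholders I constructed for the example.

```python
# Inspection filter modelled on the ISA "filter out SMTP protocol extensions"
# publishing rule. RFC 2821 base verbs pass; AUTH (RFC 2554) is kept so
# clients can still authenticate; every other verb counts as an extension.
BASE_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "VRFY", "EXPN",
              "HELP", "NOOP", "QUIT", "AUTH"}

# Constructed session log (not a real capture): "C:" client, "S:" server.
# X-EXAMPLE-VERB is a placeholder standing in for any extended verb.
SAMPLE_TRANSCRIPT = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250 mail.example.test
C: X-EXAMPLE-VERB before-auth
S: 500 Command not recognized
C: AUTH PLAIN base64-credentials-here
S: 235 Authentication successful
C: MAIL FROM:<a@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CRLF>.<CRLF>
C: X-EXAMPLE-VERB inside the message body, not a command
C: .
S: 250 Queued
C: X-EXAMPLE-VERB after-auth
S: 250 OK
C: QUIT
"""

def inspect_transcript(transcript, allow_after_auth=False):
    """Return [(client_line, verdict)], verdict in {'forward', 'block', 'data'}.
    Extensions are blocked outright (ISA default) or, with allow_after_auth,
    only until the server accepts AUTH (235), as Exchange 2003 behaves."""
    verdicts, authenticated, in_data = [], False, False
    for raw in transcript.splitlines():
        side, _, text = raw.partition(": ")
        if side == "S":  # server reply: track AUTH success and DATA mode
            authenticated |= text.startswith("235")
            in_data |= text.startswith("354")
            continue
        if in_data:  # message content up to the lone "." is never a command
            verdicts.append((text, "data"))
            in_data = text != "."
            continue
        verb = text.split(None, 1)[0].upper() if text.strip() else ""
        allowed = verb in BASE_VERBS or (allow_after_auth and authenticated)
        verdicts.append((text, "forward" if allowed else "block"))
    return verdicts

def blocked_commands(transcript, allow_after_auth=False):
    return [c for c, v in inspect_transcript(transcript, allow_after_auth) if v == "block"]
```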

    Only accept authenticated SMTP sessions.
    If practical, accept only authenticated connections. Accepting connections
    only from trusted sources will prevent anonymous attackers from being able
    to exploit this issue.

    To require SMTP authentication on an Exchange 2000 server:
    1. Start Exchange System Manager.
    2. Locate the server in the organization tree.
    3. Expand the Protocols container for the server.
    4. Expand the SMTP container.
    5. For each SMTP virtual server:
     * Open the properties of the virtual server object.
     * Click the Access properties page.
     * Click the Authentication button.
     * Clear the "Anonymous Access" checkbox.
     * Click OK to accept the change.

    Impact of Workaround:
    Typically, inbound SMTP mail is accepted without requiring authentication
    from the sender. If you implement this workaround, you will be able to
    receive email only from senders who have been granted appropriate
    permissions in your system.

    NOTE: This workaround does not prevent a malicious authenticated user from
    exploiting this vulnerability. But it does protect you against attack by
    anonymous users.

    Use a firewall to block the port that SMTP uses.
    Use a firewall to block the port that SMTP uses. Typically, that is port
    25.

    Impact of Workaround:
    This workaround should only be used as a last resort to help protect you
    from this vulnerability. This workaround may directly affect the ability
    to communicate with external parties by e-mail.

    Unregister xlsasink.dll and fall back to Active Directory for distribution
    of route information.
    1. In the Exchange installation's bin directory, run regsvr32 /u
    xlsasink.dll.
    2. If the default one hour interval for the Exchange servers to update
    routing information from AD is sufficient, you may skip to step 8.
    Otherwise continue with the following instructions, taken from the More
    Information section in <http://support.microsoft.com/?kbid=842026>
    Microsoft Knowledge Base Article 842026.
    3. Run regedit.
    4. Navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RESvc\Parameters
    5. Edit the ReloadOsInterval value. If it doesn't exist, create a new
    DWORD with that name.
    6. Type in the number of seconds that the AD route information refresh
    interval should be. By default this is 3600.
    7. Click OK and close regedit.
    8. Restart the Exchange server.

    Impact of Workaround:
    Exchange Servers won't use SMTP to proactively update routing information.
    If changes to the mail infrastructure are made, the Exchange Servers won't
    know about the new configuration until they refresh routing information
    from the Active Directory. This could result in a temporary interruption
    of mail services if the refresh interval is configured too large.

    Frequently asked questions (FAQ):
    What updates does this release replace?
    MS04-035:
     * Exchange 2000 Server - Replaced
     * Exchange Server 2003 - Not Replaced

    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could remotely take complete
    control of an affected system. An attacker could then install programs;
    view, change, or delete data; or create new accounts with full system
    rights.

    What causes the vulnerability?
    An unchecked buffer in the SMTP service.

    What is SMTP?
    SMTP (Simple Mail Transfer Protocol) is an industry standard for
    delivering e-mail over the Internet, as defined in
    <http://www.ietf.org/rfc/rfc2821.txt> RFC 2821 and in
    <http://www.ietf.org/rfc/rfc2822.txt> RFC 2822. The protocol defines the
    format of e-mail messages, the fields that are in e-mail messages, the
    contents of e-mail messages, and the handling procedures for e-mail
    messages.

    What are SMTP extended verbs?
    SMTP extended verbs are defined by the extension model that is defined in
    <http://www.ietf.org/rfc/rfc2821.txt> RFC 2821. They allow addition of new
    functionality to the SMTP protocol. Microsoft Exchange uses one such
    extended verb to communicate routing and other Exchange-specific
    information among Exchange servers in an Exchange environment.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system.

    Who could exploit the vulnerability?
    On Exchange 2000, any anonymous user who could connect to an SMTP port on
    the Exchange Server and issue a specially crafted extended verb request.

    On Exchange 2003, the level of authentication required to exploit this
    vulnerability is typically only granted to other Exchange Servers within
    the same organization. In this case, the attacker would have to connect to
    an SMTP port on the Exchange Server with the authority of another Exchange
    Server within the same organization and issue a specially crafted extended
    verb request.

    How could an attacker exploit the vulnerability?
    An unauthenticated attacker could seek to exploit this vulnerability by
    connecting to an SMTP port on the Exchange 2000 server and by issuing a
    specially-crafted extended verb request. This could allow an attacker to
    take any action on the system in the security context of the SMTP service.
    By default, the SMTP service runs as Local System.

    For Exchange 2003, an attacker who could authenticate as an account in
    Exchange Enterprise Servers or Exchange Domain Servers groups could
    exploit this vulnerability.

    Because Exchange 2000 Server uses the Windows 2000 SMTP service, does the
    vulnerability affect the SMTP service in Windows 2000?
    No. The vulnerability does not affect the Microsoft SMTP service on
    systems that are running Windows 2000 that do not have Exchange 2000
    Server installed.
    The vulnerability also does not affect the Microsoft SMTP services that
    can be installed on Windows NT Server 4.0 or on Windows XP.

    Can this be exploited directly by using e-mail?
    No. This vulnerability could not be exploited by sending a
    specially-crafted e-mail message to a mailbox that is hosted on an
    Exchange server. An attacker would have to connect directly to the SMTP
    port on an Exchange server.

    What does the update do?
    The update removes the vulnerability by modifying the way that the SMTP
    Service validates the length of a message before it passes the message to
    the allocated buffer.

    Additionally, the update for Exchange 2000 adds authentication
    requirements similar to those already present in Exchange 2003.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft received information about this vulnerability through
    responsible disclosure.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS05-021.mspx>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

