[NT] Microsoft Exchange Code Execution (MS06-019)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Microsoft Exchange Code Execution (MS06-019)
------------------------------------------------------------------------


SUMMARY

Improper handling of calendar properties in email messages can result in
remote code execution on Microsoft Exchange Server.

DETAILS

Vulnerable Systems:
* Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3
Update Rollup of August 2004 (KB 870540, <http://support.microsoft.com/kb/870540/>)
Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E72C8F94-782F-4670-9221-E2E37EADB8EC>
* Microsoft Exchange Server 2003 Service Pack 1
Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F32574E0-F35C-4537-9AD0-524CB49AFE53>
* Microsoft Exchange Server 2003 Service Pack 2
Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=82AE4397-0982-4585-84C1-DC1AF6944A0F>

Exchange Calendar Vulnerability - CVE-2006-0027
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027>):
A remote code execution vulnerability exists in Microsoft Exchange Server
that could allow an attacker who successfully exploited this vulnerability
to take complete control of the affected system.
An attacker could exploit the vulnerability by constructing a specially
crafted message that could potentially allow remote code execution when an
Exchange Server processes an email with certain vCal or iCal properties.

Mitigating Factors for Exchange Calendar Vulnerability - CVE-2006-0027
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027>):
There are no known mitigating factors.

Workarounds for Exchange Calendar Vulnerability - CVE-2006-0027
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027>):
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they will help to block
known attack vectors. When a workaround reduces functionality, it is
identified in the following section.

* Require authentication for connections to a server that is running
Microsoft Exchange Server for all client and message transport protocols.
Requiring authentication for all connections made to the Exchange Server
computer will help protect against anonymous attacks. This will not
protect against an attack from a malicious user who can successfully
authenticate.

Impact of workaround: Anonymous communication from clients through IMAP,
POP3, HTTP, LDAP, SMTP, and NNTP will no longer be possible. Server to
server anonymous communication through RPC, X.400, foreign gateway, and
third-party connector protocols will also no longer be possible. In
default configurations of Exchange Server, authenticated access is
required for all protocols except SMTP. If all text/calendar MIME type
message parts and the meeting.ics file are blocked, anonymous SMTP
connections could still be accepted.

* Block iCal/vCal on Microsoft Exchange Server to help protect against
attempts to exploit this vulnerability through SMTP e-mail.

Systems can be configured to block certain types of files from being
received as e-mail attachments. Meeting requests, typically used in
Outlook, contain a file attachment that stores the meeting information.
This file attachment is usually named meeting.ics. Blocking this file, and
blocking the calendar MIME type, could help protect Exchange servers and
other affected programs from attempts to exploit this vulnerability if
customers cannot install the available security update. To help protect an
Exchange Server computer from attacks through SMTP, block the .ics files
and all text/calendar MIME type content before it reaches the Exchange
Server computer.

Note: Exchange supports other messaging protocols, such as X.400, that
these workarounds do not protect. We recommend that administrators require
authentication on all other client and message transport protocols to help
prevent attacks using these protocols.

Note: Filtering only for attachments that have the file name meeting.ics
may not be sufficient to help protect your system. A specially crafted
file attachment could be given another file name that could then be
processed by the Exchange Server computer. To help protect against
specially crafted e-mail messages, block all text/calendar MIME type
content.

There are many ways to block the meeting.ics file and other calendar
content. Here are some suggestions:

* You can use ISA Server 2000 SMTP Message Screener to block all file
attachments or to block only the meeting.ics file. Blocking all file
attachments provides the most protection for this issue if you use ISA
Server 2000 because ISA Server 2000 does not support blocking content
based on MIME content types. For more information, see Microsoft Knowledge
Base Article 315132 (<http://support.microsoft.com/?id=315132>).

* You can use ISA Server 2000 SMTP Filter to block all file attachments
or to block only the meeting.ics file. Blocking all file attachments
provides the most protection for this issue if you use ISA Server 2000
because ISA Server 2000 does not support blocking content based on MIME
content types. For more information, see Microsoft Knowledge Base Article
320703 (<http://support.microsoft.com/?id=320703>).

* You can use ISA Server 2004 SMTP Filter and Message Screener to block all
file attachments or just the meeting.ics file. Blocking all file
attachments provides the most protection for this issue if you use ISA
Server 2004 because ISA Server 2004 does not support blocking content
based on MIME content types. For more information, see Microsoft Knowledge
Base Article 888709 (<http://support.microsoft.com/?id=888709>).

* You can use third-party e-mail filters to block all text/calendar MIME
type content before it is sent to the Exchange Server computer or to a
vulnerable application.

Impact of workaround: If calendar attachments are blocked, meeting
requests will not be received correctly. In some cases, users could
receive blank e-mail messages instead of the original meeting request. In
other cases, users may not receive meeting requests at all. Perform this
workaround only if you cannot install the available security update or if
a security update is not publicly available for your configuration.
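The advisory's point that filename-only filtering is insufficient, shown in code. This is an added illustration, not Microsoft's or SecuriTeam's code: a small pre-delivery filter that drops MIME parts by declared content type (text/calendar as the advisory directs; text/x-vcalendar is an assumption added here for vCalendar 1.0 messages) and compares that against a check that only matches the name meeting.ics. The sample message is constructed.

```python
from email import message_from_string, policy

# text/calendar is the type the advisory says to block; text/x-vcalendar is the
# older vCalendar type, added here as an assumption beyond the advisory text.
CALENDAR_TYPES = {"text/calendar", "text/x-vcalendar"}

# Constructed sample (not from the advisory): the calendar part carries a
# misleading filename instead of meeting.ics, the case the note above warns about.
SAMPLE_MESSAGE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invite.
--b1
Content-Type: text/calendar; method=REQUEST
Content-Disposition: attachment; filename="notes.txt"

BEGIN:VCALENDAR
END:VCALENDAR
--b1--
"""

def is_calendar_part(part):
    """Flag a part by declared MIME type or .ics name, never by filename alone."""
    return part.get_content_type() in CALENDAR_TYPES or (part.get_filename() or "").lower().endswith(".ics")

def filename_only_hits(raw):
    """The weak check the advisory warns against: count parts literally named meeting.ics."""
    msg = message_from_string(raw, policy=policy.default)
    return sum(1 for p in msg.walk() if (p.get_filename() or "").lower() == "meeting.ics")

def _prune(part):
    """Recursively drop calendar parts from a multipart; return how many were removed."""
    if not part.is_multipart():
        return 0
    kept, removed = [], 0
    for sub in part.get_payload():
        if is_calendar_part(sub):
            removed += 1
        else:
            removed += _prune(sub)
            kept.append(sub)
    part.set_payload(kept)
    return removed

def strip_calendar_content(raw):
    """Parse a raw RFC 822 message and remove calendar parts before it reaches Exchange."""
    msg = message_from_string(raw, policy=policy.default)
    return msg, _prune(msg)
```

On the sample, the name-based check finds nothing while the type-based filter removes the renamed calendar part and leaves the text part intact.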

FAQ for Exchange Calendar Vulnerability - CVE-2006-0027
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027>):
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

What causes the vulnerability?
The EXCDO and CDOEX functionality provided with Exchange Server does not
properly process certain iCAL and vCAL properties supplied in email
messages.

What are EXCDO and CDOEX?
Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration
Data Objects (EXCDO) are interfaces that allow for certain types of
information to be processed in the Exchange store.

What is vCAL?
Virtual Calendar (vCAL) is a MIME content type used by Microsoft Exchange
Server and email clients when sending and exchanging information related
to calendars and scheduling.

What is iCAL?
Internet Calendar (iCAL) is a MIME content type used by Microsoft Exchange
Server and email clients when sending and exchanging information related
to calendars and scheduling.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

Who could exploit the vulnerability?
An anonymous user who could send a message with specially crafted vCAL or
iCAL properties to an Exchange Server could try to exploit this
vulnerability.

What systems are primarily at risk from the vulnerability?
Microsoft Exchange Servers are at risk.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet.

What does the update do?
The update removes the vulnerability by modifying the way Exchange Server
processes messages with iCAL or vCAL properties.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly disclosed when this security bulletin was
originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx>
