From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Wed Jul 24 2002 - 19:00:24 CDT

    http://www.microsoft.com/technet/security/bulletin/MS02-037.asp

    Server Response To SMTP Client EHLO Command Results In Buffer Overrun (Q326322)

    Originally posted: July 24, 2002

    Summary

    Who should read this bulletin: System administrators using Microsoft® Exchange Server 5.5.

    Impact of vulnerability: Ability to run arbitrary code

    Maximum Severity Rating: Moderate

    Recommendation: System administrators should consider applying the patch.

    Affected Software:
    - Microsoft Exchange Server 5.5

    Technical description:

    The Internet Mail Connector (IMC) enables Microsoft Exchange Server to communicate with other mail servers via SMTP. When the IMC receives an SMTP extended Hello (EHLO) protocol command from a connecting SMTP server, it responds by sending a status reply that starts with the following:
    250-<Exchange server ID> Hello <Connecting server ID>

    Where:
    - <Exchange server ID> is the fully-qualified domain name (FQDN) of the Exchange server
    - <Connecting server ID> is either the FQDN or the IP address of the server that initiated the connection. The FQDN would be used if the Exchange 5.5 IMC is able to resolve this information through a reverse DNS lookup; the IP address would be used if a reverse DNS lookup was not possible or failed to resolve the connecting server's IP address.

    A security vulnerability results because of an unchecked buffer in the IMC code that generates the response to the EHLO protocol command. If the total length of the message exceeds a particular value, the data would overrun the buffer. If the buffer were overrun with random data, it would result in the failure of the IMC. If, however, the buffer were overrun with carefully chosen data, it could be possible for the attacker to run code in the security context of the IMC, which runs as the Exchange 5.5 Service Account.

    It is important to note that the attacker could not simply send data to the IMC in order to overrun the buffer. Instead, the attacker would need to create a set of conditions that would cause the IMC to overrun its own buffer when it generated the EHLO response. Specifically, the attacker would need to ensure that a reverse DNS lookup would not only succeed, but would provide an FQDN whose length was sufficient to result in the buffer overrun.

    Mitigating factors:
    - Creating an environment in which the IMC's reverse DNS lookup would not only succeed but also result in the buffer being overrun would be difficult. The attacker could set up a rogue DNS server and manually populate the bogus FQDN information on it, but this would require that the attacker have some means of forcing the IMC to consult the rogue DNS server when performing the reverse DNS lookup.
    - The IMC can be disabled for cases where SMTP support is not needed. If this has been done, the vulnerability could not be exploited.
    - Customers can disable Reverse DNS lookup on EHLO by setting a registry key as defined in Q190026. The vulnerability could not be exploited on a system configured in such a way.
    - If the buffer overrun caused the IMC to fail, normal service could be restored by restarting the Exchange 5.5 IMC service.

    Vulnerability identifier: CAN-2002-0698

    This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

    I can only hope that the information it does contain can be read well enough to serve its purpose.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
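The length check the bulletin says the IMC lacks, as an added example that is neither Microsoft's nor Exchange's code: a bounded builder for the "250-<Exchange server ID> Hello <Connecting server ID>" line that falls back to the peer's IP address (the form the IMC already uses when reverse DNS fails) whenever the reverse-DNS name would not fit. EHLO_REPLY_MAX, the function names and the sample host names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply buffer size; the bulletin does not state the real one. */
#define EHLO_REPLY_MAX 256

/* Builds the first EHLO reply line, "250-<Exchange server ID> Hello <Connecting
 * server ID>", refusing to write past out_len. Returns false (and an empty
 * string) when the two names plus framing do not fit in the buffer. */
bool build_ehlo_reply(char *out, size_t out_len,
                      const char *local_fqdn, const char *peer_id)
{
    int n = snprintf(out, out_len, "250-%s Hello %s\r\n", local_fqdn, peer_id);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';          /* never hand back a half-built reply */
        return false;
    }
    return true;
}

static char g_reply[EHLO_REPLY_MAX];

/* Prefers the reverse-DNS name, but falls back to the dotted-quad address
 * (what the IMC already does when the lookup fails) if the name would not fit.
 * Returns the reply text, or NULL if even the address form does not fit. */
const char *ehlo_reply_for(const char *local_fqdn, const char *peer_ip,
                           const char *reverse_dns_name)
{
    if (reverse_dns_name &&
        build_ehlo_reply(g_reply, sizeof g_reply, local_fqdn, reverse_dns_name))
        return g_reply;
    return build_ehlo_reply(g_reply, sizeof g_reply, local_fqdn, peer_ip)
               ? g_reply : NULL;
}

/* Constructed test input: a PTR answer longer than the whole reply buffer. */
const char *constructed_long_peer_name(void)
{
    static char name[EHLO_REPLY_MAX + 64];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}
```

With an ordinary peer name the reply is built as usual; with the oversized constructed name the builder reports failure and the caller answers with the address form instead of overrunning.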