
Remote Buffer Overflow Vulnerability in Microsoft Exchange Server
Any information on this? As usual, this IIS advisory does not contain
any useful information.
--------------------------------------------
Microsoft Exchange Server Internet Mail Connector (IMC) provides SMTP
(Simple Mail Transfer Protocol) functionality. It is possible for remote
attackers to formulate a request to trigger a buffer overflow on a
vulnerable Exchange server. This flaw may allow an attacker to either
crash Exchange and block all inbound and outbound email delivery or
allow an attacker to gain complete control of the server.
[snip]
--------------------------------------------
Re: Remote Buffer Overflow Vulnerability in Microsoft Exchange Server
On Thursday 25 July 2002 02:13, Michel Arboi wrote:
> Any information on this? As usual, this IIS advisory does not contain
> any useful information.

Look at the real advisory:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20759

It requires the connecting IP address to reverse DNS to a string longer
than 251 (max 256). Sounds difficult to check for automatically without
matching a banner...
Re: Remote Buffer Overflow Vulnerability in Microsoft Exchange Server
H D Moore <hdm@digitaloffense.net> writes:

> Sounds difficult to check for automatically without matching a
> banner...

Yes. The only (?) way would be to sniff the DNS request and send back a
fake answer.
I'll suppose that the banner check will do.
Re: Remote Buffer Overflow Vulnerability in Microsoft Exchange Server
It's my understanding that you send an EHLO to the server. The server
reverse resolves the IP to some *very long* name. The returned resolved
name is inserted into a string which is supposed to be sent back to the
client. The length of the string overflows the local IMC...

AFAIK, exploit requires corrupted or intercepted DNS as well as standard
SMTP connect....

John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be their
own governors, must arm themselves with the power knowledge gives. A popular
government without popular information or the means of acquiring it, is but
a prologue to a farce or a tragedy or perhaps both."
--James Madison

----- Original Message -----
From: "Michel Arboi" <arboi@noos.fr>
To: <plugins-writers@list.nessus.org>
Sent: Thursday, July 25, 2002 8:13 AM
Subject: Remote Buffer Overflow Vulnerability in Microsoft Exchange Server


Any information on this? As usual, this IIS advisory does not contain
any useful information.
--------------------------------------------
Microsoft Exchange Server Internet Mail Connector (IMC) provides SMTP
(Simple Mail Transfer Protocol) functionality. It is possible for remote
attackers to formulate a request to trigger a buffer overflow on a
vulnerable Exchange server. This flaw may allow an attacker to either
crash Exchange and block all inbound and outbound email delivery or
allow an attacker to gain complete control of the server.
[snip]
--------------------------------------------
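The thread describes two things a plugin or IDS author can act on: the trigger condition (the connecting address's reverse name resolving to more than 251 characters, per H D Moore's summary of the ISS advisory) and the practical fallback the posters settle on (matching the SMTP banner). The following Python module is an added example written for this archive; it is not code from the thread, from Nessus, or from ISS. It decodes a DNS PTR response from wire format (including compression pointers), flags any reverse name over the 251-character limit quoted above, and applies a banner match. The 251 limit comes from the thread; the banner substring "Microsoft Exchange Internet Mail Service", the reverse zone `4.3.2.1.in-addr.arpa`, and the `example.test` names are assumptions and constructed sample data, not values from the advisory.

```python
"""Added example: parse a DNS PTR answer and flag overlong reverse names,
plus the SMTP banner match the thread falls back on. Not from the thread."""
from __future__ import annotations

import re
import struct

# Limit quoted in the thread: reverse names longer than this trip the IMC overflow.
IMC_SAFE_PTR_LENGTH = 251
TYPE_PTR, CLASS_IN = 12, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels (RFC 1035 limits enforced)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("wire-format name exceeds 255 octets")
    return out


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, seen, jumped, end = [], set(), False, offset
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer in seen:
                raise ValueError("compression pointer loop")
            seen.add(pointer)
            if not jumped:
                end = offset + 2  # the name occupies only the pointer bytes here
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_ptr_response(query_name: str, ptr_target: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal one-answer PTR response (sample data for offline use)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(query_name) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    rdata = encode_name(ptr_target)
    # Answer owner name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def ptr_names(msg: bytes) -> list[str]:
    """Walk the question and answer sections; return every PTR target found."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    names = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            target, _ = decode_name(msg, offset)
            names.append(target)
        offset += rdlen
    return names


def overlong_ptr_names(msg: bytes, limit: int = IMC_SAFE_PTR_LENGTH) -> list[str]:
    """Reverse names an MTA or IDS should refuse or alert on, per the thread's limit."""
    return [name for name in ptr_names(msg) if len(name) > limit]


# Assumed banner substring for the Exchange IMC; adjust to what your servers announce.
IMC_BANNER = re.compile(r"Microsoft Exchange Internet Mail Service", re.IGNORECASE)


def looks_like_exchange_imc(banner: str) -> bool:
    """Banner-based identification, the check the posters say 'will do'."""
    return banner.startswith("220") and bool(IMC_BANNER.search(banner))
```

Used defensively, `overlong_ptr_names` belongs in front of the name lookup an SMTP server performs (or in a DNS-response monitor), so a reverse name that would exceed the limit is rejected or logged before it reaches the connector; `looks_like_exchange_imc` is the inventory-side check that tells you which hosts still run the affected component.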