Microsoft Exchange Server contains unchecked buffer in SMTP extended verb handling

Overview

A vulnerability in some versions of Microsoft’s Exchange Server may allow a remote attacker to execute arbitrary code on an affected server.

Description

Microsoft’s Exchange Server supports a number of protocols for handling email, including the Simple Mail Transfer Protocol (SMTP) and SMTP extended verbs as defined by RFC2821. A buffer overflow error exists in the way that Exchange Server 2003 and Exchange 2000 Server handle a particular, but unspecified SMTP extended verb. This error results in a vulnerability that could allow a remote attacker to execute arbitrary code or cause a denial of service. According to Microsoft, this vulnerability could be exploited by:

On Exchange 2000, any anonymous user who could connect to an SMTP port on the Exchange Server and issue a specially crafted extended verb request.

On Exchange 2003, the level of authentication required to exploit this vulnerability is typically only granted to other Exchange Servers within the same organization. In this case, the attacker would have to connect to an SMTP port on the Exchange Server with the authority of another Exchange Server within the same organization and issue a specially crafted extended verb request.

NOTE: We are aware of publicly available exploit code for this vulnerability and have received reports of successful compromise of vulnerable systems.

---

Impact

Remote attackers may be able to cause a denial of service or execute code of their choosing on an affected system, depending on the version of Exchange Server being used. In the case of code execution, the code would be run with the privileges of the Exchange Server, typically Local System.

---

Solution

Apply a patch

Microsoft has published Microsoft Security Bulletin MS05-021 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.

---

Workarounds

In addition to the patches referenced above, Microsoft Security Bulletin MS05-021 also contains workaround information to mitigate this issue. Users, particularly those who are unable to apply the patches, should consider implementing these workarounds as appropriate.

---

Vendor Information

275193

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: August 02, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has published Microsoft Security Bulletin MS05-021 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23275193 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://xforce.iss.net/xforce/alerts/id/193&gt;
• <http://www.microsoft.com/technet/Security/bulletin/ms05-021.mspx&gt;
• <http://www.us-cert.gov/cas/techalerts/TA05-102A.html&gt;
• <http://secunia.com/advisories/14920/&gt;
• <http://www.osvdb.org/displayvuln.php?osvdb_id=15467&gt;

Acknowledgements

Thanks to Microsoft for reporting this vulnerability. Microsoft, in turn, credits Mark Dowd and Ben Layer of ISS X-Force for discovering and reporting it to them.

This document was written by Chad R Dougherty based on information provided by Microsoft.

Other Information

CVE IDs:	CVE-2005-0560
Severity Metric:	36.15 Date Public: