exchange.ldap.txt

17 Aug 1999 | Reported by X-Force | Type: packetstorm | Source: packetstormsecurity.com

ISS Security Advisory on LDAP buffer overflow for Microsoft Exchange affecting version 5.5.

`Date: Mon, 15 Mar 1999 21:55:24 -0500 (EST)  
From: X-Force <[email protected]>  
To: [email protected]  
Cc: X-Force <[email protected]>  
Subject: ISSalert: ISS Security Advisory: LDAP Buffer overflow against Microsoft Directory Services  
  
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to  
[email protected] Contact [email protected] for help with any problems!  
---------------------------------------------------------------------------  
  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
ISS Security Advisory  
March 15, 1999  
  
LDAP Buffer overflow against Microsoft Directory Services  
  
Synopsis:  
  
ISS X-Force has discovered a buffer overflow exploit against Microsoft  
Exchange's LDAP (Lightweight Directory Access Protocol) server which  
allows read access to the Exchange server directory by using an LDAP  
client. This buffer overflow consists of a malformed bind request that  
overflows the buffer and can execute arbitrary code. This attack can also  
cause the Exchange LDAP service to crash. This vulnerability exists in  
Microsoft Exchange Server version 5.5.  
  
Description:  
  
This exploit occurs during the LDAP binding process. Binding involves   
logging in or authenticating to a directory, and consists of sending a   
username, a password, and a binding method. There are two methods in  
which to use this vulnerability against an Exchange server. The first  
consists of sending a particular type of invalid LDAP bind packet which  
will cause an overflow to occur; this will cause the LDAP service to crash.  
The second uses a large malformed LDAP bind packet that is carefully  
crafted to take advantage of the buffer overflow and can be used to  
execute arbitrary code.  
  
Recommendations:  
  
Microsoft has made a patch available for the LDAP attack. Patch   
information is available at:  
http://www.microsoft.com/security/bulletins/ms99-009.asp  
  
Network administrators can protect internal systems from external attack  
by adding a rule to a filtering router or firewall of the type: Deny all  
incoming TCP packets with a destination port of 389.  
  
Many firewalls or packet filters may already have more restrictive   
rulesets that already encompass this filtering rule, in which case the   
network is already protected from an external attack. This ruleset would  
include filtering all incoming traffic to TCP port 389.  
  
Additional Information:  
  
These vulnerabilities were primarily researched by the ISS X-Force.  
  
________  
  
Copyright (c) 1999 by Internet Security Systems, Inc.   
  
Permission is hereby granted for the electronic redistribution of this  
Security Advisory. It is not to be edited in any way without express  
consent of the X-Force. If you wish to reprint the whole or any part of  
this Security Advisory in any other medium excluding electronic medium,  
please e-mail [email protected] for permission.  
  
Internet Security Systems, Inc. (ISS) is the leading provider of adaptive  
network security monitoring, detection, and response software that  
protects the security and integrity of enterprise information systems. By  
dynamically detecting and responding to security vulnerabilities and  
threats inherent in open systems, ISS's SAFEsuite family of products  
provide protection across the enterprise, including the Internet,  
extranets, and internal networks, from attacks, misuse, and security  
policy violations. ISS has delivered its adaptive network security  
solutions to organizations worldwide, including firms in the Global 2000,  
nine of the ten largest U.S. commercial banks, and over 35 governmental  
agencies. For more information, call ISS at 678-443-6000 or 800-776-2362  
or visit the ISS Web site at http://www.iss.net.  
  
Disclaimer  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as  
well as on MIT's PGP key server and PGP.com's key server.  
  
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce  
  
Please send suggestions, updates, and comments to:  
X-Force <[email protected]> of Internet Security Systems, Inc.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3a  
Charset: noconv  
  
iQCVAwUBNu3GuzRfJiV99eG9AQF48wP+J1/vW040sA5f9Nz56JEF9s6d/tpainG1  
Qw7Jxbry374IFinJZfk/K5FJkdbjJfMcyGfgWJjNriYZJ0EKFkQcRK7XNAUe8AGu  
LWaBW4l0v1Qox3ueR3GdCskQ8haK9vpxkFkbPmlefIWKMsVhncQPloJwU3/WyPNV  
uLJBWqHEpkU=  
=Zp+/  
-----END PGP SIGNATURE-----  
  
------------------------------------------------------------------------------  
  
Date: Tue, 16 Mar 1999 22:28:11 -0800  
From: [email protected]  
To: [email protected]  
Subject: Microsoft Security Bulletin (MS99-009)  
  
The following is a Security Bulletin from the Microsoft Product Security  
Notification Service.  
  
Please do not reply to this message, as it was sent from an unattended  
mailbox.  
********************************  
  
Microsoft Security Bulletin (MS99-009)  
--------------------------------------  
  
Patch Available for "Malformed Bind Request" Vulnerability  
  
Originally Posted: March 16, 1999  
  
Summary  
=======  
Microsoft has released a patch that eliminates a vulnerability in the LDAP  
Bind function for Microsoft (r) Exchange (r) 5.5. The vulnerability could  
allow denial of service attacks against an Exchange server or, under certain  
conditions, could allow arbitrary code to be run on the server.  
  
A fully supported patch is available, and Microsoft recommends that  
customers who are at risk from this attack download and install it.  
  
Issue  
=====  
The Bind function in the Exchange 5.5 Directory Service has an unchecked  
buffer that poses two threats to safe operation. The first is a denial of  
service threat. A malformed Bind request could overflow the buffer, causing  
the Exchange Directory service to crash. The server would not need to be  
rebooted, but the Exchange Directory service, and possibly dependent  
services as well, would need to be restarted in order to resume messaging  
service. The second threat is more esoteric and would be far more difficult  
to exploit. A carefully-constructed Bind request could cause arbitrary code  
to execute on the server via a classic buffer overrun technique. Neither  
attack could occur accidentally.  
  
Customers who are using Exchange but who have turned off LDAP support in the  
Directory Service are not at risk from this vulnerability. Customers also  
can reduce their vulnerability to attacks from external sources by filtering  
incoming packets destined for TCP port 389, the LDAP service port.  
  
Microsoft has no reports of any customers being affected by this  
vulnerability. However, Microsoft is proactively releasing a patch that  
corrects the problem.  
  
Affected Software Versions  
==========================  
- Microsoft Exchange Server 5.5  
  
What Microsoft is Doing  
=======================  
Microsoft has released patches that fix the problem identified. The patches  
are available for download from the sites listed below in What Customers  
Should Do.  
  
Microsoft also has sent this security bulletin to customers  
subscribing to the Microsoft Product Security Notification Service.  
See http://www.microsoft.com/security/services/bulletin.asp for  
more information about this free customer service.  
  
Microsoft has published the following Knowledge Base (KB) article on this  
issue:  
- Microsoft Knowledge Base (KB) article Q221989,  
XADM: Buffer Overrun in Exchange 5.5 LDAP Service,  
http://support.microsoft.com/support/kb/articles/q221/9/89.asp  
(Note: It might take 24 hours from the original posting of  
this bulletin for the KB article to be visible in the Web-based  
Knowledge Base.)  
  
What Customers Should Do  
========================  
Microsoft highly recommends that customers evaluate the degree of risk that  
this vulnerability poses to their systems and determine whether to download  
and install the patch. The patch can be found at:  
- X86-based Exchange:  
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/  
fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRI.EXE  
- Alpha-based Exchange:  
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/  
fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRA.EXE  
  
(Note: The above URLs have been wrapped for readability)  
  
More Information  
================  
Please see the following references for more information related to this  
issue.  
- Microsoft Security Bulletin MS99-009,  
Patch Available for "Malformed Bind Request"  
Vulnerability (the Web-posted version of this bulletin),  
http://www.microsoft.com/security/bulletins/ms99-009.asp.  
- Microsoft Knowledge Base (KB) article Q221989,  
XADM: Buffer Overrun in Exchange 5.5 LDAP Service.  
http://support.microsoft.com/support/kb/articles/q221/9/89.asp  
(Note: It might take 24 hours from the original posting of  
this bulletin for the KB article to be visible in the Web-based  
Knowledge Base.)  
  
Obtaining Support on this Issue  
===============================  
If you require technical assistance with this issue, please  
contact Microsoft Technical Support. For information on contacting  
Microsoft Technical Support, please see  
http://support.microsoft.com/support/contact/default.asp.  
  
Revisions  
=========  
- March 16, 1999: Bulletin Created  
  
  
For additional security-related information about Microsoft  
products, please visit http://www.microsoft.com/security  
  
  
------------------------------------------------------------------------  
  
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"  
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER  
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS  
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS  
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,  
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN  
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR  
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE  
FOREGOING LIMITATION MAY NOT APPLY.  
  
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.  
  
*******************************************************************  
You have received this e-mail bulletin as a result of your registration  
to the Microsoft Product Security Notification Service. You may  
unsubscribe from this e-mail notification service at any time by sending  
an e-mail to [email protected]  
The subject line and message body are not used in processing the request,  
and can be anything you like.  
  
For more information on the Microsoft Security Notification Service  
please visit http://www.microsoft.com/security/bulletin.htm. For  
security-related information about Microsoft products, please visit the  
Microsoft Security Advisor web site at http://www.microsoft.com/security.  
  
`
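
Both messages above attribute the flaw to a Bind request whose buffer is not checked. As an added illustration (not code from ISS, Microsoft or Exchange), the following BER parser for an LDAP simple BindRequest validates every declared length against the bytes actually received and against fixed field limits before copying. `MAX_DN`, `MAX_PW`, the struct and the sample messages are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DN 255  /* assumed local limits; the advisory gives no sizes */
#define MAX_PW 127
struct bind_req { char dn[MAX_DN + 1]; char pw[MAX_PW + 1]; };

/* Constructed samples: a simple bind for "cn=a"/"x", and a bind whose name
   field claims 0x40 bytes although only 2 bytes remain in the message. */
const unsigned char ok_msg[] = {0x30,0x11, 0x02,0x01,0x01, 0x60,0x0c,
    0x02,0x01,0x03, 0x04,0x04,'c','n','=','a', 0x80,0x01,'x'};
const unsigned char trunc_msg[] = {0x30,0x0c, 0x02,0x01,0x01, 0x60,0x07,
    0x02,0x01,0x03, 0x04,0x40, 0x80,0x00};

/* Read a BER header with the expected tag at p[*off]. On success *off is the
   start of the value and *len its length, checked to lie inside p[0..n). */
static int ber_hdr(const unsigned char *p, size_t n, size_t *off,
                   unsigned char tag, size_t *len)
{
    size_t i = *off, l;
    if (i > n || n - i < 2 || p[i] != tag) return -1;
    l = p[i + 1];
    i += 2;
    if (l & 0x80) {               /* long form: low 7 bits count length octets */
        size_t k = l & 0x7f;
        if (k == 0 || k > 2 || n - i < k) return -1;  /* no indefinite/huge */
        for (l = 0; k > 0; k--) l = (l << 8) | p[i++];
    }
    if (l > n - i) return -1;     /* declared length must fit received bytes */
    *off = i; *len = l;
    return 0;
}

/* Parse an LDAP simple BindRequest; returns 0 on success, -1 if malformed. */
int parse_bind(const unsigned char *p, size_t n, struct bind_req *out)
{
    size_t off = 0, len;
    if (ber_hdr(p, n, &off, 0x30, &len)) return -1;  /* LDAPMessage SEQUENCE */
    n = off + len;                                   /* stay inside envelope */
    if (ber_hdr(p, n, &off, 0x02, &len)) return -1;  /* messageID */
    off += len;
    if (ber_hdr(p, n, &off, 0x60, &len)) return -1;  /* BindRequest [APP 0] */
    n = off + len;
    if (ber_hdr(p, n, &off, 0x02, &len)) return -1;  /* version */
    off += len;
    if (ber_hdr(p, n, &off, 0x04, &len) || len > MAX_DN) return -1; /* name */
    memcpy(out->dn, p + off, len); out->dn[len] = '\0';
    off += len;
    if (ber_hdr(p, n, &off, 0x80, &len) || len > MAX_PW) return -1; /* simple */
    memcpy(out->pw, p + off, len); out->pw[len] = '\0';
    return 0;
}
```

The two rejection paths are distinct: a length that overruns the received bytes fails in `ber_hdr`, while a well-formed but oversized name or password fails the `MAX_DN`/`MAX_PW` comparison before any `memcpy`.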
