J-Security Center

Title: Microsoft Outlook Web Access Denial of Service Vulnerability

Severity: HIGH

Description:

Outlook Web Access is an optional component of Microsoft Exchange Server which runs in conjunction with Microsoft Internet Information Server. It provides access to a user's Exchange mailbox through a web interface.

A user can enter a long string of % characters into the Log On field in the Outlook Web Access logon page. Next, the NT challenge dialog will pop up requesting the username and password. The user enters the same long string into both the username and password fields and presses <enter> until the request times out.

At this point both the WWW Publishing service and the IIS Administration service are stopped. This results in the inability of the host server to fulfill HTTP requests or start the IIS Administration interface.

An administrator must manually restart the services to resume normal operation of the server.

Note: If this behaviour is due to a buffer overrun condition, it may be possible to execute arbitrary code on the server with administrative privileges.
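One defender-side check for the condition described above, as an added example that is not part of the advisory: it scans web-server log lines for logon requests whose query or username field contains an abnormally long run of % characters while leaving ordinary percent-encoding (such as %20) alone. The log layout, the field order, the OWA paths /exchange/logon.asp and /exchange/logonfrm.asp, and all sample lines are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample log in an assumed W3C-extended-style layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status.
# Paths, addresses and entries are illustrative, not taken from a real server.
FLOOD = "%" * 60  # constructed stand-in for the long run of '%' the advisory describes
SAMPLE_LOG = "\n".join([
    "2000-01-10 09:12:01 10.0.0.5 GET /exchange/logon.asp - - 200",
    "2000-01-10 09:12:09 10.0.0.5 POST /exchange/logonfrm.asp mailbox=jsmith - 401",
    "2000-01-10 09:12:15 10.0.0.5 POST /exchange/logonfrm.asp mailbox=j%20smith jsmith 200",
    f"2000-01-10 09:13:02 10.0.0.9 POST /exchange/logonfrm.asp mailbox={FLOOD} - 401",
    f"2000-01-10 09:13:07 10.0.0.9 POST /exchange/logonfrm.asp mailbox={FLOOD} {FLOOD} 401",
])

FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "username", "status")


def longest_percent_run(value):
    """Length of the longest consecutive run of '%' in value (0 if none)."""
    longest = run = 0
    for ch in value:
        run = run + 1 if ch == "%" else 0
        longest = max(longest, run)
    return longest


def parse_line(line):
    """Split one space-delimited log line into a dict, or None if malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def find_percent_floods(log_text, threshold=16):
    """Return (c_ip, field, run_length) for each OWA logon request whose query or
    username holds a run of at least `threshold` '%' characters. A legitimate
    encoded name like j%20smith has a run of 1 and is never flagged."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["uri_stem"].lower().startswith("/exchange/logon"):
            continue
        for field in ("uri_query", "username"):
            run = longest_percent_run(rec[field])
            if run >= threshold:
                hits.append((rec["c_ip"], field, run))
    return hits


def offenders(log_text, threshold=16):
    """Count flagged fields per client address, for alerting or blocking decisions."""
    return Counter(ip for ip, _, _ in find_percent_floods(log_text, threshold))
```

Pairing the alert with a watch on the WWW Publishing and IIS Administration services lets an operator correlate a flagged source with the outage the advisory describes.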

Affected Products:

  • Microsoft Exchange Server 5.5.0
  • Microsoft Exchange Server 5.5.0SP1
  • Microsoft Exchange Server 5.5.0SP2
  • Microsoft Exchange Server 5.5.0SP3
  • Microsoft Exchange Server 5.5.0SP4
