Title: Microsoft Exchange Server Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
Microsoft has announced that Exchange Server is affected by a remotely exploitable buffer overflow condition. The overflow can be triggered remotely by unauthenticated SMTP clients.
Microsoft has stated that remote code execution is possible on hosts running Exchange 2000 Server. Servers running Exchange Server 5.0 and 5.5 are vulnerable to a denial of service attack.
A remote user may connect to the SMTP port of the server and issue an unusually large extended verb request. On an Exchange Server 5.5 system, this would result in a denial of service due to memory exhaustion.
On a system running Exchange 2000 Server, this unusually large request would result in an internal buffer being overrun. Execution of arbitrary code in the security context of the Exchange service may be possible.
The verb that triggers this condition is XEXCH50, which is used to transfer binary data with Exchange-specific recipient information. An unusually large value for the length of the message reportedly causes the server to allocate an attacker-specified amount of memory, resulting in a denial of service. If a negative value is specified for the message length, the server reportedly does not allocate any memory but still accepts data. This could be leveraged to corrupt heap memory with attacker-supplied values, which could theoretically be exploited to execute arbitrary code.
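Both failure modes described above come from trusting a client-supplied length before it drives allocation or copying. The following C sketch of the missing validation is an added example, not Exchange code and not part of the original advisory; the command layout (`XEXCH50 <length>`), the function name `check_xexch50` and the 64 KiB cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for this example; the advisory gives no limit. */
#define MAX_XEXCH50_LEN 65536LL

enum xstatus { X_OK, X_NOT_XEXCH50, X_MALFORMED, X_NEGATIVE, X_TOO_LARGE };

/* Classify one SMTP command line, assumed layout "XEXCH50 <length> ...".
 * On X_OK, *out holds a length that is safe to use as a buffer size. */
enum xstatus check_xexch50(const char *line, size_t *out)
{
    static const char verb[] = "XEXCH50";
    const char *p = line;
    char *end;
    long long v;

    for (size_t i = 0; verb[i] != '\0'; i++, p++)   /* case-insensitive verb match */
        if (toupper((unsigned char)*p) != verb[i])
            return X_NOT_XEXCH50;
    if (*p != '\0' && !isspace((unsigned char)*p))  /* a longer token is a different verb */
        return X_NOT_XEXCH50;

    errno = 0;
    v = strtoll(p, &end, 10);       /* signed parse: a leading '-' stays visible */
    if (end == p || (*end != '\0' && !isspace((unsigned char)*end)))
        return X_MALFORMED;
    if (v < 0)                      /* never let a negative reach a size_t cast */
        return X_NEGATIVE;
    if (errno == ERANGE || v > MAX_XEXCH50_LEN)     /* bound before any allocation */
        return X_TOO_LARGE;
    *out = (size_t)v;
    return X_OK;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *samples[] = { "XEXCH50 2048", "XEXCH50 -1", "XEXCH50 4294967295",
                              "xexch50 12x", "MAIL FROM:<a@example.test>" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        enum xstatus s = check_xexch50(samples[i], &n);
        printf("%-28s -> status %d, length %zu\n", samples[i], (int)s, n);
    }
    return 0;
}
```

The same classification can be applied at an SMTP proxy or in log review to flag XEXCH50 commands whose length argument is negative or above the expected size.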
It is important to note that the SMTP services on Windows NT, 2000, XP, and 2003 are not affected by this issue, unless a vulnerable version of Exchange has been installed on the system.
Affected Products:
- Microsoft Exchange Server 2000
- Microsoft Exchange Server 2000 SP1
- Microsoft Exchange Server 2000 SP2
- Microsoft Exchange Server 2000 SP3
- Microsoft Exchange Server 5.0
- Microsoft Exchange Server 5.0 SP1
- Microsoft Exchange Server 5.0 SP2
- Microsoft Exchange Server 5.5
- Microsoft Exchange Server 5.5 SP1
- Microsoft Exchange Server 5.5 SP2
- Microsoft Exchange Server 5.5 SP3
- Microsoft Exchange Server 5.5 SP4
References:
- CORE Security: Exchange XEXCH50 Exploit
- Microsoft: Microsoft Security Bulletin MS03-046
- Microsoft: UPDATED: Microsoft Security Bulletin MS03-046