Microsoft Exchange Vulnerabilities
Created 7/25/02
CVE-2002-0698
Impact
A remote attacker who controls the reverse DNS records for the
address from which they connect could crash the mail service or
execute arbitrary code on the Exchange server.
Background
Microsoft Exchange is an e-mail server for Microsoft
Windows operating systems. Exchange 5.5
includes an Internet Mail Connector (IMC) service
which acts as a Mail Transfer Agent (MTA) for sending,
receiving, or routing e-mail across a network. The IMC implements
the Extended Simple Mail Transfer Protocol (ESMTP).
An ESMTP session typically begins with
the client sending an EHLO command to the
server to indicate that it supports ESMTP.
The Exchange server's 250 reply to EHLO names both itself and the
connecting client by fully qualified domain name. The client's name
is not taken from the EHLO argument; the IMC determines it by a
reverse (PTR) DNS lookup of the connecting IP address, which means
the data placed in the reply comes from whichever DNS server is
authoritative for that address.
The Problem
CVE-2002-0698
The Exchange 5.5 IMC does not check the length of the
reverse DNS response before copying it into a
fixed-length buffer. A remote attacker who
controls the DNS server authoritative for the reverse lookup of
the address they connect from can therefore publish a long,
specially crafted PTR record for that address, connect to the
IMC, and issue the EHLO command. When the IMC looks up the
client's name and copies the oversized answer into the buffer,
the overflow crashes the service or, with a more carefully
constructed payload, lets the attacker execute arbitrary code on
the server. No authentication is required; the attacker only
needs SMTP access to the IMC and control of their own reverse
DNS zone.
Microsoft Exchange 5.5 is affected by this vulnerability
if the patch has not been installed. Microsoft Exchange
2000 is not affected because it runs atop the native Windows
2000 SMTP service rather than the IMC.
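The EHLO exchange and the unchecked copy described above, as an added C illustration. This is not Exchange's code and is not taken from the bulletin; the 256-byte reply buffer, the server name mail.example.com, the client addresses, and the PTR answers are all constructed for the example. It shows a benign session, the reply size an attacker-controlled PTR record would force through an unchecked copy, a bounded version of the same greeting, and the equivalent of the workaround (no reverse lookup at all). The overflow size is computed rather than performed so the program runs cleanly.

```c
#include <stdio.h>
#include <string.h>

/* Fixed reply buffer size for this illustration (assumed; the bulletin does
 * not give Exchange's real size). */
#define REPLY_CAP 256
/* RFC 1035 limits a domain name to 255 octets; a longer PTR answer is malformed. */
#define DNS_NAME_MAX 255
#define SERVER_FQDN "mail.example.com"   /* assumed server name */

/* Constructed stand-in for the reverse (PTR) lookup the IMC performs on the
 * connecting address. A real MTA would query DNS; here the zone for
 * 203.0.113.7 is attacker-controlled and answers with a 384-octet name. */
static const char *fake_reverse_lookup(const char *client_ip)
{
    static char long_name[400];
    if (strcmp(client_ip, "203.0.113.7") == 0) {
        long_name[0] = '\0';
        for (int i = 0; i < 6; i++) {          /* six 63-char labels plus dots */
            char label[64];
            memset(label, 'A', 63);
            label[63] = '\0';
            strcat(long_name, label);
            strcat(long_name, ".");
        }
        return long_name;
    }
    return "client.example.org";               /* benign client (constructed) */
}

/* Bytes the unchecked greeting would write, NUL included. Computed rather
 * than performed so the overflow condition can be shown without actually
 * corrupting memory in this demo. */
static size_t unchecked_reply_len(const char *server_fqdn, const char *client_name)
{
    return strlen("250-") + strlen(server_fqdn) + strlen(" Hello [")
         + strlen(client_name) + strlen("]\r\n") + 1;
}

/* Vulnerable pattern: fixed-size buffer, DNS-supplied data copied without a
 * length check. Only safe to call with names short enough to fit. */
static void greet_unchecked(char reply[REPLY_CAP], const char *server_fqdn, const char *client_name)
{
    sprintf(reply, "250-%s Hello [%s]\r\n", server_fqdn, client_name);
}

/* Hardened: reject oversize names up front and bound the format.
 * Returns bytes written, or -1 if the reply would not fit. */
static int greet_checked(char *reply, size_t cap, const char *server_fqdn, const char *client_name)
{
    if (strlen(client_name) > DNS_NAME_MAX) {
        reply[0] = '\0';
        return -1;
    }
    int n = snprintf(reply, cap, "250-%s Hello [%s]\r\n", server_fqdn, client_name);
    if (n < 0 || (size_t)n >= cap) {
        reply[0] = '\0';
        return -1;
    }
    return n;
}

/* Equivalent of the KB workaround: skip the reverse lookup and echo the
 * address literal, so no DNS-supplied data reaches the buffer at all. */
static int greet_no_rdns(char *reply, size_t cap, const char *server_fqdn, const char *client_ip)
{
    int n = snprintf(reply, cap, "250-%s Hello [%s]\r\n", server_fqdn, client_ip);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* End-to-end helpers: greeting length for one client, or -1 when rejected. */
static int checked_len_for(const char *client_ip)
{
    char reply[REPLY_CAP];
    return greet_checked(reply, sizeof reply, SERVER_FQDN, fake_reverse_lookup(client_ip));
}

static int no_rdns_len_for(const char *client_ip)
{
    char reply[REPLY_CAP];
    return greet_no_rdns(reply, sizeof reply, SERVER_FQDN, client_ip);
}

int main(void)
{
    char reply[REPLY_CAP];

    /* Benign session: checked and unchecked paths produce the same 250 reply. */
    const char *name = fake_reverse_lookup("192.0.2.10");
    greet_unchecked(reply, SERVER_FQDN, name);
    printf("C: EHLO client.example.org\r\nS: %s", reply);

    /* Attacker session: the PTR answer alone exceeds the reply buffer. */
    name = fake_reverse_lookup("203.0.113.7");
    printf("attacker PTR is %zu octets; unchecked copy needs %zu bytes, buffer holds %d\n",
           strlen(name), unchecked_reply_len(SERVER_FQDN, name), REPLY_CAP);
    if (checked_len_for("203.0.113.7") < 0)
        puts("checked path: oversize reverse name rejected, session continues");
    if (no_rdns_len_for("203.0.113.7") > 0)
        puts("reverse lookup disabled: address literal echoed instead");
    return 0;
}
```

The point of the checked path is that the untrusted input here is not the EHLO argument the client types but the DNS answer the server fetches on the client's behalf, so the length check has to sit on the lookup result. The no-lookup variant is why the KB workaround is effective even without the patch: if the name is never fetched, there is nothing oversized to copy.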
Resolution
Apply the patch referenced in
Microsoft Security Bulletin 02-037.
Alternatively, disable the reverse DNS lookup that the IMC
performs when answering the EHLO command by following the
procedure outlined in Microsoft Knowledge Base Article Q190026.
With the lookup disabled, no DNS-supplied name is copied into
the reply, so the overflow cannot be triggered; this is a
workaround rather than a correction of the underlying bug, so
the patch should still be applied when possible.
Where can I read more about this?
See
Microsoft Security Bulletin 02-037.