Microsoft and Internet Security Systems teamed up to issue a warning to computer users yesterday to address a remote buffer overflow hole found within Microsoft Exchange Server Version 5.5.
By taking advantage of a flaw in the way the server's Internet Mail Connector (IMC) interprets responses to the "EHLO" command of the Simple Mail Transfer Protocol (SMTP) service, attackers can crash Exchange, blocking e-mail traffic in both directions, or could seize total control of the machine, said Dan Ingevaldson, X-Force research and development team leader at ISS.
So far, Microsoft Exchange 2000 servers are not at risk from the remote buffer overflow vulnerability, he said.
The EHLO command is used by IMC to query other servers for the list of SMTP operations they support; the client and server identify themselves in this exchange so that e-mail can be delivered. When EHLO is executed, the queried server tries to identify the client through a reverse DNS lookup on the client's IP address.
By performing a valid lookup, Ingevaldson said, an attacker is capable of triggering a buffer overflow on the targeted machine. This occurs when the computer attempts a "back connection" to verify the identity of the query's origin point and inadvertently embeds portions of the exploit in its response, because the stack buffer used to build the message is not large enough to hold the e-mail server name, the "hello" text, and the client's DNS name.
The attack could be launched by outside parties using their own DNS server and controlling reverse lookup responses, or by implementing DNS spoofing measures.
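The defect described above, illustrated with added C code that is neither Exchange's nor ISS's: the greeting format, the 128-byte buffer size and the sample host names are assumptions. `unsafe_greeting_len` only computes how many bytes the unbounded assembly would have written into the fixed stack buffer, while `build_ehlo_response` is the bounded form that treats the reverse-DNS name as untrusted input and rejects a greeting that does not fit.

```c
#include <stdio.h>
#include <string.h>

#define GREETING_BUF 128   /* assumed size; the article gives no real value */
#define MAX_HOSTNAME 255   /* RFC 1035 limit on a textual domain name */

/* Constructed sample PTR answer: 200 chars, legal for DNS but far larger
 * than the greeting buffer. */
#define A20 "aaaaaaaaaaaaaaaaaaaa"
#define LONG_PTR A20 A20 A20 A20 A20 A20 A20 A20 A20 A20

/* Bytes the original unbounded assembly ("250 <server> Hello <client>\r\n"
 * plus terminator) would write. Computed only, never performed: a value
 * above GREETING_BUF is the stack overflow the article describes. */
size_t unsafe_greeting_len(const char *server, const char *client_ptr)
{
    return 4 + strlen(server) + 7 + strlen(client_ptr) + 2 + 1;
}

/* Hardened assembly. The reverse-DNS name is chosen by whoever runs the
 * authoritative server, so it is bounded like any untrusted input, and
 * snprintf's return value is checked so an oversized message is rejected
 * rather than silently truncated. Returns 0 on success, -1 on failure. */
int build_ehlo_response(char *out, size_t outsz,
                        const char *server, const char *client_ptr)
{
    if (strlen(client_ptr) == 0 || strlen(client_ptr) > MAX_HOSTNAME)
        return -1;
    int n = snprintf(out, outsz, "250 %s Hello %s\r\n", server, client_ptr);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';   /* leave no partial message behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[GREETING_BUF];
    printf("unsafe length with long PTR: %zu (buffer %d)\n",
           unsafe_greeting_len("mail.example.com", LONG_PTR), GREETING_BUF);
    printf("hardened, long PTR:   %d\n",
           build_ehlo_response(buf, sizeof buf, "mail.example.com", LONG_PTR));
    int rc = build_ehlo_response(buf, sizeof buf, "mail.example.com",
                                 "client.example.net");
    printf("hardened, normal PTR: %d -> %s", rc, buf);
    return 0;
}
```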
"Once that happens, you're able to overflow a buffer on Exchange Server and drop SMTP," said Ingevaldson. "You can crash the functionality with Exchange, but the most serious effect is [an attacker] really can control the whole e-mail server."
By using a variation of the overflow attack, the ISS security expert said, a skilled attacker could rewrite certain portions of memory to allow them to execute specific commands on an overtaken machine.
Microsoft has a patch available to correct the vulnerability, which can be found at www.microsoft.com/Downloads/Release.asp?ReleaseID=40666. For the patch to be effective, Microsoft Exchange Server Pack 3 must be installed.
For users unable to apply the Microsoft patch immediately, ISS recommends changing a registry key in Microsoft Exchange Server to stop the lookup of IP addresses on incoming mail for vulnerable machines.
However, Ingevaldson cautions that this could cause short-term problems with e-mail rules.