Exchange 2000, 2003 in Danger
A buffer overflow can turn into a flood of spam or worms in the latest vulnerability discovered.
Microsoft released eight security bulletins in April.
According to our analysis, one is critical, one important and another noteworthy.
The rest can be applied with the next service pack or major version upgrade.
The critical one is MS05-021: Buffer overflow in the Microsoft Exchange 2000 and 2003
SMTP service. The Exchange SMTP service uses
proprietary Extended SMTP (ESMTP) protocol commands, or verbs, to support a
variety of services. Amongst them is the X-Link2State verb, which gives an
Exchange environment the ability to perform dynamic routing. Should one Exchange
server in the routing environment fail or become unavailable, X-Link2State messages,
sent via the SMTP protocol, advise all other Exchange servers so they can recalculate
how to reroute e-mail. X-Link2State messages can contain a maximum of 1024 bytes
of information, but it's possible to craft a malformed message which overflows
a buffer and allows code of the attacker's choice to run.
Exchange 2000 servers are much more vulnerable to this attack than Exchange
2003, for several reasons. First, Exchange 2000, unlike Exchange 2003, is vulnerable
to attacks by anonymous connections to port 25 (used by SMTP). Another factor
is that Exchange 2003 requires the X-Link2State
verb to be issued within an authenticated session, and Exchange Service-level permissions
are necessary, which are higher-level than standard Administrator privileges.
The most effective way to mitigate this risk—and all risks with ESMTP
handling on Exchange servers—is to filter traffic prior to it reaching
the Exchange server. Exchange 2003 requires an authenticated session for the
proprietary ESMTP verbs, but no such security is available with Exchange 2000.
It's possible to use the IIS Metabase (a database
of operational parameters for IIS which includes SMTP) to filter some, but not
all, ESMTP verbs with Exchange 2000. Care should be taken when performing such
filtering, since it could result in Exchange servers becoming unavailable should
network or server disruptions occur. However, in Active Directory environments,
AD itself will provide updated routing information periodically (usually every
hour) if X-Link2State is no longer accepted.
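The two points above, that X-Link2State carries at most 1024 bytes and that the best mitigation is to filter ESMTP verbs before traffic reaches an Exchange 2000 server, can be illustrated with a small command-line filter. The following Python is an added example written for this page; it is not code from Microsoft, Exchange or the IIS Metabase. The standard verb list, the Session class, the treatment of every X-* verb as proprietary, and the constructed SMTP transcript are all assumptions made for the example. In a real gateway a session would be marked authenticated only after the server's 235 reply; here the client's AUTH command stands in for that handshake.

```python
"""Front-end SMTP command filter for traffic headed to an Exchange server.

Constructed example: decides, per command line, whether to forward, reject
or alert. Unauthenticated sessions may not use proprietary X-* verbs (the
behaviour Exchange 2003 enforces and Exchange 2000 lacks), and an
X-Link2State argument longer than the 1024-byte maximum raises an alert.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Core SMTP verbs a mail gateway must let through (assumed list for the example).
STANDARD_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
                  "QUIT", "VRFY", "AUTH", "STARTTLS"}

MAX_LINK2STATE_BYTES = 1024  # maximum X-Link2State payload cited in the column


@dataclass
class Session:
    """Per-connection state the filter needs (hypothetical helper)."""
    authenticated: bool = False
    rejected: List[str] = field(default_factory=list)


def classify(line: bytes, session: Session) -> Tuple[str, str]:
    """Return (action, reason) for one raw SMTP command line.

    action is "allow", "reject" or "alert". Allowed lines are forwarded
    unchanged; rejected lines are dropped and logged; alerts are forwarded
    to the operator, not to the server.
    """
    stripped = line.rstrip(b"\r\n")
    verb, _, argument = stripped.partition(b" ")
    verb_text = verb.upper().decode("ascii", "replace")

    # Simplification: treat the AUTH command as the start of an authenticated
    # session so later proprietary verbs can be permitted.
    if verb_text == "AUTH":
        session.authenticated = True
        return "allow", "authentication started"

    if verb_text in STANDARD_VERBS:
        return "allow", "standard verb"

    if verb_text.startswith("X-"):
        if not session.authenticated:
            session.rejected.append(verb_text)
            return "reject", "proprietary verb outside authenticated session"
        if verb_text == "X-LINK2STATE" and len(argument) > MAX_LINK2STATE_BYTES:
            return "alert", (f"X-Link2State argument is {len(argument)} bytes, "
                             f"limit is {MAX_LINK2STATE_BYTES}")
        return "allow", "proprietary verb in authenticated session"

    return "reject", "unknown verb"


def run_filter(transcript: List[bytes], authenticated: bool = False) -> List[str]:
    """Run classify() over a whole client transcript and return the actions."""
    session = Session(authenticated=authenticated)
    return [classify(line, session)[0] for line in transcript]


# Constructed client-side transcript: an ordinary envelope plus two
# X-Link2State commands, the second with an oversized argument.
SAMPLE_TRANSCRIPT = [
    b"EHLO mail.example.test\r\n",
    b"X-LINK2STATE SHORT\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"X-LINK2STATE " + b"A" * 2000 + b"\r\n",
]

if __name__ == "__main__":
    for label, auth in (("anonymous", False), ("authenticated", True)):
        session = Session(authenticated=auth)
        print(f"--- {label} session ---")
        for line in SAMPLE_TRANSCRIPT:
            action, reason = classify(line, session)
            print(f"{action:6} {reason}")
```

Run against the sample transcript, the anonymous session has both X-Link2State lines rejected while the envelope passes; the authenticated session forwards the short X-Link2State but raises an alert on the 2000-byte one. The caveat from the text still applies: dropping X-Link2State between Exchange 2000 servers removes their dynamic routing updates, so the filter belongs on the Internet-facing side, not between servers that rely on the verb.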
Cybertrust expects to see this vulnerability attacked,
most likely quietly by would-be spammers hoping to own the Exchange server to
deliver their spam. Although the Exchange 2000 vulnerability could support a
worm, it's unlikely that there are enough servers exposed to make such an effort
Buffer overflow in graphics processing within MSN Messenger. As with so many other
products, GIF processing within MSN Messenger can result in a buffer overflow
that permits code of the attacker's choice to be executed remotely simply
by rendering the GIF.
If it weren't for the fact this has such huge potential for exploitation, it
wouldn't even get a mention. Many other products have proven vulnerable to this
same attack technique, yet none have been attacked. Regardless, this doesn't
diminish the potential for an en masse attempt.
This column was originally published in our weekly Security Watch newsletter.
In corporate environments, the use of any Instant Messaging platform should
be controlled, ideally through an internal server to which all clients must
connect. This gives the company the ability to filter traffic, including the
inspection of graphic images. If this isn't done, access to the central servers
for the IM service should be blocked by IP address on all protocols. This will
prevent IM products that look for alternative protocols from finding a path
to the desired servers.
Denial of Service
Fernando Gont published several Internet
Engineering Task Force (IETF) drafts pertaining to the abuse of ICMP
as an attack vector. As a result, numerous Linux/Unix Vendors, as well as Microsoft,
announced vulnerabilities in their TCP/IP stacks related to the handling of
ICMP packets. So far, the vulnerabilities all result in Denial of Service conditions
on the affected platforms.
There's been another malware distribution attempt purporting to be from
Microsoft. Attackers sent spam to victims claiming to be from Microsoft and
providing a link to a site; once there, the site delivers the DSNX-05
Trojan. The trojan allows the criminals to remotely control their victim's
Unfortunately, Microsoft, especially Priority Support Services,
still sends links in unsigned e-mails. Quick Fix Engineering
(QFE) Hotfixes, provided only to customers who have opened a trouble ticket
regarding some particular issue, are still delivered via a link to an FTP/HTTP
site, with a password. Such messages are typically not signed (either PGP or
Adding to the difficulty is the fact that Microsoft's PGP-signed messages usually
result in an invalid signature after PGP tries to validate it; Microsoft's list
processing software modifies the message after it's signed but before it's sent,
making the PGP signature virtually useless.
It used to be that you'd get an attachment with such malware attempts, but
the attackers know that attachments are becoming less effective. Using vulnerabilities
in Internet Explorer (IE) works reasonably well, but if you can convince a victim
to download and install something he believes is a patch, you don't need to
exploit browser vulnerabilities; the victim is the vulnerability.
Moral of the story: If you ever get a patch notification from Microsoft, never
use the link supplied. Just type "windowsupdate.microsoft.com" in
your browser to go to the official source.
Three ex-employees of Indian outsourcer MPHasis have
been arrested on charges of collecting and misusing account information to steal
more than $300,000 from four Citibank account holders.
Given the way India is promoting itself as a highly-skilled outsourcing center,
expect to see serious repercussions for such a crime. Although such crimes are
frequently committed in the U.S. as well, American companies contemplating Indian
outsourcing firms often hesitate after realizing the amount of information they
have to yield to the Indian companies.
One of the top 10 spammers in the world at the time of his arrest was sentenced
to nine years in a Virginia prison under a law which came into effect two weeks
before his arrest. Jeremy Jaynes made $750,000 per
month sending out 10 million spam messages a day, according to prosecutors.
The judge has deferred sentencing, pending an appeal.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.