BID:13118

Microsoft Exchange Server SMTP Extended Verb Buffer Overflow Vulnerability

Info

Microsoft Exchange Server SMTP Extended Verb Buffer Overflow Vulnerability

Bugtraq ID:	13118
Class:	Boundary Condition Error
CVE:	CVE-2005-0560
Remote:	Yes
Local:	No
Published:	Apr 12 2005 12:00AM
Updated:	Jul 12 2009 12:56PM
Credit:	Discovery is credited to Mark Dowd and Ben Layer.
Vulnerable:	Microsoft Exchange Server 2003 SP1 Microsoft Exchange Server 2003 Microsoft Exchange Server 2000 SP3 Microsoft Exchange Server 2000 SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server Microsoft Exchange Server 2000 SP1 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server Microsoft Exchange Server 2000 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server

Not Vulnerable:	Microsoft Exchange Server 5.5 SP4 - Microsoft BackOffice 4.5 - Microsoft BackOffice 4.5 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0 Microsoft Exchange Server 5.0 SP2 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0

Discussion

Microsoft Exchange Server SMTP Extended Verb Buffer Overflow Vulnerability

Microsoft Exchange Server is prone to a buffer overflow in the X-LINK2STATE SMTP extended verb. Successful exploitation could result in arbitrary code execution.

Exploit / POC

Microsoft Exchange Server SMTP Extended Verb Buffer Overflow Vulnerability

The following proof of concept exploit is available:

/data/vulnerabilities/exploits/MS05-021-PoC.pl

Solution / Fix

Microsoft Exchange Server SMTP Extended Verb Buffer Overflow Vulnerability

Solution:
Microsoft has released updates to address this issue in supported versions.

Microsoft Exchange Server 2003 SP1

Microsoft Security Update for Exchange Server 2003 SP1 (KB894549)
http://www.microsoft.com/downloads/details.aspx?familyid=35BCE74A-E84A -4035-BF18-196368F032CC&displaylang=en

Microsoft Exchange Server 2003

Microsoft Security Update for Exchange Server 2003 (KB894549)
http://www.microsoft.com/downloads/details.aspx?familyid=97F409EB-C8D0 -4C94-A67B-5945E26C9267&displaylang=en

Microsoft Exchange Server 2000 SP3

Microsoft Security Update for Exchange 2000 Server(KB894549)
http://www.microsoft.com/downloads/details.aspx?familyid=2A2AF17E-2E4A -4479-8AC9-B5544EA0BD66&displaylang=en

References

Microsoft Exchange Server SMTP Extended Verb Buffer Overflow Vulnerability

References:

Microsoft Security Bulletin MS05-021 (Microsoft)
MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC ("Evgeny Pinchuk" )