Microsoft Exchange Server Empty MIME Boundary DoS

Bugtraq ID:	1688
Class:	Failure to Handle Exceptional Conditions
CVE:
Remote:	Yes
Local:	No
Published:	Feb 15 1999 12:00AM
Updated:	May 31 2019 10:00PM
Credit:	This vulnerability was acknowledged by Microsoft on February 15, 1999.
Vulnerable:	Microsoft Exchange Server 5.5 SP2 - Microsoft BackOffice 4.5 - Microsoft BackOffice 4.5 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0 Microsoft Exchange Server 5.5 SP1 - Microsoft BackOffice 4.5 - Microsoft BackOffice 4.5 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0 Microsoft Exchange Server 5.5 - Microsoft BackOffice 4.5 - Microsoft BackOffice 4.5 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0
Not Vulnerable:	Microsoft Exchange Server 5.5 SP3 - Microsoft BackOffice 4.5 - Microsoft BackOffice 4.5 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 - Microsoft Windows NT 4.0

Microsoft Exchange Server Empty MIME Boundary DoS

If the boundary string is missing in the Content-Type field of a MIME-encoded message, Exchange server will cease to operate if it attempts to relay the message.

From the Microsoft Knowledge Base article Q217155:
When Microsoft Internet Mail Service receives a MIME-encoded message that has a large MIME prolog and the message is relayed, an endless loop in content conversion may result in a temporary file with an .stf extension that grows until all the disk space is consumed or the Internet Mail Service is shut down. The .stf file can also grow as a result of a POP3 or IMAP4 client downloading mail from the server.

This problem is typically because of a missing boundary before a body part causing the body part to be interpreted as part of the prolog. If the prolog is big enough to be within approximately 76 bytes of the current available buffer space, the prolog is emitted but leaving no room for the boundary to fit in. This results in an endless loop of emitting the same prolog over and over again while the temporary file grows in size.

Microsoft Exchange Server Empty MIME Boundary DoS

Send a MIME message containing an empty MIME boundary to an Exchange server. When the message is relayed or retrieved from the server, Exchange will cease to function.

Microsoft Exchange Server Empty MIME Boundary DoS

Solution:
Microsoft has released Exchange 5.5 SP3, which fixes this problem.


Microsoft Exchange Server 5.5 SP1

• Microsoft Exchange Server 5.5 SP3
  http://www.microsoft.com/exchange/downloads/sp3.htm

Microsoft Exchange Server 5.5 SP2

• Microsoft Exchange Server 5.5 SP3
  http://www.microsoft.com/exchange/downloads/sp3.htm

Microsoft Exchange Server 5.5

• Microsoft Exchange Server 5.5 SP3
  http://www.microsoft.com/exchange/downloads/sp3.htm

Microsoft Exchange Server Empty MIME Boundary DoS

References:

• Exchange Server Home Page (Microsoft)
  
• Q217155 - XADM: Missing MIME Boundary Causes Bad MIME Prolog (Microsoft)
  
• Q235453 - XGEN: List of Bugs Fixed in Exchange Server 5.5 Service Pack 3 (Part 1 (Microsoft)
  
• Q241740 - XGEN: List of Bugs Fixed in Exchange Server 5.5 Service Pack 3 (Part 2 (Microsoft)