Microsoft Corp. and Internet Security Systems Inc. (ISS) teamed up to issue a warning to computer users on Thursday to address a remote buffer overflow hole found within Microsoft Exchange Server Version 5.5.
By taking advantage of a flaw associated with how the server’s Internet Mail Connector (IMC) interprets responses to the “EHLO” command within Simple Mail Transfer Protocol (SMTP) service, assailants can launch an attack and crash Exchange by blocking bi-directional e-mail traffic or could seize total control of the machine, said Dan Ingevaldson, X-Force research and development team leader at Atlanta-based ISS.
Microsoft Exchange 2000 servers are not currently at risk from the remote buffer overflow vulnerability, he said.
The EHLO command is a function of IMC used to query other servers to obtain a list of supported SMTP operations for e-mail client and server identification to perform e-mail delivery. Upon EHLO execution, the queried server tries to identify the client through a reverse DNS lookup on the client IP address.
By performing a valid lookup, Ingevaldson said a computer attacker is capable of triggering a buffer overflow on the targeted machine. This can occur when the computer attempts to do a “back connection” and verify the identify of the query’s origin point, inadvertently embedding portions of the exploit within the response because the stack buffer used to formulate the message is not large enough for the e-mail server name, “hello” text, and the client DNS name.
The attack could be launched by outside parties using their own DNS server and controlling reverse lookup responses, or by implementing DNS spoofing measures.
“Once that happens, you’re able to overflow a buffer on Exchange Server and drop SMTP,” said Ingevaldson. “You can crash the functionality with Exchange, but the most serious effect is [an attacker] really can control the whole e-mail server.”
By using a variation of the overflow attack, the ISS security expert said a skilled attacker could rewrite certain portions of memory to allow them to execute specific commands on an overtaken machine.
Microsoft has a patch available to correct the vulnerability, which can be found at www.microsoft.com/Downloads/Release.asp?ReleaseID=40666. For the patch to be effective, Microsoft Exchange Server Pack 3 must be installed.
For users unable to apply the Microsoft patch immediately, ISS recommends flipping the registry key within the Microsoft Exchange Server to disrupt IP addresses via incoming mail on vulnerable machines. However, Ingevaldson cautions this could cause short-term problems with e-mail rules.
