Microsoft Exchange Server flaw uncovered

Microsoft Corp. and Internet Security Systems Inc. (ISS) teamed up to issue a warning to computer users on Thursday to address a remote buffer overflow hole found within Microsoft Exchange Server Version 5.5.

By taking advantage of a flaw in how the server’s Internet Mail Connector (IMC) interprets responses to the “EHLO” command of the Simple Mail Transfer Protocol (SMTP) service, assailants can crash Exchange, blocking bi-directional e-mail traffic, or seize total control of the machine, said Dan Ingevaldson, X-Force research and development team leader at Atlanta-based ISS.

Microsoft Exchange 2000 servers are not currently at risk from the remote buffer overflow vulnerability, he said.

The EHLO command is a function of IMC used to query other servers to obtain a list of supported SMTP operations for e-mail client and server identification to perform e-mail delivery. Upon EHLO execution, the queried server tries to identify the client through a reverse DNS lookup on the client IP address.

By arranging for a valid lookup, Ingevaldson said, an attacker is capable of triggering a buffer overflow on the targeted machine. This can occur when the server attempts a “back connection” to verify the identity of the query’s origin point and inadvertently embeds portions of the exploit in its response, because the stack buffer used to formulate the message is not large enough to hold the e-mail server name, the “hello” text and the client DNS name.

The attack could be launched by outside parties using their own DNS server and controlling reverse lookup responses, or by implementing DNS spoofing measures.
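The mechanism described above, a reply composed from the server name, fixed “hello” text and a reverse-DNS name into a fixed-size stack buffer, is a classic unbounded-copy bug. The following is an added illustration written for this article, not Exchange’s source or ISS’s code: it treats the PTR answer as untrusted input, validates it against hostname length rules, and composes the reply with explicit bounds so an over-long name is discarded rather than overflowing. The buffer size (96 bytes), the greeting format and all function names are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class described in the article: an EHLO reply
 * composed from the server name, fixed "Hello" text and the client's reverse-DNS
 * name inside a fixed-size stack buffer. This is NOT Exchange's source; the buffer
 * size, greeting format and function names are assumptions for the demonstration. */

#define GREETING_BUF 96      /* assumed size of the fixed stack buffer */
#define MAX_HOSTNAME 253     /* RFC 1035 limit on a presentation-form name */
#define MAX_LABEL    63      /* RFC 1035 limit on a single label */

/* A PTR answer comes from a DNS server the client may control, so validate it
 * before it touches any fixed-size buffer: bounded total length, bounded labels,
 * no empty labels, hostname characters only. */
bool valid_hostname(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_HOSTNAME) return false;
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {
            if (label == 0) return false;            /* ".." or leading "." */
            label = 0;
            continue;
        }
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-';
        if (!ok || ++label > MAX_LABEL) return false;
    }
    return true;                                     /* trailing "." is allowed */
}

/* Compose the greeting with explicit bounds. snprintf reports the length it
 * wanted; if that does not fit, the DNS name is dropped entirely and the client
 * IP literal is used instead, so an untrusted length never decides how much is
 * written. Returns 0 (used DNS name), 1 (fell back to IP), -1 (nothing fits). */
int build_ehlo_greeting(char *out, size_t outsz, const char *server_name,
                        const char *client_ip, const char *client_dns_name)
{
    int n;
    if (client_dns_name && valid_hostname(client_dns_name)) {
        n = snprintf(out, outsz, "250-%s Hello %s", server_name, client_dns_name);
        if (n >= 0 && (size_t)n < outsz) return 0;
    }
    n = snprintf(out, outsz, "250-%s Hello [%s]", server_name, client_ip);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 1;
}

/* Constructed sample: a 300-character PTR answer, longer than any legal hostname. */
const char *constructed_long_name(void)
{
    static char name[301];
    memset(name, 'a', 300);
    name[300] = '\0';
    return name;
}

/* Constructed sample: a legal hostname (two 60-character labels) that is still
 * too long for the assumed 96-byte buffer together with the server name. */
const char *constructed_legal_but_long_name(void)
{
    static char name[122];
    memset(name, 'b', 121);
    name[60] = '.';
    name[121] = '\0';
    return name;
}

/* Run the composition into the assumed fixed stack buffer for one PTR answer,
 * optionally pretending the buffer is even smaller (bufsz is capped at its size). */
int greet_client_with(size_t bufsz, const char *client_dns_name)
{
    char buf[GREETING_BUF];
    if (bufsz > sizeof buf) bufsz = sizeof buf;
    return build_ehlo_greeting(buf, bufsz, "mail.example.com", "192.0.2.10",
                               client_dns_name);
}

int main(void)
{
    const char *samples[] = { "client.example.net", constructed_long_name(),
                              constructed_legal_but_long_name(), "bad host!" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[GREETING_BUF];
        int r = build_ehlo_greeting(buf, sizeof buf, "mail.example.com",
                                    "192.0.2.10", samples[i]);
        printf("result=%d greeting=\"%s\"\n", r, buf);
    }
    return 0;
}
```

The design point is that the writer never lets the attacker-controlled string length choose the write length: the name is validated first, then composed through a length-reporting call, and any answer that would not fit is replaced by the IP literal, which the server already knows and which has a bounded size.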

“Once that happens, you’re able to overflow a buffer on Exchange Server and drop SMTP,” said Ingevaldson. “You can crash the functionality with Exchange, but the most serious effect is [an attacker] really can control the whole e-mail server.”

By using a variation of the overflow attack, the ISS security expert said a skilled attacker could rewrite certain portions of memory to allow them to execute specific commands on an overtaken machine.

Microsoft has a patch available to correct the vulnerability, which can be found at For the patch to be effective, Microsoft Exchange Server Service Pack 3 must be installed.

For users unable to apply the Microsoft patch immediately, ISS recommends flipping a registry key on the Microsoft Exchange Server to stop it resolving the IP addresses of incoming mail connections on vulnerable machines. However, Ingevaldson cautions this could cause short-term problems with e-mail rules.
