Opinion: Exchange 2000, 2003 in Danger
- By Russ Cooper
- May 03, 2005
Microsoft released eight security bulletins in April. According to our analysis,
one is critical, one important and another noteworthy. The rest can be applied
with the next service pack or major version upgrade.
The critical one is MS05-021: Buffer overflow in Microsoft Exchange 2000 and
2003 SMTP service. The Exchange SMTP service uses proprietary Extended SMTP
(ESMTP) protocol commands, or verbs, to support a variety of services. Amongst
them is the X-Link2State verb, which provides an Exchange environment the
ability to perform dynamic routing. Should one Exchange server in the routing
environment fail or become unavailable, X-Link2State messages, via the SMTP
protocol, advise all other Exchange servers so they can recalculate how to
reroute e-mail. X-Link2State messages can contain a maximum of 1024 bytes of
information, but it's possible to craft a malformed message which overflows a
buffer and allows code of the attacker's choice to run.
Exchange 2000 servers are much more vulnerable to this attack than Exchange
2003, for several reasons. First, Exchange 2000, unlike Exchange 2003, is
vulnerable to attacks by anonymous connections to port 25 (used by SMTP).
Another factor is that Exchange 2003 requires issuing the X-Link2State verb
within an authenticated session, and Exchange Service-level permissions are
necessary, which are even higher level than standard Administrator privileges.
The most effective way to mitigate this risk -- and all risks with ESMTP
handling on Exchange servers -- is to filter traffic prior to it reaching the
Exchange server. Exchange 2003 requires an authenticated session for the
proprietary ESMTP verbs, but no such security is available with Exchange 2000.
It's possible to use the IIS Metabase (a database of operational parameters for
IIS which includes SMTP) to filter some, but not all, ESMTP verbs with Exchange
2000. Care should be taken when performing such filtering, since it could result
in Exchange servers becoming unavailable should network or server disruptions
occur. However, in Active Directory environments, AD itself will provide updated
routing information periodically (usually every hour) if X-Link2State is no
Cybertrust expects to see this vulnerability attacked, most likely quietly by
would-be spammers hoping to own the Exchange server to deliver their spam.
Although the Exchange 2000 vulnerability could support a worm, it's unlikely
that there are enough servers exposed to make such an effort significant.
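As an added example (not from the column, and not Microsoft's or Exchange's own code), here is a small Python model of the upstream filter the column recommends: it passes standard SMTP verbs, refuses X-LINK2STATE from a session that has not authenticated (the Exchange 2003 behaviour, applied in front of Exchange 2000), and drops any X-LINK2STATE argument over the 1024-byte limit. The verb allow list, the session-state tracking and the sample transcript are assumptions made for this example.

```python
# Constraints taken from the column: X-Link2State carries at most 1024 bytes and
# Exchange 2003 only honours it in an authenticated session. Everything else is assumed.
MAX_XLINK2STATE_ARG = 1024
STANDARD_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

class SessionState:
    authenticated = False   # server has answered an AUTH command with 235
    pending_auth = False    # an AUTH command is waiting for the server's reply

def filter_command(line, state):
    # Decide for one client line: ('forward', reason) or ('drop', reason)
    verb, _, arg = line.strip().upper().partition(" ")
    if verb == "AUTH":
        state.pending_auth = True
        return "forward", "authentication attempt"
    if verb in STANDARD_VERBS:
        return "forward", "standard SMTP verb"
    if verb == "X-LINK2STATE":
        if not state.authenticated:
            return "drop", "X-LINK2STATE from an unauthenticated session"
        if len(arg.encode()) > MAX_XLINK2STATE_ARG:
            return "drop", f"X-LINK2STATE argument of {len(arg.encode())} bytes exceeds {MAX_XLINK2STATE_ARG}"
        return "forward", "authenticated X-LINK2STATE within the size limit"
    if verb.startswith("X-"):
        return "drop", "proprietary ESMTP verb not on the allow list"
    return "drop", "unknown verb"

def observe_reply(line, state):
    # Only a 235 reply to a pending AUTH marks the session as authenticated
    if state.pending_auth:
        state.authenticated = line.startswith("235")
        state.pending_auth = False

def run_session(transcript):
    # Apply the filter to a (side, line) transcript; one decision per client line
    state, decisions = SessionState(), []
    for side, line in transcript:
        if side == "C":
            decisions.append(filter_command(line, state)[0])
        else:
            observe_reply(line, state)
    return decisions

# Constructed sample session, not captured traffic; the AUTH credential is a placeholder.
SAMPLE_SESSION = [
    ("C", "EHLO relay.example.test"),
    ("C", "X-LINK2STATE " + "A" * 16),     # anonymous session: dropped
    ("C", "AUTH PLAIN AHBsYWNlaG9sZGVy"),  # placeholder credential
    ("S", "235 Authentication successful"),
    ("C", "X-LINK2STATE " + "A" * 16),     # authenticated and within limit: forwarded
    ("C", "X-LINK2STATE " + "A" * 1500),   # oversized argument: dropped
    ("C", "QUIT"),
]
```

Calling `run_session(SAMPLE_SESSION)` yields the forward/drop decision for each client line in order.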
MS05-022: Buffer overflow in graphics processing within MSN Messenger. Like so
many other products, GIF processing within MSN Messenger can result in a buffer
overflow which would permit remote code of the attacker's choice to be executed
simply by rendering the GIF.
If it weren't for the fact that this has such huge potential for exploitation, it
wouldn't even get a mention. Many other products have proven vulnerable to this
same attack technique, yet none have been attacked. Regardless, this doesn't
diminish the potential for an en masse attempt.
In corporate environments, the use of any instant messaging platform should be
controlled, ideally through an internal server to which all clients must
connect. This gives the company the ability to filter traffic, including the
inspection of graphic images. If this isn't done, access to the central servers
for the IM service should be blocked by IP address on all protocols. This will
prevent IM products that look for alternative protocols from finding a path to
the desired servers.
Other recent security developments …
Denial of Service
Fernando Gont published several Internet Engineering Task Force (IETF) drafts
pertaining to the abuse of ICMP as an attack vector. As a result, numerous
Linux/Unix Vendors, as well as Microsoft, announced vulnerabilities in their
TCP/IP stacks related to the handling of ICMP packets. So far, the
vulnerabilities all result in Denial of Service conditions on the affected
There's been another malware distribution attempt purporting to be from
Microsoft. Attackers sent spam to victims claiming to be from Microsoft and
providing a link to a site; once there, the site delivers the DSNX-05 Trojan.
The trojan allows the criminals to remotely control their victim's machines.
Unfortunately Microsoft, especially Priority Support Services, still sends links
in unsigned e-mails. Quick Fix Engineering (QFE) Hotfixes, provided only to
customers who have opened a trouble ticket regarding some particular issue, are
still delivered via a link to an FTP/HTTP site, with a password. Such messages
are typically not signed (either PGP or S/MIME).
Adding to the difficulty is the fact that Microsoft's PGP-signed messages
usually result in an invalid signature after PGP tries to validate it;
Microsoft's list processing software modifies the message after it's signed but
before it's sent, making the PGP signature virtually useless.
It used to be that you'd get an attachment with such malware attempts, but the
attackers know that attachments are becoming less effective. Using
vulnerabilities in Internet Explorer (IE) works reasonably well, but if you can
convince a victim to download and install something he believes is a patch, you
don't need to exploit browser vulnerabilities; the victim is the vulnerability.
Moral of the story: If you ever get a patch notification from Microsoft, never
use the link supplied. Just type "windowsupdate.microsoft.com" in your browser
to go to the official source.
Three ex-employees of Indian outsourcer MPHasis have been arrested on charges of
collecting and misusing account information to steal more than $300,000 from
four Citibank account holders.
Given the way India is promoting itself as a highly-skilled outsourcing center,
expect to see serious repercussions for such a crime. Although such crimes are
frequently committed in the United States as well, American companies contemplating
Indian outsourcing firms often hesitate after realizing the amount of
information they have to yield to the Indian companies.
One of the Top 10 spammers in the world at the time of his arrest was sentenced
to nine years in a Virginia prison under a law which came into effect two weeks
before his arrest. Jeremy Jaynes made $750,000 per month sending out 10 million
spam messages a day, according to prosecutors. The judge has deferred
sentencing, pending an appeal.
Russ Cooper is a Senior Information Security Analyst with
Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of
NTBugtraq, www.ntbugtraq.com, one of the industry's most influential
mailing lists dedicated to Microsoft security. One of the world's most-
recognized security experts, he's often quoted by major media outlets
on security issues.
Russ Cooper's Security Watch column appears every Monday in the
Redmond magazine/ENT Security Watch e-mail newsletter.