<<< Date Index >>>     <<< Thread Index >>>

MS03-046 Microsoft Exchange 2000 Heap Overflow



On October 15th, Microsoft released an advisory stating that both Exchange 
5.5 and Exchange 2000 were vulnerable to a denial of service attack in 
the code which processes extended verb requests. This advisory also 
stated that Exchange 2000 was vulnerable to a buffer overrun that would 
allow a remote attacker to execute the code in the context of the SMTP 
service.

The supported extended verb requests can be determined by sending the 
"EHLO" command to the SMTP service. After checking both the 5.5 and 2000 
versions of the Exchange SMTP service, it was obvious that the problem 
had to be with the XEXCH50 verb. A quick google search and I was able to 
find a quick description of this verb:

>From http://smtpfilter.sourceforge.net/esmtp.html:

"Allows transfer of binary data with Exchange specific recipient 
information eg plain text only versus MIME, etc). If accepted, receiver 
SMTP servers sends 354 Send Binary data and sending SMTP server sends the 
number of bytes as the first parameter on the XEXCH50 command. Once these 
bytes are sent,  the receiving SMTP server sends an acknowledgment"

After a few minutes of digging on google groups, I came across a sample 
TCP session showing how the XEXCH50 verb is used. This verb is used to 
transfer messages between Exchange servers using their native envelope 
format. The syntax of the verb is:

XEXCH50 <X> <Y>

Where X is the length of the message and Y always seems to be the number 2 
(although other small integer values work as well). The denial of service 
can be triggered by sending XEXCH50 request with a massive number of 
bytes for the first argument. This forces the remote server to allocate 
that specified amount of space and can easily be used to drain all 
available memory from a system. Once Exchange runs low on memory, it no 
longer processes incoming requests, leading to a quick and easy remote 
denial of service.

If a negative value is passed as the first argument of the XEXCH50 verb 
request, the server will not allocate any memory but still accept data. 
This can be used to clobber the heap and eventually execute arbitrary 
code...

It ends up that the heap area that is overwritten is used by the 
GetServiceConfigInfoSize routine and many of the subroutines that it 
calls. After testing more than two hundred combinations of data size, 
data content, pre-allocation, multiple connections, and alternate trigger 
paths, I was unable to find a set that would allow for reliable 
exploitation. Using the Snapshot/Revert functions of VMWare allowed me to 
test different data combinations in the exact same running process. Just 
changing a few bytes deep into the data resulted in a change in the 
location and type of crash. Even using the exact same data will result in 
smaller set of completely different crashes using different chunks of the 
data.

So for the moment, I have no working exploit. More than likely someone 
will find the perfect set of parameters and be able to write a reliable 
exploit, but in the meantime I am going to burn my time on something more 
fulfilling :)

You can find a small perl script that reproduces the crash and tests for 
the vulnerability at the URL below.

http://metasploit.com/releases.html

-HD