Microsoft Security Bulletin MS04-035

A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups. An attacker could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. The vulnerability also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4 and in Microsoft Exchange 2000 Server Service Pack 3.

•	By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 64-Bit Edition, or Windows XP 64-Bit Edition Version 2003.
•	By default, the SMTP component is not installed when Internet Information Services (IIS) 6.0 is installed.
•	Windows NT Server 4.0, Windows 2000, Windows XP, Windows XP 64-Bit Edition, Exchange Server 5.0, and Exchange Server 5.5 are not affected by this vulnerability.

Top of section

Microsoft has tested the following workaround. This workaround will not correct the underlying vulnerability but will help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below.

Use a firewall to block incoming TCP protocol network traffic on port 53 for Windows Server 2003 systems using the SMTP component, regardless of if Exchange is installed.
Use a firewall to block TCP protocol network traffic on port 53. Do not block UDP traffic on port 53 or the server will be unable to make any DNS queries to resolve domain names.

Impact of Workaround: Port 53 is used for DNS queries and responses. By blocking the TCP protocol on port 53, all DNS name resolution must be done through the UDP protocol. Large DNS responses sent through TCP can be split between multiple packets, while responses sent through UDP must fit within a single UDP packet. This means that if you rely only on UDP for DNS name resolution, you may be unable communicate with domains that return more IP addresses than can fit in a single UDP packet. Typically, each entry in a DNS response requires 16 bytes. Therefore, a single UDP response packet can contain approximately 30 IP addresses.

Note It is possible to minimize potential disruptions of DNS name resolution by implementing a metabase key. For detailed information about this, see Microsoft Knowledge Base Article 820284.
Setting the metabase key will allow SMTP to use partial UDP name resolution responses to route mail. It will not prevent TCP responses from being sent to the server, and setting the metabase key is not a substitute for blocking TCP on port 53. This metabase key affects only SMTP, and it will not affect the name resolution behavior of other services and applications.

Block TCP protocol network traffic on Windows Server 2000 Service Pack 3 or Service Pack 4 systems with Microsoft Exchange Server 2003 with no service pack installed or with Microsoft Exchange Server 2000 installed.
If you have defined External DNS Servers, you can block TCP protocol network traffic on port 53 between the Exchange server and all external DNS servers. Follow these steps to check if External DNS Servers have been configured on your Exchange server:

Start the Exchange System Manager and for each server:

•	Expand the Protocols container.
•	Expand the SMTP container.
•	For each SMTP virtual server: • Open the SMTP virtual server Properties. • Select the Delivery tab. • Click the Advanced button. • Click the Configure button. Block TCP traffic on port 53 between any external DNS servers listed and the Exchange server. If there are no external DNS servers listed, you do not have to take any action. However, Microsoft strongly recommends that you apply the security update or service pack for Exchange 2003 so that you will protected if the configuration of your server changes in the future.

Impact of Workaround: This workaround will affect only SMTP traffic on the Exchange system. It will not affect name resolution by other applications and services. The external DNS servers configured in Exchange System Manager are used only by the SMTP and Exchange Routing services. With TCP traffic from these servers blocked on port 53, Exchange will automatically use partial UDP name resolution responses to route mail. There is no need to set a metabase key as described above for Windows Server 2003 in order for SMTP to take advantage of partial responses. It is possible that some mail will still be unable to be delivered. This will happen only if a valid email server IP address is not found in a partial UDP response.

•	Do not block both TCP and UDP for port 53. Doing so will cause all DNS name resolution to fail on the server.
•	If your server hosts applications that are configured to use only TCP for DNS responses, then this workaround will cause those applications to be unable to resolve domain names to IP addresses.
•	If your server is used primarily as an SMTP-based email server or Exchange server, messages addressed to domains that return large DNS responses may not be processed or delivered.

Top of section

What is the scope of the vulnerability?
A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles DNS lookups. An attacker who successfully exploited this vulnerability could take complete control of an affected system. The vulnerability also exists in Microsoft Exchange Server 2003 when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4 and in Microsoft Exchange 2000 Server Service Pack 3.

What causes the vulnerability?
An unchecked buffer in the Windows SMTP component and in the Exchange Routing Engine component.

What is SMTP?
Simple Mail Transfer Protocol (SMTP) is an industry standard for delivering e-mail messages over the Internet, as defined in RFC 2821 and in RFC 2822. The protocol defines the format of e-mail messages, the fields that are in e-mail messages, the contents of e-mail messages, and the handling procedures for e-mail messages.

What is the Exchange Routing Engine component?
The Exchange Routing Engine component is part of the Exchange Routing Engine Service. The Exchange Routing Engine Service implements the Routing Engine API and determines how e-mail messages are routed through an Exchange system.

Why are there separate updates for Windows Server 2003, Exchange Server 2003, and Exchange 2000 Server?
The reason that this issue is addressed in the separate products is that name resolution functionality that was previously available only in the Exchange Server 2003 Routing Engine component was added to the Windows Server 2003 SMTP component. This is why you should install the update for Windows Server SMTP component update (KB885881) on Windows Server 2003 regardless of whether you have Exchange Server 2003 installed.

The update for Microsoft Exchange 2000 Server (KB890066) addresses the issue that is described in this bulletin in the Exchange 2000 Server Routing Engine component.

The update for Microsoft Exchange Server 2003 when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4 (KB885882) addresses the issue that is described in this bulletin in the Exchange Server 2003 Routing Engine component.

On Windows 2000, you should install Exchange Server 2003 Routing Engine component update only if you are running Exchange Server 2003 and you have not yet installed Exchange Server 2003 Service Pack 1.

On Windows Server 2003, Exchange uses the Windows Server 2003 SMTP component and bypasses the Exchange Server 2003 Routing Engine component for certain name resolution functions. On Windows 2000 Server, Exchange uses the functionality in its Exchange Routing Engine component because this functionality is not available in the Windows 2000 SMTP component.

Windows and/or Exchange software	KB885881	KB885882	KB890066
Windows Server 2003	Important	Not Applicable	Not Applicable
Windows Server 2003 64-Bit Edition	Important	Not Applicable	Not Applicable
Windows XP 64-Bit Edition Version 2003	Important	Not Applicable	Not Applicable
Exchange Server 2003 when installed on Windows Server 2003	Critical [1]	None [2]	Not Applicable
Exchange Server 2003 Service Pack 1 when installed on Windows Server 2003	Critical [1]	Not Applicable	Not Applicable
Exchange Server 2003 when installed on Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4	Not Applicable	Critical	Not Applicable
Exchange 2000 Server	Not Applicable	Not Applicable	Critical

[1] This is the Windows Server 2003 update.

[2] This update can be installed on these systems but is not necessary to be protected from this vulnerability. See the next FAQ for more information.

Is it possible to install the Exchange Routing Engine component update (KB885882) on Windows Server 2003-based systems?
Yes.It is possible to install the Exchange Routing Engine component update on Windows Server 2003-based systems if you have Exchange Server 2003 installed, but you have not yet installed Exchange Server 2003 Service Pack 1. However, you may not want to because doing this does not help protect against this vulnerability on Windows Server 2003-based systems. It only helps protect against this vulnerability on Windows 2000-based systems. To help protect against this vulnerability on Windows Server 2003-based systems, you must install the Windows Server 2003 SMTP component update (KB885881).

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system or could cause the SMTP component, and other services that are hosted by Internet Information Services on the same system, to repeatedly fail.

Who could exploit the vulnerability?
On Exchange 2000 Server and Exchange Server 2003, or on systems that use the Windows Server 2003 SMTP component, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker could attempt to exploit the vulnerability by creating a specially crafted DNS response message and sending the message to an affected system, which could then cause the affected system to execute code.

What systems are primarily at risk from the vulnerability?
Systems using Windows 2000 are only vulnerable to this issue when they use Exchange 2000 Server or Exchange Server 2003. When Exchange Server 2003 Service Pack 1 is installed, systems using Windows 2000 are no longer at risk from this vulnerability.

Systems using Windows Server 2003 are at risk from this vulnerability when they use the native SMTP component that is provided as part of the operating system, when they run Exchange Server 2003, or when they run Exchange Server 2003 Service Pack 1.

Could the vulnerability be exploited over the Internet?
Yes. An attacker may be able to exploit this vulnerability over the Internet.

What does the update do?
The update removes the vulnerability by modifying the way that the SMTP component validates the length of a message before it passes the message to the allocated buffer.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

Top of section

Note For Windows XP 64-Bit Edition Version 2003, this security update is the same as the Windows Server 2003 64-Bit Edition security update.

Prerequisites
This security update requires a release version of Windows Server 2003 or the release version of Windows XP 64-Bit Edition Version 2003.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows Server 2003 Service Pack 1.

Installation Information

This security update supports the following setup switches:

      /help                 Displays the command line options

Setup Modes

      /quiet                Quiet mode (no user interaction or display)

      /passive            Unattended mode (progress bar only)

      /uninstall          Uninstalls the package

Restart Options

      /norestart          Do not restart when installation is complete

      /forcerestart      Restart after installation

Special Options

      /l                        Lists installed Windows hotfixes or update packages

      /o                       Overwrite OEM files without prompting

      /n                       Do not back up files needed for uninstall

      /f                        Force other programs to close when the computer shuts down

      /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb885881-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb885881-x86-enu /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. If the required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB885881$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, and Windows Server 2003 Datacenter Edition:

Date         Time   Version       Size      File name     Folder

----------------------------------------------------------------

15-Sep-2004  02:27  6.0.3790.211  456192    Smtpsvc.dll   RTMGDR

15-Sep-2004  02:14  6.0.3790.211  460288    Smtpsvc.dll   RTMQFE

Windows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 64-Bit Datacenter Edition:

Date         Time   Version       Size     File name      Platform  Folder

--------------------------------------------------------------------------

15-Sep-2004  02:31  6.0.3790.211  1174528  Smtpsvc.dll    IA-64     RTMGDR

15-Sep-2004  02:15  6.0.3790.211  1182208  Smtpsvc.dll    IA-64     RTMQFE

Note When you install this security update on Windows Server 2003 or on Windows XP 64-Bit Edition Version 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. For more information, see Microsoft Knowledge Base Article 824994.

Verifying Update Installation

Prerequisites
This security update requires a release version of Exchange Server 2003. This prerequisite applies only to systems where all the following conditions are true:

Inclusion in Future Service Packs:
The update for this issue is included in Microsoft Exchange Server 2003 Service Pack 1.

Installation Information

This security update supports the following setup switches:

/?  Show the list of installation switches.

/u  Use unattended mode (same as /m).

/m  Use unattended mode (same as /u).

/f  Force other programs to quit when the computer shuts down.

/n   Do not back up files for removal.

/o   Overwrite OEM files without prompting.

/z   Do not restart when the installation is complete.

/q   Use Quiet mode (no user interaction) and unattended mode (same as /u or /m).

/l   List installed hotfixes.

/x   Extract the files without running Setup.

See Microsoft Knowledge Base Article 331646 for additional information about installer switches.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt:

Exchange2003-kb885882-x86-enu /q

Restart Requirement

You do not have to restart your computer after you apply this security update.

However, the installer will restart Internet Information Services (IIS) and all dependent services. Therefore, we recommend that you apply this security update at a time when there are no users using any Exchange services on the system. Also, the restart of IIS stops the routing engine and the SMTP component if the front-end Exchange server is tasked with this role. Therefore, no e-mail messages will be routed during this restart of the IIS service. This includes incoming and outgoing SMTP e-mail traffic. The File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP) services will also be affected.

Removal Information

To remove this security update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall885882$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note Date, time, file name, or size information could change during installation. See the Verifying Update Installation section for details about how to verify an installation.

Exchange Server 2003 Enterprise Edition and Exchange Server 2003 Standard Edition:

Date         Time   Version        Size     File name

-----------------------------------------------------

09-Sep-2004  09:35  6.5.6980.98    823,808  Reapi.dll

Verifying Update Installation

Prerequisites
This security update requires Exchange 2000 Server Service Pack 3 with the Exchange 2000 Server Post-Service Pack 3 (SP3) Update Rollup. For more information, see Microsoft Knowledge Base Article 870540. To download the prerequisite update, visit this Web site.

Inclusion in Future Service Packs:
The update for this issue will be included in any future Service Pack or Update Rollup for Exchange 2000 Server Service Pack 3.

Installation Information

This security update supports the following setup switches:

      /help                 Displays the command line options

Setup Modes

      /quiet                Quiet mode (no user interaction or display)

      /passive            Unattended mode (progress bar only)

      /uninstall          Uninstalls the package

Restart Options

      /norestart          Do not restart when installation is complete

      /forcerestart      Restart after installation

Special Options

      /l                        Lists installed Windows hotfixes or update packages

      /o                       Overwrite OEM files without prompting

      /n                       Do not back up files needed for uninstall

      /f                        Force other programs to close when the computer shuts down

      /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Server:

Exchange2000-KB890066-x86 /passive /quiet

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Server:

Exchange2000-KB890066-x86 /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

You do not have to restart your computer after you apply this security update.

However, the installer will restart Internet Information Services (IIS) and all dependent services. Therefore, we recommend that you apply this security update at a time when there are no users using any Exchange services on the system. Also, the restart of IIS stops the routing engine and the SMTP component if the front-end Exchange server is tasked with this role. Therefore, no e-mail messages will be routed during this restart of the IIS service. This includes incoming and outgoing SMTP e-mail traffic. The File Transfer Protocol (FTP) and Network News Transfer Protocol (NNTP) services will also be affected.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall890066$\Spuninst. The Spuninst.exe utility supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Exchange 2000 Server:

Date         Time   Version      Size    File name

--------------------------------------------------

30-Nov-2004  12:09  6.0.6617.25  532480  Reapi.dll

Verifying Update Installation