TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin MS03-046

Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)

Issued: October 15, 2003
Updated: April 13, 2004
Version Number: 2.0

See all Exchange Server bulletins released October, 2003

Summary

Who Should Read This Document:  
System administrators who have servers running Microsoft® Exchange Server

Impact of Vulnerability:  
Remote Code Execution

Maximum Severity Rating:  
Critical

Recommendation:  
System administrators should apply the security patch to Exchange servers immediately

Patch Replacement:  
None

Caveats:  
None

Tested Software and Patch Download Locations:

Affected Software: 

Microsoft Exchange Server 5.0, Service Pack 2 -Download the patch 

Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch 

Microsoft Exchange 2000 Server, Service Pack 3 - Download the patch

Non Affected Software: 

Microsoft Exchange Server 2003

The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.

Top of sectionTop of section

General Information

Technical Details

Technical Description:

Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Exchange Server 5.0. Microsoft has updated the bulletin with additional information about Exchange Server 5.0 and also to direct users to a security update for this additional affected platform. This security update for Exchange 5.0 is a cumulative rollup package that also addresses the vulnerabilities discussed in MS00-082 and MS01-041. You need only install this security update once to be protected against all three vulnerabilities.

In Exchange Server 5.0 and Exchange Server 5.5, a security vulnerability exists in the Internet Mail Service that could allow an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially-crafted extended verb request that could allocate a large amount of memory. This could shut down the Internet Mail Service or could cause the server to stop responding because of a low memory condition.

In Exchange 2000 Server, a security vulnerability exists that could allow an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially-crafted extended verb request. That request could cause a denial of service that is similar to the one that could occur on Exchange Server 5.0 and Exchange Server 5.5. Additionally, if an attacker issues the request with carefully chosen data, the attacker could cause a buffer overrun that could allow the attacker to run malicious programs of their choice in the security context of the SMTP service.

Mitigating Factors: 

Microsoft ISA Server 2000, or third-party products that relay and filter SMTP traffic before forwarding it to Exchange, could be used to prevent this attack over the Internet.

Customers who use ISA Server 2000 to publish Exchange SMTP services with the default SMTP publishing rules are at reduced risk from this attack over the Internet. The Workarounds section below discusses these ISA publishing rules.

Severity Rating:

Exchange Server 5.0

Important

Exchange Server 5.5

Important

Exchange 2000 Server

Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability Identifier: CAN-2003-0714

Top of sectionTop of section

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below.

Use SMTP protocol inspection to filter out SMTP protocol extensions. 

There are default ISA publishing rules for Exchange for filtering out any SMTP protocol extensions from traffic that passes the firewall. Other third-party products may offer similar functionality. More information on how to publish an Exchange server computer with ISA Server can be found at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;311237.

Only accept authenticated SMTP sessions. 

If practical, accept only connections from SMTP servers that authenticate themselves by using the SMTP AUTH command.

To require SMTP authentication on an Exchange 2000 server: 

1.

Start Exchange System Manager.

2.

Locate the server in the organization tree.

3.

Expand the Protocols container for the server.

4.

Expand the SMTP container.

5.

For each SMTP virtual server:

Open the properties and of the virtual server object.

Click the Access properties page.

Click the Authentication button.

Clear the "Anonymous Access" checkbox.

Click OK to accept the change.

To require SMTP authentication on an Exchange 5.5 server: 

To require authentication for inbound connections:

1.

Click the Connections page.

2.

In the "Accept Connections" Section, mark the radio button for "Only from hosts using Authentication."

Impact of Workaround: Typically, inbound SMTP mail is accepted without requiring authentication from the sender. If you require authentication, only senders that can present authentication credentials will be able to send mail to you.

The Exchange 5.0 Internet Mail Service does not support mandatory authentication for inbound connections. However, it is possible to configure the Internet Mail Connector to accept mail only from designated IP addresses. If you do this, you will only be able to receive inbound mail from the servers you have specifically allowed.

To configure Exchange 5.0 to accept mail only from designated hosts:

Start Exchange Administrator and open the properties of the Internet Mail Service object.

On the Connections page, select "Accept or reject by host" and then specify the hosts from which you will accept mail.

Use a firewall to block the port that SMTP uses. 

Use a firewall to block the port that SMTP uses. Typically, that is port 25.

Impact of Workaround : This workaround should only be used as a last resort to help protect you from this vulnerability. This workaround may directly affect the ability to communicate with external parties by e-mail.

For additional information about how to help make your Exchange environment more secure, visit the Security Resources for Exchange 5.5 and Security Resources for Exchange 2000 Web sites.

Top of sectionTop of section

Frequently Asked Questions

Why is Microsoft reissuing this bulletin?
Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Exchange Server 5.0. Microsoft has updated the bulletin with additional information about Exchange Server 5.0 and also to direct users to an update for this additional affected platform. This update for Exchange 5.0 is a cumulative rollup package that also addresses the vulnerabilities in discussed in MS00-082 and MS01-041. You need only install this security update once to be protected against all three vulnerabilities.

What is the scope of this vulnerability?
In Exchange Server 5.0 and Exchange Server 5.5, this is a denial of service vulnerability because an unauthenticated attacker could exhaust large amounts of memory on the server or could cause the Internet Mail Service to shut down. There is no buffer that is overrun in this version of Exchange.
In Exchange 2000 Server, this is a buffer overrun vulnerability that could allow an unauthenticated attacker to exhaust large amounts of memory on the server or, at worst, run arbitrary code of their choice on the affected system in the security context of the Local System account.

What causes the vulnerability?
In Exchange Server 5.0 and Exchange Server 5.5, an unauthenticated attacker could issue a specially crafted SMTP extended verb request to allocate large amounts of memory.
In Exchange 2000 Server, an unauthenticated attacker could issue a specially crafted SMTP extended verb request to exploit an unchecked buffer.

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivering e-mail over the Internet, as defined in RFC 2821 and in RFC 2822. The protocol defines the format of e-mail messages, the fields that are in e-mail messages, the contents of e-mail messages, and the handling procedures for e-mail messages.

What are SMTP extended verbs?
SMTP extended verbs are defined by the extension model that is defined in RFC 2821. They allow addition of new functionality to the SMTP protocol. Microsoft Exchange uses an extended verb to communicate routing and other Exchange-specific information among Exchange servers in an Exchange environment.

What is wrong with the way that Exchange handles SMTP extended verbs?
In Exchange Server 5.0 and Exchange Server 5.5, the Internet Mail Service does not require the authentication used between Exchange servers within an Exchange organization before it allows the use of an extended verb to transfer certain information among Exchange servers in the Exchange organization.
In Exchange 2000 Server, the SMTP service does not require the authentication used between Exchange servers within an Exchange organization before it allows the use of an extended verb to transfer certain information among Exchange servers in the Exchange organization. Additionally, the SMTP service does not correctly allocate a buffer for this information.

What would this vulnerability enable an attacker to do?
The vulnerability could allow an unauthenticated attacker to exhaust large amounts of memory on the server. This could cause a state where the server would stop responding to requests. In Exchange 2000 Server, the attacker could also, in the worst case, be able to cause remote code execution.

How could an attacker exploit this vulnerability?
An unauthenticated attacker could seek to exploit this vulnerability by connecting to an SMTP port on the Exchange server and by issuing a specially-crafted extended verb request. These requests can allocate memory on the server and can cause a denial of service. In Exchange 2000 Server, it is also possible to craft the request causing the SMTP service to fail in such a way that an attacker could execute code. This could allow an attacker to take any action on the system in the security context of the SMTP service. By default, the SMTP service runs as Local System.

Because Exchange 2000 Server uses the Windows 2000 SMTP service, does the vulnerability affect the SMTP service in Windows 2000?
No. The vulnerability does not affect the Microsoft SMTP service on systems that are running Windows 2000 that do not have Exchange 2000 Server installed.
The vulnerability also does not affect the Microsoft SMTP services that can be installed on Windows NT® Server 4.0 or on Windows XP.

Does the vulnerability affect the SMTP service in Exchange Server 2003?
No. The SMTP service in Exchange Server 2003 only accepts the SMTP extended verb request from Exchange servers within the same Exchange organization.

Can this be exploited directly by using e-mail?
No. This vulnerability could not be exploited by sending a specially-crafted e-mail message to a mailbox that is hosted on an Exchange server. An attacker would have to connect directly to the SMTP port on an Exchange server.

What does this patch do?
For Exchange Server 5.0 and Exchange Server 5.5 the patch removes the vulnerability by requiring that the authentication used between Exchange servers within an Exchange organization is used before an Exchange server accepts the SMTP extended verb requests.
For Exchange 2000 Server the patch removes the vulnerability by requiring that the authentication used between Exchange servers within an Exchange organization is used before an Exchange server accepts the SMTP extended verb requests. Additionally, this patch implements correct input validation in the affected buffer.

Does this patch introduce any behavioral changes?
Yes. In order to use the Exchange extended verb, the patch requires authenticated SMTP connections between Exchange servers within an Exchange organization.
Exchange servers automatically authenticate to other Exchange servers that are in the same Exchange organization. Therefore, Exchange servers typically do not require configuration changes.

Top of sectionTop of section

Security Patch Information

Exchange 2000 Server Service Pack 3

Prerequisites: 

This security patch requires Exchange 2000 Server Service Pack 3.

Inclusion in service packs: 

The fix for this issue is included in the Exchange 2000 Post-Service Pack 3 (SP3) Rollup Patch.

Installation Information: 

This security patch supports the following Setup switches:

/?: Show the list of installation switches.

/u: Use Unattended mode.

/f: Force other programs to quit when the computer shuts down.

/n: Do not back up files for removal.

/o: Overwrite OEM files without prompting.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

/l: List the installed hotfixes.

/x: Extract the files without running Setup.

Deployment Information 

To install the security patch without any user intervention, use the following command line:

Exchange2000-KB829436-x86-enu /u /q /z

Restart Requirement:

No reboot is required provided all applications are closed before installation (including applications opened via a terminal server session). However, the security patch will restart the IIS, SMTP, and the Exchange Server Information Store Service.

System managers should therefore carefully plan applying this patch to cause minimal impact on normal operations.

Removal Information:

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall829436$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

DateTimeVersionSizeFile NameFolder

15-Jul-2003

22:49

6.0.6487.1

131072

drviis.dll

%EXSRVROOT%\bin

15-Jul-2003

22:55

6.0.6487.1

307200

exsmtp.dll

%EXSRVROOT%\bin

15-Jul-2003

22:48

6.0.6487.1

94208

peexch50.dll

%EXSRVROOT%\bin

15-Jul-2003

22:48

6.0.6487.1

393216

phatcat.dll

%EXSRVROOT%\bin

Verifying Patch Installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2000\SP4\829436

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 829436 security patch into the installation source files.

Top of sectionTop of section

Exchange Server 5.5 Service Pack 4

Prerequisites: 

This security patch requires Exchange Server 5.5 Service Pack 4.

Installation Information: 

For additional information about the command options that you can use to apply this update, click the article number below to view the article in the Microsoft Knowledge Base:

257946 XGEN: GUI Hotfix Utility Switches /x /m /s /z

For example, the following command line installs the update without any user intervention, and does not force the computer to restart:

Exchange5.5-KB829436-x86-enu /s

Deployment Information 

To install the security patch without any user intervention, use the following command line:

xchange5.5-KB829436-x86-enu /s

Restart Requirement:

The Microsoft Exchange Internet Mail Connector and all dependent services will be stopped to apply this hotfix and will be restarted before finishing. After the installation is complete, verify that all necessary Exchange services have been restarted.

System managers should therefore carefully plan applying this patch to cause minimal impact on normal operations.

Removal Information:

To remove this update, use the Add or Remove Programs tool in Control Panel or issue the following command in a console window:

%EXCHSRVR%\829436\UNINSTALL\UNINST.EXE

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

DateTimeVersionSizeFile NameFolder

01-Oct-2003

20:03

5.5.2657.72

504080

msexcimc.exe

%EXSRVROOT%\connect\msexcimc\bin

01-Oct-2003

20:04

5.5.2657.72

209680

imcmsg.dll

%EXSRVROOT%\res

Verifying Patch Installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\829436

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 829436 security patch into the installation source files.

Top of sectionTop of section

Exchange Server 5.0 Service Pack 2

Prerequisites:

This security patch requires Exchange Server 5.0 Service Pack 2.

Installation Information:

For additional information about the command options that you can use to apply this update, click the article number below to view the article in the Microsoft Knowledge Base:

257946 XGEN: GUI Hotfix Utility Switches /x /m /s /z

For example, the following command line installs the update without any user intervention, and does not force the computer to restart:

Exchange5.0-KB834130-x86-enu /s

Deployment Information

To install the security patch without any user intervention, use the following command line:

Exchange5.0-KB834130-x86-enu /s

Restart Requirement:

All Exchange services will be stopped to apply this hotfix and will be restarted before finishing. After the installation is complete, verify that all necessary Exchange services have been restarted.

System managers should therefore carefully plan applying this patch to cause minimal impact on normal operations.

Removal Information:

To remove this update, use the Add or Remove Programs tool in Control Panel or issue the following command in a console window:

%EXCHSRVR%\834130\UNINSTALL\UNINST.EXE

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

DateTimeVersionSizefile nameFolder

01-Jan-2004

21:05

0.0.0.0

21832

address.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

21:05

5.0.1462.21

26384

address.dll

%EXSRVROOT%\connect\msexcimc\bin

01-Jan-2004

21:05

5.0.1462.21

26384

address.dll

%EXSRVROOT%\bin

01-Jan-2004

20:51

0.0.0.0

31560

edbback.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

20:51

5.0.1462.21

29456

edbback.dll

%EXSRVROOT%\bin

01-Jan-2004

21:06

0.0.0.0

41916

ems_rid.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

21:06

5.0.1462.21

66320

ems_rid.dll

%EXSRVROOT%\bin

01-Jan-2004

21:21

0.0.0.0

1315112

emsmta.dbg

%SYSTEMROOT%\symbols\exe

01-Jan-2004

21:21

5.0.1462.21

2022672

emsmta.exe

%EXSRVROOT%\bin

01-Jan-2004

21:45

0.0.0.0

542060

mad.dbg

%SYSTEMROOT%\symbols\exe

01-Jan-2004

21:45

5.0.1462.21

574736

mad.exe

%EXSRVROOT%\bin

01-Jan-2004

20:23

0.0.0.0

684

mdbmsg.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

20:23

5.0.1462.21

451856

mdbmsg.dll

%EXSRVROOT%\res

01-Jan-2004

21:24

0.0.0.0

122152

mtacheck.dbg

%SYSTEMROOT%\symbols\exe

01-Jan-2004

21:24

5.0.1462.21

179472

Mtacheck.exe

%EXSRVROOT%\bin

01-Jan-2004

21:06

0.0.0.0

2268

mtamsg.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

21:06

5.0.1462.21

707856

mtamsg.dll

%EXSRVROOT%\res

01-Jan-2004

20:04

0.0.0.0

2259228

store.dbg

%SYSTEMROOT%\symbols\exe

01-Jan-2004

20:04

5.0.1462.21

2476816

store.exe

%EXSRVROOT%\bin

01-Jan-2004

21:05

0.0.0.0

236352

x400om.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

21:05

5.0.1462.21

319248

x400om.dll

%EXSRVROOT%\bin

01-Jan-2004

21:05

0.0.0.0

32552

x400omv1.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

21:05

5.0.1462.21

39184

x400omv1.dll

%EXSRVROOT%\bin

01-Jan-2004

20:41

0.0.0.0

2268

imcmsg.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

20:41

5.0.1462.21

153872

imcmsg.dll

%EXSRVROOT%\res

01-Jan-2004

21:06

0.0.0.0

31480

mmiext.dbg

%SYSTEMROOT%\symbols\dll

01-Jan-2004

21:06

5.0.1462.21

33040

mmiext.dll

%EXSRVROOT%\bin

01-Jan-2004

20:47

0.0.0.0

415516

msexcimc.dbg

%SYSTEMROOT%\symbols\exe

01-Jan-2004

20:47

5.0.1462.12

478480

msexcimc.exe

%EXSRVROOT%\connect\msexcimc\bin

Verifying Patch Installation:

To verify that the security patch is installed on your computer verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.0\SP3\834130

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 834130 security patch into the installation source files.

Top of sectionTop of section
Top of sectionTop of section

Acknowledgments

Microsoft thanks the following for working with us to protect customers:

Joćo Gouveia for reporting the issue described in MS03-046.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".

Patches for consumer platforms are available from the Windows Update web site

Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.

Security Resources:

The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Microsoft Software Update Services: http://www.microsoft.com/sus/ 

Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool.

Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 

Windows Update: http://windowsupdate.microsoft.com 

Office Update: http://office.microsoft.com/officeupdate/

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 October 15, 2003: First Published.

V1.1 October 22, 2003: Removed unnecessary information from "Deployment" in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."

V1.2 November 11, 2003: Corrected file sizes under "Security Patch Information" "Exchange Server 5.5 Service Pack 4". Added information about Exchange 2000 Post-Service Pack 3 (SP3) Rollup Patch.

V2.0 April 13, 2004: Bulletin updated to advise of the availability of an update for Exchange Server 5.0


Top of pageTop of page