What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who was able to successfully make a direct connection to an Exchange 2000 Server and pass raw, hand-crafted mail messages directly to it could seek to exploit this vulnerability and cause the system to become unresponsive.
The vulnerability would not enable the attacker to gain any privileges on the system, nor to read, send or delete any user's mail on the system. Once the message had been processed, the system would return to normal.
What causes the vulnerability?
The vulnerability results from a flaw in how Exchange 2000 handles mail messages with certain malformed message attributes. Instead of rejecting the malformed messages immediately, the Exchange 2000 Store Service attempts to process the message. In attempting to process the message, the Exchange 2000 Store Service utilizes all available CPU, and prevents any other services on the server from functioning during this period.
What is the Exchange 2000 Store Service?
The Store is one of the core services in Exchange 2000. It provides storage for the information contained in mailboxes and public folders in Exchange 2000.
To this end, it also provides message handling capabilities, to deliver messages to and from mailboxes and public folders.
What are Mail Attributes?
An email message consists of several standard elements. For example, each message has a "recipient" in the "to" line, a subject or title in the "subject" line, and a message body. These elements are commonly referred to as attributes.
Since Exchange mail messages can be sent to other, non-Exchange systems, Exchange uses standardized mail attributes to describe these elements. In using these standardized attributes, it is possible for non-Exchange systems to correctly recognize and handle Exchange messages. For example, by using a standardized "to" attribute, Exchange and non-Exchange systems can recognize a message recipient, and handle that information appropriately.
RFC 822 describes these standardized mail attributes.
What's wrong with how Mail Attributes are handled in Exchange 2000?
When Exchange 2000 receives a mail message with an attribute that's been malformed in a particular way, it attempts to process the message, rather than rejecting it immediately. As the Store service attempts to process the message, it utilizes 100% of the system's CPU. In so doing, it creates a denial of service condition, because no other processing can occur on the system until the Store has successfully processed the message.
What would this vulnerability enable the attacker to do?
An attacker could seek to exploit this vulnerability to intentionally prevent an Exchange server from providing mail services, or any other service it might provide.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by establishing a direct connection to the server and then passing a raw, hand-crafted mail message with a specially malformed attribute.
What do you mean when you say that the attacker would need to establish a direct connection to the server?
When mail is transferred, the sending server connects directly to the receiving server. Once the servers are connected, mail is passed from the sender to the receiver directly. To exploit this vulnerability, an attacker would have to make a similar direct connection to the target server. Once directly connected, the attacker could pass the malformed message.
What do you mean when you say that the attacker would need to use a raw, hand-crafted message to exploit this vulnerability?
In addition to the message attributes that a user can specify such as "subject", there are other attributes that are controlled by the server. The flaw affects how one of these server-controlled attributes is handled. Because of this, it is not possible for an attacker to use a standard mail client such as Outlook or Outlook Express to craft the malicious message. Instead, the attacker would need to be able to completely hand-craft a raw mail message and then pass that message through a direct connection to the server.
How long would an attack last?
Because of the specifics of the underlying flaw, the effects of an attack would last until the message had been fully and completely processed by the system. The specific length of time this would require would vary, depending on the particular message that was passed to the server.
Can I stop and restart the Store service to resume normal processing?
No. In this particular case, once the message has been accepted by the Store service, and processing on it has begun, normal service would not resume until the message had been completely processed by the system.
This is because the Store function that processes messages takes sequential priority over other Store operations. Because of this, the Store immediately begins to process the message again after a restart. Because the processing of the message commands 100% of the CPU, it is impossible to invoke the other Store functions that could normally be used to clear the message. The net result is that once processing of the malformed message begins, there is no way to abort it. The Store must process the malformed message normally.
Can I reboot the server to resume the mail service?
No. Rebooting in this case would have the same effect as stopping and restarting the service. As in that case, the Store would immediately resume processing the malformed message as soon as it started.
Is it possible to create a message that exploits this vulnerability by accident?
No. The particulars of this issue are such that a message that exploits this vulnerability would have to be specially constructed with malicious intent.
Could the attacker use this vulnerability to gain any privileges on the system, or to read users' mail?
No. The vulnerability only enables an attacker to cause the server's CPU to spike to 100%. There's no opportunity here to gain privileges or compromise data on the server.
Does the vulnerability affect Exchange Server 5.5?
No. Exchange 5.5 is not affected by the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the Exchange 2000 Store immediately rejects messages with malformed attributes.
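As an added example (not Microsoft's or Exchange's code), the following Python validator illustrates the behaviour the patch restores and that the RFC 822 answer above relies on: header attributes are checked for syntax and size at the boundary, and a malformed message is rejected before any processing starts. The bulletin does not identify the specific attribute or malformation, so the checks, limits and sample messages here are constructed and general RFC 822 rules.

```python
import re

# RFC 822 field-name: any printable US-ASCII except SPACE and ':' (octets 33-57, 59-126)
FIELD_LINE = re.compile(r"^([\x21-\x39\x3B-\x7E]+):(.*)$")
MAX_LINE_OCTETS = 998       # RFC 2822 hard limit on one line, excluding CRLF
MAX_HEADER_OCTETS = 65536   # constructed ceiling on the whole header block
MAX_FIELDS = 256            # constructed ceiling on the number of fields

class MalformedMessage(ValueError):
    """First syntax or size violation found; the caller rejects rather than retries."""

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased field name: [unfolded values]} or raise MalformedMessage.
    Each check is linear in header size, so validation itself stays cheap."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedMessage("header block not terminated by an empty line")
    if len(head) > MAX_HEADER_OCTETS:
        raise MalformedMessage("header block too large")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise MalformedMessage("non-ASCII octet in header block") from exc
    fields, current, nfields = {}, None, 0   # current = field a folded line continues
    for lineno, line in enumerate(text.split("\r\n"), 1):
        if len(line) > MAX_LINE_OCTETS:
            raise MalformedMessage(f"line {lineno} exceeds {MAX_LINE_OCTETS} octets")
        if any(ord(c) < 0x20 and c != "\t" for c in line):
            raise MalformedMessage(f"control character on line {lineno}")
        if line[:1] in (" ", "\t"):          # folded continuation (RFC 822 section 3.1.1)
            if current is None:
                raise MalformedMessage("continuation line before any header field")
            fields[current][-1] += " " + line.strip()
            continue
        m = FIELD_LINE.match(line)
        if m is None:
            raise MalformedMessage(f"line {lineno} is not 'field-name: value'")
        nfields += 1
        if nfields > MAX_FIELDS:
            raise MalformedMessage("too many header fields")
        current = m.group(1).lower()
        fields.setdefault(current, []).append(m.group(2).strip())
    return fields

def accept_for_delivery(raw: bytes):
    """Boundary gate: (True, headers) when well-formed, else (False, reason)."""
    try:
        return True, parse_headers(raw)
    except MalformedMessage as exc:
        return False, str(exc)
```

The point is the ordering: the whole header block is validated and either accepted or refused before the message is handed to any component that would spend significant CPU on it.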