Opinion: Exchange 2000, 2003 in Danger

Microsoft released eight security bulletins in April. According to our analysis, one is critical, one important and another noteworthy. The rest can be applied with the next service pack or major version upgrade.

The critical one is MS05-021: Buffer overflow in Microsoft Exchange 2000 and 2003 SMTP service. The Exchange SMTP service uses proprietary Extended SMTP (ESMTP) protocol commands, or verbs, to support a variety of services. Amongst them is the X-Link2State verb, which provides an Exchange environment the ability to perform dynamic routing. Should one Exchange server in the routing environment fail or become unavailable, X-Link2State messages, via the SMTP protocol, advise all other Exchange servers so they can recalculate how to reroute e-mail. X-Link2State messages can contain a maximum of 1024 bytes of information, but it's possible to craft a malformed message which overflows a buffer and allow code of the attacker's choice to run.

Exchange 2000 servers are much more vulnerable to this attack than Exchange 2003, for several reasons. First, Exchange 2000, unlike Exchange 2003, is vulnerable to attacks by anonymous connections to port 25 (used by SMTP). Another factor is that Exchange 2003 requires issuing the X-Link2State verb within an authenticated session, and Exchange Service-level permissions are necessary, which are even higher level than standard Administrator privileges.

The most effective way to mitigate this risk -- and all risks with ESMTP handling on Exchange servers -- is to filter traffic prior to it reaching the Exchange server. Exchange 2003 requires an authenticated session for the proprietary ESMTP verbs, but no such security is available with Exchange 2000.

It's possible to use the IIS Metabase (a database of operational parameters for IIS which includes SMTP) to filter some, but not all, ESMTP verbs with Exchange 2000. Care should be taken when performing such filtering, since it could result in Exchange servers becoming unavailable should network or server disruptions occur. However, in Active Directory environments, AD itself will provide updated routing information periodically (usually every hour) if X-Link2State is no longer accepted.

Cybertrust expects to see this vulnerability attacked, most likely quietly by would-be spammers hoping to own the Exchange server to deliver their spam. Although the Exchange 2000 vulnerability could support a worm, it's unlikely that there are enough servers exposed to make such an effort significant.

MS05-022: Buffer overflow in graphics processing within MSN Messenger. Like so many other products, GIF processing within MSN Messenger can result in a buffer overflow which would permit remote code of the attacker's choice to be executed simply by rendering the GIF.

If it weren't for the fact this has such huge potential for exploitation, it wouldn't even get a mention. Many other products have proven vulnerable to this same attack technique, yet none have been attacked. Regardless, this doesn't diminish the potential for an en masse attempt.

In corporate environments, the use of any instant messaging platform should be controlled, ideally through an internal server to which all clients must connect. This gives the company the ability to filter traffic, including the inspection of graphic images. If this isn't done, access to the central servers for the IM service should be blocked by IP address on all protocols. This will prevent IM products that look for alternative protocols from finding a path to the desired servers.

Other recent security developments …

Denial of Service

Fernando Gont published several Internet Engineering Task Force (IETF) drafts pertaining to the abuse of ICMP as an attack vector. As a result, numerous Linux/Unix Vendors, as well as Microsoft, announced vulnerabilities in their TCP/IP stacks related to the handling of ICMP packets. So far, the vulnerabilities all result in Denial of Service conditions on the affected platforms.

Malicious Code

There's been another malware distribution attempt purporting to be from Microsoft. Attackers sent spam to victims claiming to be from Microsoft and providing a link to a site; once there, the site delivers the DSNX-05 Trojan. The trojan allows the criminals to remotely control their victim's machines.

Unfortunately Microsoft, especially Priority Support Services, still sends links in unsigned e-mails. Quick Fix Engineering (QFE) Hotfixes, provided only to customers who have opened a trouble ticket regarding some particular issue, are still delivered via a link to an FTP/HTTP site, with a password. Such messages are typically not signed (either PGP or S/MIME.)

Adding to the difficulty is the fact that Microsoft's PGP-signed messages usually result in an invalid signature after PGP tries to validate it; Microsoft's list processing software modifies the message after it's signed but before it's sent, making the PGP signature virtually useless.

It used to be that you'd get an attachment with such malware attempts, but the attackers know that attachments are becoming less effective. Using vulnerabilities in Internet Explorer (IE) works reasonably well, but if you can convince a victim to download and install something he believes is a patch, you don't need to exploit browser vulnerabilities; the victim is the vulnerability.

Moral of the story: If you ever get a patch notification from Microsoft, never use the link supplied. Just type "" in your browser to go to the official source.

Human Factors

Three ex-employees of Indian outsourcer MPHasis have been arrested on charges of collecting and misusing account information to steal more than $300,000 from four Citibank account holders.

Given the way India is promoting itself as a highly-skilled outsourcing center, expect to see serious repercussions for such a crime. Although such crimes are frequently committed in the United States as well, American companies contemplating Indian outsourcing firms often hesitate after realizing the amount of information they have to yield to the Indian companies.


One of the Top 10 spammers in the world at the time of his arrest was sentenced to nine years in a Virginia prison under a law which came into effect two weeks before his arrest. Jeremy Jaynes made $750,000 per month sending out 10 million spam messages a day, according to prosecutors. The judge has deferred sentencing, pending an appeal.

Russ Cooper is a Senior Information Security Analyst with Cybertrust, Inc., He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most- recognized security experts, he's often quoted by major media outlets on security issues.

Russ Cooper's Security Watch column appears every Monday in the Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.


comments powered by Disqus

Subscribe on YouTube