Re: Microsoft Exchange hole "critical"

[InfoSec News <isn () c4i org>]

Forwarded from: Saso Virag <svirag () aspac uu net>

In message InfoSec News writes:

> http://news.com.com/2100-1001-928055.html?tag=fd_top
>
> By David Becker 
> Staff Writer, CNET News.com
> May 29, 2002, 3:30 PM PT


> Malformed messages created using RFC 821 and 822, versions of the
> SMTP format commonly used by e-mail programs, can cause the CPU of
> the server receiving the message to run at 100 percent as it
> attempts to read the message.

Funnily enough, RFC 821 defines SMTP and RFC 822 defines how an e-mail
message must look. I wonder how e-mail servers would work if they
didn't conform to those two - now obsoleted by RFC 2822 and 2821 -
standards.

> The result would be a denial-of-service attack, with the affected
> server unable to do anything until it finishes processing the
> message.

This seems like a far bigger issue than Exchange not properly handling
malformed SMTP headers.

> "Once the process starts, you can't stop it," he said, adding that
> it could take a server anywhere from a few seconds to a few hours to
> process a message. "The key here is that once the system gets hold
> of that message, it's got to deal with it."

The key issue here is, that systems administrator can't manually
override the process and perhaps manually correct the problem. Badly
engineered software.

> The bulletin noted that creating such messages would require
> specialized knowledge and software, as common e-mail clients such as
> Outlook are incapable of creating RFC 821 or 822 content.

:-) Common mail clients MUST be capable of creating e-mail messages
conforming to RFC 821 and 822.

Specialized knowledge and software? Yes, you need to read RFCs
mentioned above and grok them. You also need to have a telnet client.
Hardly specialized knowledge and software, is it? RFC is public
document and telnet clients come with _every_ MS OS after 1995 or so.

> "You'd have to be fairly sophisticated," Budd said. "This is not
> something where somebody opens an e-mail client, puts a few bad
> characters in a message, and sends it. It would basically require
> someone to know the language of SMTP."

Wooo. It takes spe-cia-li-zed knowledge. FUD at it's best.

> Microsoft urged system administrators to promptly patch any Exchange
> 2000 servers.

Patch for this particular vulnerability? How about another patch
giving administrators means to manually take the wrench out of the
works before it completely destroys everything?

Cheers,

Saso



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.