Re: [ISN] Microsoft Exchange hole "critical"

From: InfoSec News (isnat_private)
Date: Fri May 31 2002 - 05:08:13 PDT


    Forwarded from: Saso Virag <sviragat_private>
    
    In message InfoSec News writes:
    
    >http://news.com.com/2100-1001-928055.html?tag=fd_top
    >
    >By David Becker 
    >Staff Writer, CNET News.com
    >May 29, 2002, 3:30 PM PT
    
    
    > Malformed messages created using RFC 821 and 822, versions of the
    > SMTP format commonly used by e-mail programs, can cause the CPU of
    > the server receiving the message to run at 100 percent as it
    > attempts to read the message.
    
    Funnily enough, RFC 821 defines SMTP and RFC 822 defines how an e-mail
    message must look. I wonder how e-mail servers would work if they
    didn't conform to those two - now obsoleted by RFC 2822 and 2821 -
    standards.
    
    > The result would be a denial-of-service attack, with the affected
    > server unable to do anything until it finishes processing the
    > message.
    
    This seems like a far bigger issue than Exchange not properly handling
    malformed SMTP headers.
    
    > "Once the process starts, you can't stop it," he said, adding that
    > it could take a server anywhere from a few seconds to a few hours to
    > process a message. "The key here is that once the system gets hold
    > of that message, it's got to deal with it."
    
    The key issue here is that the systems administrator can't manually
    override the process and perhaps manually correct the problem. Badly
    engineered software.
    
    > The bulletin noted that creating such messages would require
    > specialized knowledge and software, as common e-mail clients such as
    > Outlook are incapable of creating RFC 821 or 822 content.
    
    :-) Common mail clients MUST be capable of creating e-mail messages
    conforming to RFC 821 and 822.
    
    Specialized knowledge and software? Yes, you need to read the RFCs
    mentioned above and grok them. You also need to have a telnet client.
    Hardly specialized knowledge and software, is it? RFCs are public
    documents and telnet clients come with _every_ MS OS after 1995 or so.
    
    > "You'd have to be fairly sophisticated," Budd said. "This is not
    > something where somebody opens an e-mail client, puts a few bad
    > characters in a message, and sends it. It would basically require
    > someone to know the language of SMTP."
    
    Wooo. It takes spe-cia-li-zed knowledge. FUD at its best.
    
    > Microsoft urged system administrators to promptly patch any Exchange
    > 2000 servers.
    
    Patch for this particular vulnerability? How about another patch
    giving administrators means to manually take the wrench out of the
    works before it completely destroys everything?
    
    Cheers,
    
    Saso
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri May 31 2002 - 08:08:39 PDT