Signature Detail

SMTP: Microsoft Exchange Malformed Intra-Exchange Verb

This signature detects attempts to exploit a known vulnerability in Microsoft Exchange Server 5.5 and 2000. It is due to the command verb "Xexch50," which is valid only for communication between validated Exchange servers, is handled incorrectly. Attackers can send the command verb with a negative number or a very large positive number to crash the Exchange server, and, in extreme cases with Exchange Server 2000, can also take control of the server.

Extended Description

Microsoft has announced that Exchange Server is affected by a remotely exploitable buffer overflow condition. The overflow can be triggered remotely by unauthenticated SMTP clients. The source of the issue appears to be in how the XEXCH50 verb is handled by the server. Microsoft has stated that remote code execution is possible on hosts running Exchange 2000 Server. Servers running Exchange Server 5.0 and 5.5 are vulnerable to a denial of service attack.

Affected Products

• Microsoft Exchange Server 5.0
• Microsoft Exchange Server 5.0 SP1
• Microsoft Exchange Server 5.0 SP2
• Microsoft Exchange Server 5.5
• Microsoft Exchange Server 5.5 SP1
• Microsoft Exchange Server 5.5 SP2
• Microsoft Exchange Server 5.5 SP3
• Microsoft Exchange Server 5.5 SP4
• Microsoft Exchange Server 2000 SP1
• Microsoft Exchange Server 2000 SP2
• Microsoft Exchange Server 2000 SP3
• Microsoft Exchange Server 2000 SP3
• Microsoft Exchange Server 2000

References

• BugTraq: 8838
• CERT: CA-2003-27
• CVE: CVE-2003-0714
• URL: http://www.microsoft.com/technet/security/bulletin/MS03-046.asp