
A Vulnerability in Windows Server 2003 Mail Server Component Could Allow Remote Code Execution (MS04-035)

Attack ID: CPAI-2004-49
Publish Date:
Last Update:
Category: Remote Code Execution Vulnerabilities
Vulnerable Systems: Microsoft Windows XP 64 Bit Edition Version 2003;
Microsoft Windows Server 2003;
Microsoft Windows Server 2003 64-Bit Edition;
Microsoft Exchange Server 2003 and Microsoft Exchange Server SP1 when installed on Microsoft Windows Server 2003 (uses the Windows 2003 SMTP component);
Microsoft Exchange Server 2003 when installed on Microsoft Windows 2000 SP3 or Microsoft Windows 2000 SP4


Source:

Microsoft Security Bulletin MS04-035

Description:

A remote code execution vulnerability exists in the Windows Server 2003 mail server component because of the way that it handles DNS response messages sent over TCP. The mail server component provided with the affected software (Windows Server 2003 and Windows XP) is heavily dependent upon the Domain Name System (DNS) naming resolution system to deliver mail to a remote user. When the mail server component receives a malicious DNS reply message, it may crash or execute arbitrary code.

Severity:
Details:

The Microsoft Windows Server 2003 SMTP component installed on Windows XP and Windows Server 2003 does not properly process DNS lookup responses. The vulnerability is caused by an unchecked buffer in the Windows SMTP component and in the Exchange Routing Engine component. A remote user with control over a DNS server or with the ability to spoof a DNS server can have the DNS server provide a specially crafted lookup response to the target system to execute arbitrary code on the target system. This code will run with System level privileges. The vulnerability occurs only when DNS reply messages are sent over TCP.  

An attacker who successfully exploited this vulnerability could take complete control of the affected system or could cause the SMTP component, and other services that are hosted by Internet Information Services on the same system, to repeatedly fail.

Attack Detection:

Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect who have performed the Update outlined below will be able to identify this attack by the following logging entries:

Users of R55:

Users of R55 will receive rule numbers 99653 and 99654 in their log viewer:

  • Rule 99653 - Excessive number of Resource Records detected in reply
  • Rule 99654 - DNS over TCP reply packet too short

Logs for R55W and InterSpect:

Attack Name: DNS Enforcement Violation
Attack Information may vary:

  • Resource Records Enforcement - Excessive number of Resource Records detected in reply
  • Resource Records Enforcement - Excessive number of Authority Resource Records detected in reply
  • Resource Records Enforcement - Excessive number of Additional Resource Records detected in reply
  • Resource Records Enforcement - DNS over TCP reply packet too short

Solution:

Users of VPN-1 NG with Application Intelligence R55 and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window.

Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window.

The Update adds a new leaf, Resource Records Enforcement, under the SmartDefense DNS branch (Application Intelligence > DNS in the SmartDefense navigation tree; see image below). The new protection provides the ability to set maximum values for the Answer, Authority and Additional Resource Records (RR) allowed in a reply to a DNS query sent over TCP.

The suggested default number is 20.
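The two checks the protection performs, the TCP length prefix versus the bytes actually received and the three header RR counts against the suggested maximum of 20, can be reproduced on a captured reply. The following is an added example written for this page, not Check Point's implementation; the sample reply for mail.example.com is constructed, as the advisory gives no packet capture.

```python
import struct

# Threshold from the advisory: SmartDefense suggests at most 20 records
# in each of the Answer, Authority and Additional sections.
MAX_RR = 20
DNS_HEADER_LEN = 12  # RFC 1035 section 4.1.1: ID, flags, QD/AN/NS/AR counts


def check_dns_tcp_reply(segment: bytes, max_rr: int = MAX_RR) -> list:
    """Return the enforcement violations found in one DNS-over-TCP reply.

    Over TCP each DNS message is preceded by a two-byte big-endian length
    (RFC 1035 section 4.2.2). An empty list means the reply passes.
    """
    violations = []
    if len(segment) < 2:
        return ["DNS over TCP reply packet too short"]
    declared_len = struct.unpack("!H", segment[:2])[0]
    message = segment[2:2 + declared_len]
    # The message must be as long as the prefix claims and at least hold a header.
    if declared_len < DNS_HEADER_LEN or len(message) < declared_len:
        return ["DNS over TCP reply packet too short"]
    _txid, _flags, _qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", message[:DNS_HEADER_LEN])
    # Header counts are checked as-is: an inflated count is the signature of
    # a reply the vulnerable component would try to parse past its buffer.
    for section, count in (("Resource Records", ancount),
                           ("Authority Resource Records", nscount),
                           ("Additional Resource Records", arcount)):
        if count > max_rr:
            violations.append(
                f"Excessive number of {section} detected in reply ({count} > {max_rr})")
    return violations


def build_reply(ancount: int, nscount: int, arcount: int,
                payload: bytes = b"", declared_len=None) -> bytes:
    """Constructed sample: a reply header with the given counts plus payload,
    prefixed with the TCP length field (or a bogus one when declared_len is set)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, ancount, nscount, arcount)
    message = header + payload
    length = len(message) if declared_len is None else declared_len
    return struct.pack("!H", length) + message


if __name__ == "__main__":
    # Constructed question and A record for mail.example.com (placeholder data).
    qname = b"\x04mail\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    print(check_dns_tcp_reply(build_reply(1, 0, 0, question + answer)))  # []
    print(check_dns_tcp_reply(build_reply(500, 0, 0, question)))
    print(check_dns_tcp_reply(build_reply(1, 0, 0, question, declared_len=200)))
```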

Industry Reference:
Additional Information:

CAN-2004-0840