The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerability in the Microsoft Collaboration Data Objects Allows Remote
Code Execution (MS05-048)
------------------------------------------------------------------------
SUMMARY
A remote code execution vulnerability exists in Collaboration Data Objects
that could allow an attacker who successfully exploited this vulnerability
to take complete control of the affected system.
DETAILS
Affected Software:
* Microsoft Windows 2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AE0BA6D7-37AF-46E8-9E25-AB63883FA944>
Download the update (KB901017)
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E0DAF2D1-656C-4580-94C1-8AB009B4AD4F>
Download the update (KB901017)
* Microsoft Windows XP Professional x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D389EF4D-583D-41C0-9081-844D348F3817>
Download the update (KB901017)
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1BC06799-B9F5-416F-8965-DC0E07A24A29>
Download the update (KB901017)
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=956FFD90-60AF-4296-8765-F0A17A77DB77>
Download the update (KB901017)
* Microsoft Windows Server 2003 x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5504C410-CDCB-4826-B002-DBA0E3A402A4>
Download the update (KB901017)
* Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000
Post-Service Pack 3 Update Rollup of August 2004 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=60FD0DDC-04B7-4879-930B-53375823CD51>
Download the update (KB906780)
Non-Affected Software:
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
* Microsoft Exchange Server 5.5
* Microsoft Exchange Server 2003
* Microsoft Exchange Server 2003 Service Pack 1
For more information about Exchange 2000 Server Post-Service Pack 3 Update
Rollup see Microsoft Knowledge Base Article
<http://support.microsoft.com/kb/870540> 870540.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1987>
CAN-2005-1987
Mitigating Factors for Collaboration Data Objects Vulnerability:
* By default, Microsoft Internet Information Services (IIS) 5.0 Simple
Mail Transfer Protocol (SMTP) and the Exchange 2000 Server SMTP service do
not use the event sinks, which use the Cdosys.dll file and the Codex.dll
file.
* By default, IIS 6.0 is not enabled on Windows Server 2003.
* IIS 6.0, when enabled, does not enable SMTP by default.
Workarounds for Collaboration Data Objects Vulnerability:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.
* Disable all event sinks that are enabled on Exchange 2000 Server and on
servers that are running IIS:
Disabling all event sinks will help protect the affected system from
attempts to exploit this vulnerability. To disable the any custom or
third-party event sinks, follow these steps:
1. Use the cscript.exe smtpreg.vbs /enum command-line command to enumerate
all the registered event sinks. Examine the output of this command and
look for custom or non-Microsoft software event sink entries.
2. After you identify the event sink that you want to disable, run the
following command at a command prompt:
cscript.exe smtpreg.vbs /disable
Impact of Workaround: The custom or third-party application that has
created the event sink in the SMTP service will not work correctly until
the event sink is re-enabled.
* Unregister the Cdoex.dll file and the Cdosys.dll file on Exchange 2000
Server and unregister the Cdosys.dll file on servers that are running IIS:
* Unregistering the Cdoex.dll file and the Cdosys.dll file helps protect
the affected system from attempts to exploit this vulnerability.
To disable the Cdoex.dll file and the Cdosys.dll file for Exchange 2000
Server, follow these steps.
Important You must follow these steps in the following order.
1. Run the following command at a command prompt:
Regsvr32.exe C:\Program Files\Common Files\Microsoft Shared\CDO\cdoex.dll
/u
2. Run the following command at a command prompt:
Regsvr32.exe %windir%\system32\cdosys.dll /u
To disable the Cdosys.dll file for servers that are running IIS, type the
following command at a command prompt:
1. Regsvr32.exe %windir%\system32\cdosys.dll /u
Impact of Workaround: Unregistering COM objects breaks programs that
depend on the Cdosys.dll file or the Cdoex.dll file.
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.
What causes the vulnerability?
An unchecked buffer in Collaboration Data Objects (CDO).
What is Collaboration Data Objects?
Collaboration Data Objects (CDO) is a Component Object Model (COM)
component designed to, among other functions, make it easier to write
programs that create or change Internet mail messages.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.
Who could exploit the vulnerability?
On Microsoft Windows or Microsoft Exchange 2000 Server, any anonymous user
who could deliver a specially crafted message to the affected system could
try to exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could attempt to exploit the vulnerability by creating a
specially crafted message that would be processed by CDOSYS or CDOEX on an
affected system. This message would most commonly be delivered through
SMTP.
What systems are primarily at risk from the vulnerability?
Microsoft Windows and Microsoft Exchange 2000 are primarily at risk from
this vulnerability if applications that call functions in CDOSYS or CDOEX
are used to process messages.
What does the update do?
The update removes the vulnerability by modifying the way that CDO
validates the length of a message before it passes the message to the
allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
