COMMAND
MS Exchange (LDAP)
SYSTEMS AFFECTED
Win NT with MS Exchange Server 5.5
PROBLEM
ISS X-Force has discovered a buffer overflow exploit against
Microsoft Exchange's LDAP (Lightweight Directory Access Protocol)
server, which allows read access to the Exchange server directory
by using an LDAP client. The overflow is triggered by a malformed
bind request that overflows the buffer and can be used to execute
arbitrary code. This attack can also cause the Exchange LDAP
service to crash. This vulnerability exists in Microsoft Exchange
Server version 5.5.
This exploit occurs during the LDAP binding process. Binding
involves logging in or authenticating to a directory, and consists
of sending a username, a password, and a binding method. There
are two ways to use this vulnerability against an Exchange
server. The first consists of sending a particular type of
invalid LDAP bind packet which will cause an overflow to occur;
this will cause the LDAP service to crash. The second uses a
large malformed LDAP bind packet that is carefully crafted to take
advantage of the buffer overflow and can be used to execute
arbitrary code. Customers who are using Exchange but who have
turned off LDAP support in the Directory Service are not at risk
from this vulnerability.
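The bind request described above can be checked structurally before
it reaches a directory service. The following is an added example,
not code from ISS or Microsoft: it assumes the standard LDAP
BindRequest BER layout, accepts only the simple and SASL
authentication choices, and uses a hypothetical MAX_FIELD limit;
both sample packets are constructed.

```python
MAX_FIELD = 1024  # assumed policy limit for name/credential length, not from the advisory

class BadBind(ValueError):
    """Raised when a packet is not a well-formed BindRequest."""

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject lengths that run past the buffer."""
    if pos + 2 > len(buf):
        raise BadBind("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: length in one byte
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise BadBind("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise BadBind("declared length exceeds data")
    return tag, buf[pos:pos + length], pos + length

def check_bind(packet):
    """Validate one LDAPMessage holding a BindRequest; return (version, name, method)."""
    tag, msg, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise BadBind("not a single LDAPMessage SEQUENCE")
    tag, _msgid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise BadBind("missing messageID")
    tag, bind, pos = read_tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] = BindRequest
        raise BadBind("not a BindRequest")
    tag, ver, pos = read_tlv(bind, 0)
    if tag != 0x02 or len(ver) != 1 or ver[0] not in (2, 3):
        raise BadBind("bad version")
    tag, name, pos = read_tlv(bind, pos)
    if tag != 0x04 or len(name) > MAX_FIELD:
        raise BadBind("bad or oversized name")
    tag, cred, pos = read_tlv(bind, pos)
    if tag not in (0x80, 0xA3) or len(cred) > MAX_FIELD or pos != len(bind):
        raise BadBind("bad authentication choice")
    method = "simple" if tag == 0x80 else "sasl"
    return ver[0], name.decode("utf-8", "replace"), method

# Constructed samples: a valid simple bind, and the same bytes with a lying name length.
GOOD = bytes.fromhex("301502010160100201030407") + b"cn=test" + b"\x80\x02pw"
BAD_LEN = GOOD[:11] + b"\x7f" + GOOD[12:]
```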
SOLUTION
Network administrators can protect internal systems from external
attack by adding a rule to a filtering router or firewall of the
type: Deny all incoming TCP packets with a destination port of
389. Microsoft highly recommends that customers evaluate the
degree of risk that this vulnerability poses to their systems and
determine whether to download and install the patch. The patch
can be found at:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRI.EXE
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRA.EXE