FOCUS on Microsoft: Patching Exchange Server
SecurityFocus 2001-08-23

Patching Exchange
by Security Focus

Using Hfnetchk

Exchange 2000

Install SP2 for Windows 2000, then apply the following fixes:

Exchange 2000 Server Post-RTM RPC Fixes
Q304063engi386.exe
Exchange Server 2000
Bugtraq ID: 3104
Q304063
File name        Version       Platform
---------------------------------------
Emsmta.exe       6.0.4418.86   x86
Srsmain.exe      6.0.4419.06   x86

There is an inconsistency between the interface definitions in certain RPC server stubs and the remote server's input validation code.

If certain input is validated by the interface definition, there is a chance that the target server will not properly validate the input, possibly impacting the server's performance and other applications running on the affected host.

The RPC servers associated with system services in Exchange, SQL, Windows NT 4.0 and Windows 2000 are subject to this issue.

Incorrect Attachment Processing in Exchange 2000 Outlook Web Access Can Run Script
Q299535i386.exe
Exchange Server 2000
Bugtraq ID: 2832
Q299535
File name        Version       Platform
---------------------------------------
Davex.dll        6.0.4419.27   x86
Excdo.dll        6.0.4419.27   x86
Exoledb.dll      6.0.4419.27   x86
Exprox.dll       6.0.4419.27   x86
Mdbsz.dll        6.0.4419.27   x86
Store.exe        6.0.4419.27   x86

Because of a flaw in the interaction between Outlook Web Access (OWA) and Internet Explorer, it is possible for an email attachment to be executed without prompting the user first.

If an email attachment is received by a user (using OWA and IE to retrieve mail), the attachment could be executed without prompting the user with a dialogue requesting the selection of the appropriate application to view the file. Therefore, an HTML attachment containing a script will run without the user's knowledge.

Malformed URL can Cause Service Failure in IIS 5.0 and Exchange 2000
Q287678engi386.exe
Exchange Server 2000
Bugtraq ID: 2441
Q287678
File name        Version       Platform
---------------------------------------
Davex.dll        6.0.4418.54   x86

Microsoft Exchange is subject to a denial of service condition due to the handling of web client requests. If an authenticated user requests a specially crafted URL multiple times from the host running Exchange, the web-based mail service could stop responding. A restart of the service is required to restore normal functionality.

Microsoft Exchange 2000 Server EUSR_EXSTOREEVENT Account Vulnerability
Q278523ENGI.exe
Exchange Server 2000
Bugtraq ID: 1958
Q278523

During the installation of Exchange 2000 Server, the user account EUSR_EXSTOREEVENT is automatically created. It is assigned a simple hard-coded password, and the privilege level the account possesses depends on the type of server Exchange is installed on. If Exchange is installed on a member server, EUSR_EXSTOREEVENT has privileges equivalent to those of a normal local user. However, if it is installed on a domain controller, the account possesses Domain User rights, which heightens the impact a malicious user may have because their actions may span an entire domain.

A remote intruder could log on to Exchange 2000 Server if they were aware of the username and password. Successful exploitation would grant the user access to files for which the EUSR_EXSTOREEVENT account had read, write, and execute permissions. The malicious user may also install other programs or exploit other vulnerabilities in order to aid them in escalating their privilege level.

Q278523ENG.exe does not prevent this behaviour; it only deletes the account from member servers or Active Directory.
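The file version tables in the Exchange 2000 entries above can be checked mechanically against what is on a server. The following Python is an added example, not part of the original article or of any Microsoft tool; it assumes a file at or above the listed version contains the fix, uses a subset of the rows above, and runs against a constructed inventory rather than real server data.

```python
import re

# Rows copied from this page's Exchange 2000 tables (Q299535 is a subset).
HOTFIX_TABLES = {
    "Q304063": "Emsmta.exe 6.0.4418.86 x86\nSrsmain.exe 6.0.4419.06 x86",
    "Q299535": "Davex.dll 6.0.4419.27 x86\nStore.exe 6.0.4419.27 x86",
    "Q287678": "Davex.dll 6.0.4418.54 x86",
}
ROW = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+\S+\s*$")


def parse_version(text):
    """'6.0.4419.06' -> (6, 0, 4419, 6), so fields compare as numbers."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_table(text):
    """Map lower-cased file name -> version tuple for each table row."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(1).lower(): parse_version(m.group(2)) for m in rows if m}


def audit(installed, tables=HOTFIX_TABLES):
    """Return sorted (article, file, status) for every row not satisfied.

    Assumption: a file at or above the listed version contains the fix.
    """
    have = {name.lower(): parse_version(v) for name, v in installed.items()}
    findings = []
    for article, text in tables.items():
        for name, minimum in parse_table(text).items():
            if name not in have:
                findings.append((article, name, "not inventoried"))
            elif have[name] < minimum:
                findings.append((article, name, "below listed version"))
    return sorted(findings)


# Constructed inventory (not real server data): file name -> version string.
SAMPLE_INVENTORY = {
    "EMSMTA.EXE": "6.0.4418.86",   # equal to the table: satisfied
    "Srsmain.exe": "6.0.4419.6",   # same as 6.0.4419.06 once parsed
    "Davex.dll": "6.0.4418.54",    # satisfies Q287678 but not Q299535
    "Store.exe": "6.0.4419.27",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

Comparing versions as integer tuples matters here: as plain strings, "5.5.2654.9" would sort above "5.5.2654.50".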

Exchange 5.5

NOTE: Information presented on this page is relevant to US-English Intel versions of Windows NT 4.0

Install SP6a for NT, apply the Post-SP6a Security Rollup, then apply the following fixes:

Obtain and install Exchange Service Pack 4. Service Pack 4 can be downloaded from http://www.microsoft.com/exchange/downloads/55/sp4dl_en.asp.
The following Post-SP4 hotfixes then need to be installed:

Microsoft Exchange OWA Global Address List Disclosure Vulnerability
Q307195engi386.EXE
Exchange Server 5.5
Bugtraq ID: 3301
Q307195
File name    Version 
--------------------
Fumsg.asp    NA

Microsoft Exchange enables users to access their inboxes and other various resources located in the Web Storage System. Outlook Web Access (OWA) enables users to remotely access these resources via a URL. OWA ships with Microsoft Exchange by default.

Due to a flaw in a component (fumsg.asp) of OWA, it is possible for unauthorized users to gain read access to the Global Address List.

Typically when performing a Find Users request, the user interface gathers the necessary information required to complete the search request. This includes confirming that the user making the request has successfully authenticated to the server. Once the information is gathered and confirmed, the user interface calls a back end function (fumsg.asp) to carry out the request. However, due to the flaw in OWA, an unauthenticated user can make a search request directly to the back end function (fumsg.asp), circumventing authentication to the Exchange server.

If successfully exploited, a user could gain read access to the entire Global Address List. Knowledge of this information could assist in further attacks against the target host. Specifically, this information could be used to spam users on the host.
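Until the hotfix is applied, web server logs can show whether the back end page has been served to unauthenticated clients. The following Python is an added example, not part of the original article; it assumes IIS W3C extended logging with the fields shown, and the log excerpt, URL paths and addresses are constructed.

```python
# Constructed IIS W3C extended log excerpt (paths and addresses are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-09-10 08:14:02 192.0.2.10 alice GET /example/finduser.asp - 200
2001-09-10 08:14:09 192.0.2.10 alice POST /example/fumsg.asp - 200
2001-09-10 08:15:31 203.0.113.7 - GET /example/fumsg.asp - 401
2001-09-10 08:15:40 203.0.113.7 - POST /example/FUMSG.ASP - 200
2001-09-10 08:16:05 198.51.100.4 - GET /example/logon.asp - 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))


def anonymous_backend_hits(text, page="fumsg.asp"):
    """Return (date, time, client) where `page` was served with no user.

    IIS logs "-" as cs-username for anonymous requests; a 2xx status means
    the page ran rather than answering with an authentication challenge.
    """
    hits = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "").lower()
        anonymous = entry.get("cs-username", "-") == "-"
        served = entry.get("sc-status", "").startswith("2")
        if stem.rsplit("/", 1)[-1] == page and anonymous and served:
            hits.append((entry.get("date"), entry.get("time"),
                         entry.get("c-ip")))
    return hits


if __name__ == "__main__":
    for date, time, client in anonymous_backend_hits(SAMPLE_LOG):
        print(f"{date} {time} anonymous fumsg.asp request from {client}")
```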

Exchange Server 5.5 Post-SP4 RPC Fixes
Q304062engi386.exe
Exchange Server 5.5
Bugtraq ID: 3104
Q304062
File name        Version       Platform
---------------------------------------
Dbserver.sch     5.5.2654.50   x86
Dcprods.cat      5.5.2654.50   x86
Dsamain.exe      5.5.2654.48   x86
Ems_rid.dll      5.5.2654.50   x86
Emsmta.exe       5.5.2654.50   x86
Infoplog.cfg     5.5.2654.50   x86
Mad.exe          5.5.2654.51   x86
Mtacheck.exe     5.5.2654.50   x86
Mtamsg.dll       5.5.2654.50   x86
Mtaperf.dll      5.5.2654.50   x86
P2.xv2           5.5.2654.50   x86
P42.tpl          5.5.2654.50   x86
P772.tpl         5.5.2654.50   x86
Store.exe        5.5.2654.50   x86
X400om.dll       5.5.2654.50   x86
Eseback.dll      5.5.2654.51   x86

There is an inconsistency between the interface definitions in certain RPC server stubs and the remote server's input validation code.

If certain input is validated by the interface definition, there is a chance that the target server will not properly validate the input, possibly impacting the server's performance and other applications running on the affected host.

The RPC servers associated with system services in Exchange, SQL, Windows NT 4.0 and Windows 2000 are subject to this issue.

Incorrect Attachment Processing in Exchange Server 5.5 Outlook Web Access Can Run Script
Q301361i386.exe
Exchange Server 5.5
Bugtraq ID: 2832
Q301361
File name        Version       Platform
---------------------------------------
Davex.dll        6.0.4419.27   x86
Excdo.dll        6.0.4419.27   x86
Exoledb.dll      6.0.4419.27   x86
Exprox.dll       6.0.4419.27   x86
Mdbsz.dll        6.0.4419.27   x86
Store.exe        6.0.4419.27   x86

Because of a flaw in the interaction between Outlook Web Access (OWA) and Internet Explorer, it is possible for an email attachment to be executed without prompting the user first.

If an email attachment is received by a user (using OWA and IE to retrieve mail), the attachment could be executed without prompting the user with a dialogue requesting the selection of the appropriate application to view the file. Therefore, an HTML attachment containing a script will run without the user's knowledge.


