Microsoft Security Bulletin MS02-012

Technical description:

An SMTP service installs by default as part of Windows 2000 server products. Exchange 2000, which can only be installed on Windows 2000, uses the native Windows 2000 SMTP service rather than providing its own. In addition, Windows 2000 and Windows XP workstation products provide an SMTP service that is not installed by default. All of these implementations contain a flaw that could enable denial of service attacks to be mounted against the service.

The flaw involves how the service handles a particular type of SMTP command used to transfer the data that constitutes an incoming mail. By sending a malformed version of this command, an attacker could cause the SMTP service to fail. This would have the effect of disrupting mail services on the affected system, but would not cause the operating system itself to fail.

Mitigating factors:

• Windows XP Home Edition does not provide an SMTP service, and is not affected by the vulnerability.
• Windows 2000 Professional and Windows XP Professional do provide an SMTP service, but it is not installed by default.
• Windows 2000 server products do install the SMTP service by default. However, best practices recommend disabling any unneeded services, and systems on which the SMTP service had been disabled would not be at risk.
• Exchange 5.5, even if installed on a Windows 2000 server, is not affected by the vulnerability.
• The result of an attack would be limited to disrupting the SMTP service and, depending on the system configuration, potentially IIS and other internet services as well. However, it would not disrupt any other system functions.
• The vulnerability would not enable an attacker to gain any privileges on the affected system or to access users' email or data.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. While a malicious user could cause the SMTP service to fail, he would not get system privileges nor would he have access to user information.

Vulnerability identifier: CAN-2002-0055

Tested Versions:

Microsoft tested Windows 2000, Windows NT® 4.0, Exchange 5.5 and Exchange 2000 to assess whether they are affected by these vulnerabilities. The SMTP services provided as part of Windows NT 4.0 and Exchange 5.5 are not affected by the vulnerability Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a specially malformed request to an affected system, an attacker could temporarily prevent it from providing mail services. The vulnerability would not enable the attacker to gain any privileges on the system, nor to read, send or delete any user's mail on the system.

What causes the vulnerability?
There is a flaw in how the SMTP service in Windows 2000 and Windows XP handles a particular type of data transfer command. Upon receiving a malformed version of this command, the service would fail, with the temporary loss of mail services

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery of mail via the Internet, defined in RFCs 2821 and 2822 . The protocol defines the format of mail messages, the fields in them and their contents, and the handling procedures for mails. An SMTP service is provided with Windows 2000 Server, Advanced Server and Datacenter Server, and installs by default The service is provided in Windows 2000 Professional, and Windows XP Professional, but doesn't install by default in either.

What's the relationship between the SMTP service and Exchange?
Different versions of Exchange have different relationships with the native SMTP service. Exchange 2000 (which can only be installed on Windows 2000), uses the native Windows 2000 SMTP service. In contrast, Exchange 5.5 provides its own SMTP service, regardless of what operating system it installs on.

What's wrong with the SMTP service in Windows 2000?
The SMTP service in Windows 2000 doesn't correctly handle a particular type of command that's used to transfer the data comprising an incoming mail. Upon receiving such a command, the service would fail.

What would this enable the attacker to do?
An attacker could use this vulnerability to disrupt the operation of mail services on an affected server.

How could an attacker exploit this vulnerability?
The attacker would need the establish a connection with the server and send data that purports to be an incoming mail for a user on the server. If the attacker included the command at issue here within that data, the SMTP service on the system would fail. The administrator could restore normal operation by restarting the SMTP service.

Could the attacker use this vulnerability to gain any privileges on the system, or to read users' mail?
No. The vulnerability only enables an attacker to cause the service to fail. There's no opportunity here to gain privileges or compromise data on the server.

The SMTP service is running on my server because I left it at the defaults. But the server isn't a mail server. What could an attacker do to my system?
The SMTP service runs as part of Inetinfo.exe, which provides a number of Internet-related services, including web hosting via IIS. If the SMTP service failed due to an attack, all of these services would likewise fail. However, they would automatically restart, and the attack would have no other effect on the system.

Does this vulnerability affect Windows XP systems?
Windows XP Professional includes an SMTP service, but it does not install by default. Unless it had been installed, the system would be at no risk. Windows XP Home Edition does not include an SMTP service, and such systems are therefore not at risk under any conditions.

Does this affect all Windows 2000 systems?
The SMTP service runs by default in all Windows 2000 server products. However, Microsoft always recommends reviewing the list of services and disabling any that aren't needed. If the SMTP service had been disabled, the system would not be at risk.
On the other hand, the SMTP service does not install by default on Windows 2000 Professional. Unless it had been installed, the system would be at no risk.

Does the vulnerability affect the SMTP service in Windows NT 4.0?
No.

Does the vulnerability affect the SMTP service in Exchange Server 5.5?
No. Exchange 5.5, even if installed on Windows 2000, uses its own SMTP service, which is not affected by the vulnerability

So, if I'm running Exchange 5.5 on Windows 2000, do I need to install the patch?
No.

Why isn't there a patch for Exchange 2000?
Exchange 2000 doesn't have its own SMTP service - instead, it uses the Windows 2000 SMTP service (and Windows 2000 is the only system Exchange 2000 can be installed on). The Windows 2000 patch eliminates the vulnerability on all Windows 2000 systems, even ones that have Exchange 2000 installed as well.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the Windows 2000 SMTP service properly responds to erroneous client protocol commands. In this way, an attacker who sent the malformed request could not cause the SMTP service to fail.

Is there a single Windows 2000 patch for MS02-011 and MS02-12?
Yes, the Windows 2000 patch for both MS02-011 and MS02-012 are the same.

Download locations for this patch

• Windows 2000 Server, Professional and Advanced Server

  http://www.microsoft.com/downloads/details.aspx?FamilyID=427a3b0a-ff47-4684-8aa3-127eb19eb848&DisplayLang=en

• Windows XP Professional:

  http://www.microsoft.com/downloads/details.aspx?FamilyID=fb8e8d24-02df-445a-9f9e-125852487465&DisplayLang=en