Security Bulletin

Microsoft Security Bulletin MS02-012 - Low

Malformed Data Transfer Request can Cause Windows SMTP Service to Fail

Published: February 27, 2002 | Updated: May 09, 2003

Version: 2.1

Summary

Who should read this bulletin: Customers using Microsoft® Windows® 2000 Server and Professional, Windows XP Professional and Exchange Server 2000

Impact of vulnerability: Denial of Service

Maximum Severity Rating: Low

Recommendation: Customers who need the Windows 2000 SMTP services should apply the patch; all others should disable the SMTP service.

Affected Software:

  • Microsoft Windows 2000
  • Microsoft Windows XP Professional
  • Microsoft Exchange 2000

General Information

Technical details

Technical description:

An SMTP service installs by default as part of Windows 2000 server products. Exchange 2000, which can only be installed on Windows 2000, uses the native Windows 2000 SMTP service rather than providing its own. In addition, Windows 2000 and Windows XP workstation products provide an SMTP service that is not installed by default. All of these implementations contain a flaw that could enable denial of service attacks to be mounted against the service.

The flaw involves how the service handles a particular type of SMTP command used to transfer the data that constitutes an incoming mail. By sending a malformed version of this command, an attacker could cause the SMTP service to fail. This would have the effect of disrupting mail services on the affected system, but would not cause the operating system itself to fail.

Mitigating factors:

  • Windows XP Home Edition does not provide an SMTP service, and is not affected by the vulnerability.
  • Windows 2000 Professional and Windows XP Professional do provide an SMTP service, but it is not installed by default.
  • Windows 2000 server products do install the SMTP service by default. However, best practices recommend disabling any unneeded services, and systems on which the SMTP service had been disabled would not be at risk.
  • Exchange 5.5, even if installed on a Windows 2000 server, is not affected by the vulnerability.
  • The result of an attack would be limited to disrupting the SMTP service and, depending on the system configuration, potentially IIS and other internet services as well. However, it would not disrupt any other system functions.
  • The vulnerability would not enable an attacker to gain any privileges on the affected system or to access users' email or data.

Severity Rating:

                          Internet Servers   Intranet Servers   Client Systems
Windows 2000              Low                Low                Low
Windows XP Home Edition   None               None               None
Windows XP Professional   None               None               Low
Exchange 2000             Low                Low                None

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. While a malicious user could cause the SMTP service to fail, he would not get system privileges nor would he have access to user information.

Vulnerability identifier: CAN-2002-0055

Tested Versions:

Microsoft tested Windows 2000, Windows NT® 4.0, Exchange 5.5 and Exchange 2000 to assess whether they are affected by these vulnerabilities. The SMTP services provided as part of Windows NT 4.0 and Exchange 5.5 are not affected by the vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a specially malformed request to an affected system, an attacker could temporarily prevent it from providing mail services. The vulnerability would not enable the attacker to gain any privileges on the system, nor to read, send or delete any user's mail on the system.

What causes the vulnerability?
There is a flaw in how the SMTP service in Windows 2000 and Windows XP handles a particular type of data transfer command. Upon receiving a malformed version of this command, the service would fail, with the temporary loss of mail services.

What is SMTP?
SMTP (Simple Mail Transfer Protocol) is an industry standard for delivery of mail via the Internet, defined in RFCs 2821 and 2822. The protocol defines the format of mail messages, the fields in them and their contents, and the handling procedures for mails. An SMTP service is provided with Windows 2000 Server, Advanced Server and Datacenter Server, and installs by default. The service is provided in Windows 2000 Professional and Windows XP Professional, but doesn't install by default in either.

What's the relationship between the SMTP service and Exchange?
Different versions of Exchange have different relationships with the native SMTP service. Exchange 2000 (which can only be installed on Windows 2000), uses the native Windows 2000 SMTP service. In contrast, Exchange 5.5 provides its own SMTP service, regardless of what operating system it installs on.

What's wrong with the SMTP service in Windows 2000?
The SMTP service in Windows 2000 doesn't correctly handle a particular type of command that's used to transfer the data comprising an incoming mail. Upon receiving such a command, the service would fail.

What would this enable the attacker to do?
An attacker could use this vulnerability to disrupt the operation of mail services on an affected server.

How could an attacker exploit this vulnerability?
The attacker would need to establish a connection with the server and send data that purports to be an incoming mail for a user on the server. If the attacker included the command at issue here within that data, the SMTP service on the system would fail. The administrator could restore normal operation by restarting the SMTP service.

Could the attacker use this vulnerability to gain any privileges on the system, or to read users' mail?
No. The vulnerability only enables an attacker to cause the service to fail. There's no opportunity here to gain privileges or compromise data on the server.

The SMTP service is running on my server because I left it at the defaults. But the server isn't a mail server. What could an attacker do to my system?
The SMTP service runs as part of Inetinfo.exe, which provides a number of Internet-related services, including web hosting via IIS. If the SMTP service failed due to an attack, all of these services would likewise fail. However, they would automatically restart, and the attack would have no other effect on the system.

Does this vulnerability affect Windows XP systems?
Windows XP Professional includes an SMTP service, but it does not install by default. Unless it had been installed, the system would be at no risk. Windows XP Home Edition does not include an SMTP service, and such systems are therefore not at risk under any conditions.

Does this affect all Windows 2000 systems?
The SMTP service runs by default in all Windows 2000 server products. However, Microsoft always recommends reviewing the list of services and disabling any that aren't needed. If the SMTP service had been disabled, the system would not be at risk. On the other hand, the SMTP service does not install by default on Windows 2000 Professional. Unless it had been installed, the system would be at no risk.

Does the vulnerability affect the SMTP service in Windows NT 4.0?
No.

Does the vulnerability affect the SMTP service in Exchange Server 5.5?
No. Exchange 5.5, even if installed on Windows 2000, uses its own SMTP service, which is not affected by the vulnerability.

So, if I'm running Exchange 5.5 on Windows 2000, do I need to install the patch?
No.

Why isn't there a patch for Exchange 2000?
Exchange 2000 doesn't have its own SMTP service - instead, it uses the Windows 2000 SMTP service (and Windows 2000 is the only system Exchange 2000 can be installed on). The Windows 2000 patch eliminates the vulnerability on all Windows 2000 systems, even ones that have Exchange 2000 installed as well.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the Windows 2000 SMTP service properly responds to erroneous client protocol commands. In this way, an attacker who sent the malformed request could not cause the SMTP service to fail.

Is there a single Windows 2000 patch for MS02-011 and MS02-012?
Yes, the Windows 2000 patches for MS02-011 and MS02-012 are the same.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2 and the Windows XP patch can be installed on Windows XP Professional Gold.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 3 and Windows XP Professional Service Pack 1.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

Windows 2000:

  • To verify that the patch has been installed, confirm that the following registry key has been created on the machine:

    HKLM\Software\Microsoft\Updates\Windows 2000\SP3\Q313450

  • To verify the individual files, use the date/time and version information provided in the following registry key:

    HKLM\Software\Microsoft\Updates\Windows 2000\SP3\Q313450\Filelist

Windows XP:

  • To verify that the patch has been installed, confirm that the following registry key has been created on the machine:

    HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q313450

  • To verify the individual files, use the date/time and version information provided in the following registry key:

    HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q313450\Filelist
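
The registry checks above can be run against several hosts from an administrative workstation. The following PowerShell sketch is an added example, not part of the original bulletin or Microsoft's code; it uses the key paths given above, and it assumes that the Remote Registry service is reachable on each target and that the Filelist key holds one subkey per file. The host names are constructed placeholders.

```powershell
# Added example, not Microsoft's code. Registry paths are those given in the
# bulletin; the host names at the bottom are constructed placeholders.
# Assumptions: Remote Registry is reachable on each target, and Filelist holds
# one subkey per file (the bulletin does not describe the Filelist layout).
$PatchKeys = [ordered]@{
    'Windows 2000' = 'Software\Microsoft\Updates\Windows 2000\SP3\Q313450'
    'Windows XP'   = 'Software\Microsoft\Updates\Windows XP\SP1\Q313450'
}

function Get-Q313450Status {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{ Computer = $ComputerName; Platform = $null
                          HotfixKeyPresent = $false; Files = @(); Error = $null }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    } catch {
        $result.HotfixKeyPresent = $null      # unknown, not "missing"
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    try {
        foreach ($platform in $PatchKeys.Keys) {
            $key = $hklm.OpenSubKey($PatchKeys[$platform])
            if (-not $key) { continue }
            $result.Platform = $platform
            $result.HotfixKeyPresent = $true
            $list = $key.OpenSubKey('Filelist')
            if ($list) {
                # Collect every value of every per-file subkey (date/time, version, ...)
                $result.Files = foreach ($name in $list.GetSubKeyNames()) {
                    $entry = $list.OpenSubKey($name)
                    $props = [ordered]@{ Entry = $name }
                    foreach ($v in $entry.GetValueNames()) {
                        if ($v) { $props[$v] = $entry.GetValue($v) }
                    }
                    $entry.Close()
                    [pscustomobject]$props
                }
                $list.Close()
            }
            $key.Close()
            break
        }
    } finally { $hklm.Close() }
    [pscustomobject]$result
}

# A missing key means "hotfix not installed", not necessarily "vulnerable": the
# bulletin states the fix is included in Windows 2000 SP3 and Windows XP SP1.
'mail01.example.test', 'web02.example.test' | ForEach-Object { Get-Q313450Status $_ } |
    Format-Table Computer, Platform, HotfixKeyPresent, Error -AutoSize
```

The Files property of each result carries the per-file values to compare against the date/time and version information for the patch.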

Caveats:

None

Localization:

Localized versions of this patch are available and can be found at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks H D Moore for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q313450 discusses this issue and is currently available. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (February 27, 2002): Bulletin Created.
  • V2.0 (March 12, 2002): Updated to reflect that the Windows 2000 patch for MS02-011 and MS02-012 are the same.
  • V2.1 (May 09, 2003): Updated download links to Windows Update.
