|
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigE2EB01A1CC1BE9BB42A6BF17
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Determina Security Research
Exchange Calendar MODPROPS Denial of Service
http://www.determina.com/security.research/vulnerabilities/exchange-ical-modprops.html
CVE ID: CVE-2007-0039
MS ID: MS07-026
Vendor notification: Dec 20, 2006
Vendor patch: May 8, 2007
Systems Affected:
* Exchange 2000
* Exchange 2003
Overview:
Determina Security Research has discovered a denial of service vulnerability in
the code responsible for parsing iCal email attachments in Microsoft Exchange.
This vulnerability can be exploited by a malicious email message and results in
a denial of service. The vulnerable code is present in Exchange 2000 and 2003.
Microsoft fixed a related vulnerability with the MS06-019 security update, but
their fix introduced a new denial of service bug. Determina Security Research
was able to develop a proof-of-concept exploit that works against fully-patched
Exchange servers.
Technical Details:
The iCal file format is described in detail in RFC2445. The file consists of a
series of records, delimited by BEGIN and END tags. Each record can have
multiple named properties. The iCal parser in Exchange maintains a table of
properties valid in the current context and switches to the appropriate table
upon entering a new record.
The X-MICROSOFT-CDO-MODPROPS property is an undocumented Microsoft extension
which allows the iCal file to specify a list of properties that are considered
valid in a specific record. All other properties will be ignored by Exchange.
The following example shows a typical usage of this feature:
BEGIN:VEVENT
X-MICROSOFT-CDO-MODPROPS:BEGIN,DTEND,DTSTART,END
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
In this example, the SUMMARY property will not be processed by Exchange.
When the parser encounters the MODPROPS property, it calls
CICalSchema::AllocPropTables to allocate a new table of valid properties. The
pointer to the new table is stored in this->field_F0 and the list of valid
properties is copied into the table. If there is a second MODPROPS property, the
function will be called again and will reuse the previousely allocated table. If
the second MODPROPS element is longer than the first one, the copy loop will
write past the end of the table.
This vulnerability was fixed in MS06-019 by adding a call to
CICalSchema::FreePropTables in the beginning of the AllocPropTables function.
This ensures that the previous property table is freed and AllocPropTables
allocates a new one of sufficient size.
Unfortunately, FreePropTables also sets the this->field_28 pointer to NULL. The
NULL pointer is later used in a memcpy operation in AllocPropTables and causes
an unhandled exception, resulting in a crash of Exchange.
// Allocate a new property table
int CICalSchema::AllocPropTables(arg_0, arg_4)
{
this->FreePropTables();
...
// Allocate space for the new table
if (this->field_F0 == NULL)
this->field_F0 = new(vector_size*16);
...
// NULL pointer dereference of this->field_28
memcpy(&this->field_F4[offset_F4], &this->field_28[index*20], 20);
}
// Free the property table
void CICalSchema::FreePropTables()
{
if (this->field_F0 != NULL) {
...
ExFree(this->field_F0);
this->field_F0 = NULL;
}
if (this->field_F4 != NULL) {
if (this->field_28 == this->field_F4) {
this->field_28 = NULL; // set this->field_28 to NULL
this->field_1C = 0;
}
ExFree(this->field_F4);
this->field_F4 = NULL;
}
...
}
Protection:
Determina VPS Server protects against the exploitation of this vulnerability.
Vendor response:
Microsoft issued the MS07-026 patch on May 8, 2007.
Credit:
Discovery: Alexander Sotirov, Determina Security Research
--------------enigE2EB01A1CC1BE9BB42A6BF17
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGQQE+TS+0yyhMJeMRAuiiAJ9VbB32sSnb9SwAsjRzdbG6M48djwCfeV2i
XFjRqoPP7AJGrjm1ECc0TUc=wYQA
-----END PGP SIGNATURE-----
--------------enigE2EB01A1CC1BE9BB42A6BF17--