Determina Security Research
Exchange Calendar MODPROPS Denial of Service
http://www.determina.com/security.research/vulnerabilities/exchange-ical-modprops.html

CVE ID: CVE-2007-0039
MS ID: MS07-026
Vendor notification: Dec 20, 2006
Vendor patch: May 8, 2007

Systems Affected:
 * Exchange 2000
 * Exchange 2003

Overview:

Determina Security Research has discovered a denial of service vulnerability in the code responsible for parsing iCal email attachments in Microsoft Exchange. This vulnerability can be exploited by a malicious email message and results in a denial of service. The vulnerable code is present in Exchange 2000 and 2003.

Microsoft fixed a related vulnerability with the MS06-019 security update, but their fix introduced a new denial of service bug. Determina Security Research was able to develop a proof-of-concept exploit that works against fully-patched Exchange servers.

Technical Details:

The iCal file format is described in detail in RFC2445. The file consists of a series of records, delimited by BEGIN and END tags. Each record can have multiple named properties. The iCal parser in Exchange maintains a table of properties valid in the current context and switches to the appropriate table upon entering a new record.

The X-MICROSOFT-CDO-MODPROPS property is an undocumented Microsoft extension which allows the iCal file to specify a list of properties that are considered valid in a specific record. All other properties will be ignored by Exchange. The following example shows a typical usage of this feature:

    BEGIN:VEVENT
    X-MICROSOFT-CDO-MODPROPS:BEGIN,DTEND,DTSTART,END
    DTSTART:19970714T170000Z
    DTEND:19970715T035959Z
    SUMMARY:Bastille Day Party
    END:VEVENT

In this example, the SUMMARY property will not be processed by Exchange.
When the parser encounters the MODPROPS property, it calls CICalSchema::AllocPropTables to allocate a new table of valid properties. The pointer to the new table is stored in this->field_F0 and the list of valid properties is copied into the table. If there is a second MODPROPS property, the function will be called again and will reuse the previously allocated table. If the second MODPROPS element is longer than the first one, the copy loop will write past the end of the table.

This vulnerability was fixed in MS06-019 by adding a call to CICalSchema::FreePropTables at the beginning of the AllocPropTables function. This ensures that the previous property table is freed and AllocPropTables allocates a new one of sufficient size.

Unfortunately, FreePropTables also sets the this->field_28 pointer to NULL. The NULL pointer is later used in a memcpy operation in AllocPropTables and causes an unhandled exception, resulting in a crash of Exchange.

    // Allocate a new property table
    int CICalSchema::AllocPropTables(arg_0, arg_4)
    {
        this->FreePropTables();     // call added by MS06-019
        ...
        // Allocate space for the new table
        if (this->field_F0 == NULL)
            this->field_F0 = new(vector_size*16);
        ...
        // NULL pointer dereference of this->field_28
        memcpy(&this->field_F4[offset_F4], &this->field_28[index*20], 20);
    }

    // Free the property table
    void CICalSchema::FreePropTables()
    {
        if (this->field_F0 != NULL) {
            ...
            ExFree(this->field_F0);
            this->field_F0 = NULL;
        }
        if (this->field_F4 != NULL) {
            if (this->field_28 == this->field_F4) {
                this->field_28 = NULL;   // set this->field_28 to NULL
                this->field_1C = 0;
            }
            ExFree(this->field_F4);
            this->field_F4 = NULL;
        }
        ...
    }

Protection:

Determina VPS Server protects against the exploitation of this vulnerability.

Vendor response:

Microsoft issued the MS07-026 patch on May 8, 2007.
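To make the sequence of the two bugs concrete, the following is an added C model of the MODPROPS table handling described in the Technical Details; it is not Exchange code and not part of the advisory. The field names (field_F0, field_F4, field_28, field_1C) follow the decompiled fragment above, but the struct layout, the base VEVENT property table, the line parser, the status codes and the FIXED variant (re-pointing the source table after freeing) are assumptions made for illustration. The pre-MS06-019 and MS06-019 variants return a status code at the exact point where the real code would run past the reused table or read through the NULL pointer, so the model runs safely on the constructed two-MODPROPS record.

```c
/* Added model of the MODPROPS table handling described above.  Not Exchange
 * code: the field names follow the advisory, but the struct layout, the base
 * property table, the line parser and the FIXED variant are assumptions made
 * for illustration.  The two buggy variants return a status code at the point
 * where the real code would overrun the heap or read through NULL. */
#include <stdlib.h>
#include <string.h>
#define ENTRY 20     /* the advisory's memcpy moves 20-byte descriptors */
#define MAX_PROPS 32
typedef struct { char name[ENTRY]; } PropEntry;
typedef struct {
    PropEntry *field_F0;        /* names listed by MODPROPS */
    PropEntry *field_F4;        /* descriptors copied for those names */
    size_t     cap;             /* model bookkeeping: entries allocated for F0/F4 */
    PropEntry *field_28;        /* table the copy loop reads; aliases field_F4 after a MODPROPS */
    size_t     field_1C;        /* entry count of field_28 */
    PropEntry  base[MAX_PROPS]; /* constructed full VEVENT property table */
    size_t     nbase;
} CICalSchema;
enum { ST_OK = 0, ST_OVERFLOW, ST_NULL_DEREF, ST_BAD_PROP };
enum variant { PRE_MS06_019, MS06_019, FIXED };

/* Mirrors CICalSchema::FreePropTables from the advisory, including the alias reset. */
static void free_prop_tables(CICalSchema *s)
{
    if (s->field_F0) { free(s->field_F0); s->field_F0 = NULL; }
    if (s->field_F4) {
        if (s->field_28 == s->field_F4) { s->field_28 = NULL; s->field_1C = 0; }
        free(s->field_F4); s->field_F4 = NULL;
    }
}
static long lookup(const PropEntry *tab, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(tab[i].name, name, ENTRY) == 0) return (long)i;
    return -1;
}

/* Model of CICalSchema::AllocPropTables in three variants. */
static int alloc_prop_tables(CICalSchema *s, char names[][ENTRY], size_t count, enum variant v)
{
    if (v != PRE_MS06_019) free_prop_tables(s);                        /* the MS06-019 addition */
    if (v == FIXED) { s->field_28 = s->base; s->field_1C = s->nbase; } /* assumed fix: re-point the source */
    if (s->field_F0 == NULL) {                                         /* otherwise the old table is reused */
        s->field_F0 = calloc(count, sizeof *s->field_F0);
        s->field_F4 = calloc(count, sizeof *s->field_F4);
        if (!s->field_F0 || !s->field_F4) abort();
        s->cap = count;
    }
    if (count > s->cap)      return ST_OVERFLOW;   /* PRE_MS06_019: copy loop would run past the reused table */
    if (s->field_28 == NULL) return ST_NULL_DEREF; /* MS06_019: FreePropTables just cleared the source pointer */
    for (size_t i = 0; i < count; i++) {
        long idx = lookup(s->field_28, s->field_1C, names[i]);
        if (idx < 0) return ST_BAD_PROP;
        memcpy(&s->field_F0[i], names[i], ENTRY);
        memcpy(&s->field_F4[i], &s->field_28[idx], ENTRY);             /* the advisory's memcpy */
    }
    s->field_28 = s->field_F4; s->field_1C = count; /* the restricted table becomes the current one */
    return ST_OK;
}

/* Walks one VEVENT line by line; *processed counts the properties the current
 * table lets through (BEGIN/END are record delimiters and are not counted). */
static int parse_vevent(const char *ical, enum variant v, int *processed)
{
    static const char *full[] = { "BEGIN", "END", "DTSTART", "DTEND", "SUMMARY", "LOCATION" };
    CICalSchema s; memset(&s, 0, sizeof s); s.nbase = sizeof full / sizeof *full;
    for (size_t i = 0; i < s.nbase; i++) strncpy(s.base[i].name, full[i], ENTRY - 1);
    s.field_28 = s.base; s.field_1C = s.nbase;
    int rc = ST_OK; *processed = 0;
    for (const char *p = ical; *p && rc == ST_OK; ) {
        char line[256]; size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        p += len; if (*p == '\n') p++;
        char *colon = strchr(line, ':'); if (!colon) continue; *colon = '\0';
        if (strcmp(line, "BEGIN") == 0 || strcmp(line, "END") == 0) continue;
        if (strcmp(line, "X-MICROSOFT-CDO-MODPROPS") == 0) {
            char names[MAX_PROPS][ENTRY]; size_t n = 0;
            for (char *t = strtok(colon + 1, ","); t && n < MAX_PROPS; t = strtok(NULL, ","), n++)
                { memset(names[n], 0, ENTRY); strncpy(names[n], t, ENTRY - 1); }
            rc = alloc_prop_tables(&s, names, n, v);
        } else if (lookup(s.field_28, s.field_1C, line) >= 0) {
            (*processed)++;                 /* property survives the MODPROPS filter */
        }
    }
    free_prop_tables(&s);
    return rc;
}
static int parse_status(const char *ical, enum variant v) { int n; return parse_vevent(ical, v, &n); }
static int parse_processed(const char *ical, enum variant v) { int n; return parse_vevent(ical, v, &n) == ST_OK ? n : -1; }

/* Constructed input: the advisory's VEVENT, then the same record with a second, longer MODPROPS line. */
static const char ONE_MODPROPS[] =
    "BEGIN:VEVENT\nX-MICROSOFT-CDO-MODPROPS:BEGIN,DTEND,DTSTART,END\n"
    "DTSTART:19970714T170000Z\nDTEND:19970715T035959Z\nSUMMARY:Bastille Day Party\nEND:VEVENT\n";
static const char TWO_MODPROPS[] =
    "BEGIN:VEVENT\nX-MICROSOFT-CDO-MODPROPS:BEGIN,DTEND,DTSTART,END\n"
    "DTSTART:19970714T170000Z\nDTEND:19970715T035959Z\nSUMMARY:Bastille Day Party\n"
    "X-MICROSOFT-CDO-MODPROPS:BEGIN,DTEND,DTSTART,END,SUMMARY,LOCATION\nLOCATION:Paris\nEND:VEVENT\n";
```

On the advisory's single-MODPROPS record every variant processes only DTSTART and DTEND, as the text says. On the two-MODPROPS record the pre-MS06-019 variant reuses the four-entry table for a six-entry list (ST_OVERFLOW), the MS06-019 variant frees the table, clears the aliased field_28 and would then copy from NULL (ST_NULL_DEREF), and the assumed FIXED variant re-points the source table at the base descriptors before copying and processes DTSTART, DTEND and LOCATION. The take-away for a reviewer of such a fix is that freeing a buffer is not enough when another field aliases it: the alias must be reseated, not just nulled, before the next use.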
Credit:

Discovery: Alexander Sotirov, Determina Security Research