Microsoft Exchange Server includes a component called Internet Mail Connector (IMC) that allows an Exchange server to communicate with remote SMTP servers. A vulnerability exists in this component that may allow remote attackers to execute arbitrary code on Exchange servers under specific circumstances. The exploitable condition occurs when the affected server generates a response to an Extended Hello (EHLO) SMTP command received from a remote server. An unbounded string creation routine (likely sprintf()) is used to construct the response string in memory. Because externally supplied data is included in the construction of this string, the unbounded string creation may be exploited to overwrite stack memory and execute arbitrary code. The external data included in the string is obtained through a reverse lookup. To exploit this vulnerability, an attacker would require authority over their own address space and would have to map a PTR hostname of excessive length to the attacking IP address. Furthermore, a replacement return address and possibly shellcode would also need to be embedded in that hostname. These specific circumstances complicate exploitability and make real-world attacks unlikely. Theoretically, the vulnerability is exploitable, and administrators are advised to apply the patch as soon as possible.
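As an added illustration of the defect class described above (not code from Exchange or this advisory), the following C shows the unbounded sprintf() pattern in a comment and a hardened replacement that validates the reverse-lookup result and formats the EHLO reply with a bounded routine. The reply format, buffer sizes and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed limits (not from the advisory): RFC 5321 reply line and DNS name lengths. */
#define REPLY_MAX    512
#define HOSTNAME_MAX 253

/* Vulnerable pattern the advisory describes (do not use):
 *
 *   char reply[256];
 *   sprintf(reply, "250 %s Hello [%s]\r\n", local_host, peer_host);
 *
 * peer_host comes from a PTR lookup that the connecting party controls,
 * so a name longer than the buffer writes past the end of reply[] on the
 * stack, which is the condition that allows control of the return address.
 */

/* Hardened version: reject PTR results longer than any legal DNS name and
 * use snprintf() so the reply can never exceed out_len. Returns false (and
 * leaves out[] empty) when the name is unacceptable or the reply would be
 * truncated; a truncated reply is treated as an error, not silently sent. */
bool build_ehlo_reply(const char *local_host, const char *peer_host,
                      char *out, size_t out_len)
{
    if (out == NULL || out_len == 0)
        return false;
    out[0] = '\0';

    /* Length check before formatting: strnlen bounds the scan itself. */
    if (peer_host == NULL || strnlen(peer_host, HOSTNAME_MAX + 1) > HOSTNAME_MAX)
        return false;

    int n = snprintf(out, out_len, "250 %s Hello [%s]\r\n", local_host, peer_host);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';   /* would have been truncated: refuse rather than send a partial reply */
        return false;
    }
    return true;
}

int main(void)
{
    char reply[REPLY_MAX];
    /* Constructed sample: a normal peer name succeeds, an oversized one is rejected. */
    char oversized[300];
    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("normal:    %d\n", build_ehlo_reply("mail.example.test", "host.example.test", reply, sizeof reply));
    printf("oversized: %d\n", build_ehlo_reply("mail.example.test", oversized, reply, sizeof reply));
    return 0;
}
```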