Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803) SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
MS06-019, CVE-2006-0027

Exchange admins you will have your hands full, especially if you are running your own RIM/Blackberry Enterprise Server.  Please read the earlier entry by Johannes for details on the "gotcha" there.  This vulnerability allows for remote code execution and is critical that it be patched.  Here are the details as reported by Microsoft:

Maximum Severity Rating: Critical

Affected software:
  • Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004(870540)
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2
Work Arounds:
Micosoft recommends two work arounds for this vulnerability.  Keep in mind that these work arounds can break other required functionality and cause you lots of pain.  Patching is the recommended solution.

1.  Require authentication for connections to a server that is running Microsoft Exchange Server for all client and message transport protocols.

2.  Block iCal/vCal on Microsoft Exchange Server to help protect against attempts to exploit this vulnerability through SMTP e-mail.

Vulnerability Details:
EXCDO and CDOEX functionality provided with Exchange server does not properly process certain iCAL and vCAL properties provided in email messages.  Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO) are interfaces that allow for certain types of information to be processed in the Exchange store. Virtual Calendar (vCAL)  and Internet Calendar (iCAL) is a MIME content type used by Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and scheduling.

In short, when the exchanger server receives a message that contains specially crafted properties for vCAL and iCAL, it allows for execution of code on the exchange server.


165 Posts
ISC Handler
May 9th 2006

Sign Up for Free or Log In to start participating in the conversation!