
SANS ISC Diary: MS05-048 CDO Object Remote Code Execution


MS05-048

KB: Win2K SP4 - KB901017, WinXP SP1/SP2 - KB901017, Win2K3 - KB901017
CVE: CAN-2005-1987

Collaboration Data Objects (CDO) let Windows systems send and process email through SMTP or a Microsoft Exchange server.  An unchecked buffer in the CDO library for Windows 2000 and later (CDOSYS) and in the Exchange version (CDOEX) allows an attacker to run code on the target host.  To trigger the flaw, an attacker delivers a specially crafted mail message via SMTP that is then handed to an SMTP event sink, the extension mechanism that lets custom code inspect or modify messages (as CDO message objects) while the SMTP service handles them.

The mitigating circumstance is that the IIS 5.0 SMTP service and the Exchange 2000 SMTP service do not use event sinks by default, so a default installation does not expose the vulnerable code path.  The IIS 6.0 SMTP service does use event sinks and is therefore vulnerable, but IIS 6.0 does not install the SMTP service by default.  There is some confusion in the Microsoft bulletin about Exchange 2003, which is listed both as "not vulnerable" and in the "affected software" section of the bulletin.

The challenge in determining whether your IIS SMTP service or Exchange 2000 system is vulnerable is that it depends on whether event sinks are in use on that system.  Third-party products such as spam gateways or anti-virus systems may register event sinks to process mail messages, and a host running such a product is then exposed to this flaw.
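The practical check, then, is to enumerate the sinks bound to the SMTP service and confirm whether the MS05-048 update is present. The script below is an added example, not code from the ISC diary or from Microsoft. It assumes the Server Extension Objects "Event.Manager" COM object is available (it ships with the IIS SMTP service), that PowerShell is installed on the host, and that the two GUIDs are the SMTP transport source type and the OnArrival event type as used by the Exchange SDK's smtpreg.vbs; verify both against smtpreg.vbs on your own system before relying on the output.

```powershell
# Added example (not from the ISC diary or Microsoft): list the OnArrival
# SMTP transport event sinks bound to each SMTP virtual server on this host
# and check whether the MS05-048 update (KB901017) is recorded as installed.
# Assumed GUIDs: taken from the Exchange SDK smtpreg.vbs; verify locally.

$SmtpSourceTypeGuid = '{FB65C4DC-E468-11D1-AA67-00C04FA345F6}'   # assumed: SMTP transport source type
$OnArrivalEventGuid = '{FF3CAA23-00B9-11d2-9DFB-00C04FA322BA}'   # assumed: OnArrival event type

function Get-SmtpOnArrivalSinks {
    # OnArrival sinks receive the message as a CDO.Message object, which is
    # the code path MS05-048 describes; other transport events are not listed.
    $manager    = New-Object -ComObject 'Event.Manager'
    $sourceType = $manager.SourceTypes.Item($SmtpSourceTypeGuid)
    foreach ($source in $sourceType.Sources) {
        $bindings = $source.GetBindingManager().Bindings($OnArrivalEventGuid)
        foreach ($binding in $bindings) {
            New-Object PSObject -Property @{
                VirtualServer = $source.DisplayName
                Sink          = $binding.DisplayName
                SinkClass     = $binding.SinkClass      # COM ProgID/CLSID of the sink
                Enabled       = $binding.Enabled
                Rule          = $binding.SourceProperties.Item('Rule')  # e.g. "MAIL FROM=*"
            }
        }
    }
}

function Test-MS05048Installed {
    # Installed hotfixes are recorded in Win32_QuickFixEngineering.
    [bool](Get-HotFix | Where-Object { $_.HotFixID -eq 'KB901017' })
}

$sinks = @(Get-SmtpOnArrivalSinks)
if ($sinks.Count -eq 0) {
    Write-Output 'No OnArrival sinks bound: the event-sink trigger path is not in use on this host.'
} else {
    Write-Output "$($sinks.Count) OnArrival sink(s) bound; third-party software may be processing mail through CDO:"
    $sinks | Format-Table VirtualServer, Sink, SinkClass, Enabled, Rule -AutoSize
}

if (Test-MS05048Installed) {
    Write-Output 'KB901017 is installed.'
} else {
    Write-Output 'KB901017 not found: apply the MS05-048 update.'
}
```

On a Windows 2000 or 2003 host without PowerShell, `cscript smtpreg.vbs /enum` from the Exchange SDK walks the same COM interfaces and prints every binding, including sinks for events other than OnArrival. A host with no sinks bound and the IIS 5.0 or Exchange 2000 SMTP service is not exposed through this path, but the patch should still be applied, since any later product installation can add a sink.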

The workaround is to disable event sinks, which may not be an option if your third-party AV or spam-filtering software depends on them.  Customers should apply the patches to resolve this flaw at the earliest opportunity.

http://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx
Joshua

Oct 11th 2005
