Martin Pavlis

Critical vulnerability in Microsoft Exchange!

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

What causes the vulnerability?
An unchecked buffer in the SMTP service.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Who could exploit the vulnerability?
On Exchange 2000, any anonymous user who could connect to an SMTP port on the Exchange Server and issue a specially crafted extended verb request.

On Exchange 2003, the level of authentication required to exploit this vulnerability is typically only granted to other Exchange Servers within the same organization. In this case, the attacker would have to connect to an SMTP port on the Exchange Server with the authority of another Exchange Server within the same organization and issue a specially crafted extended verb request.

How could an attacker exploit the vulnerability?
An unauthenticated attacker could seek to exploit this vulnerability by connecting to an SMTP port on the Exchange 2000 server and by issuing a specially-crafted extended verb request. This could allow an attacker to take any action on the system in the security context of the SMTP service. By default, the SMTP service runs as Local System.

For Exchange 2003, an attacker who could authenticate as an account in Exchange Enterprise Servers or Exchange Domain Servers groups could exploit this vulnerability.

Because Exchange 2000 Server uses the Windows 2000 SMTP service, does the vulnerability affect the SMTP service in Windows 2000?
No. The vulnerability does not affect the Microsoft SMTP service on systems that are running Windows 2000 that do not have Exchange 2000 Server installed.

The vulnerability also does not affect the Microsoft SMTP services that can be installed on Windows NT Server 4.0 or on Windows XP.

Can this be exploited directly by using e-mail?
No. This vulnerability could not be exploited by sending a specially-crafted e-mail message to a mailbox that is hosted on an Exchange server. An attacker would have to connect directly to the SMTP port on an Exchange server.

What does the update do?
The update removes the vulnerability by modifying the way that the SMTP Service validates the length of a message before it passes the message to the allocated buffer.

Additionally, the update for Exchange 2000 adds authentication requirements similar to those already present in Exchange 2003.
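The bulletin describes the root cause as an unchecked buffer and the fix as validating the length of the request before it reaches the allocated buffer. As an added illustration (this is not Exchange's or Microsoft's code, and the verb name, the 64-byte buffer size and the return codes are assumptions), the C snippet below shows the general pattern of such a fix: a parser for the argument of an SMTP verb that refuses any argument which would not fit the destination buffer, instead of copying it unconditionally.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer for the argument of an SMTP extended verb.
 * The size is an assumption for illustration, not Exchange's real limit. */
#define VERB_ARG_MAX 64

/* Hypothetical status codes returned by the parser below. */
enum verb_status {
    VERB_OK = 0,
    VERB_TOO_LONG = -1,
    VERB_BAD_SYNTAX = -2
};

/* Copy the argument that follows "<VERB><space>" in one SMTP command line
 * into out (capacity out_cap), validating its length before the copy.
 * The pre-fix pattern this replaces is a copy with no length check, which
 * is what lets an oversized argument overrun a fixed-size buffer. */
int parse_verb_arg(const char *line, char *out, size_t out_cap)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return VERB_BAD_SYNTAX;        /* no argument at all */

    const char *arg = sp + 1;
    size_t n = strcspn(arg, "\r\n");   /* argument ends at CRLF */

    /* The essential check: the argument plus its terminator must fit. */
    if (n >= out_cap)
        return VERB_TOO_LONG;

    memcpy(out, arg, n);
    out[n] = '\0';
    return VERB_OK;
}

int main(void)
{
    char buf[VERB_ARG_MAX];

    /* Constructed sample command lines; the verb name is made up. */
    const char *ok_line = "X-HYPOTHETICAL-VERB short-argument\r\n";
    char long_line[256];
    memset(long_line, 'A', sizeof long_line);
    memcpy(long_line, "X-HYPOTHETICAL-VERB ", 20);
    long_line[sizeof long_line - 1] = '\0';

    printf("short argument -> %d (%s)\n",
           parse_verb_arg(ok_line, buf, sizeof buf), buf);      /* 0 */
    printf("oversized argument -> %d\n",
           parse_verb_arg(long_line, buf, sizeof buf));         /* -1 */
    return 0;
}
```

The point of the example is where the check sits: the length is compared against the destination's capacity before any byte is written, so an over-long request is rejected with an error rather than being truncated silently or, as in the unpatched code the bulletin describes, written past the end of the buffer.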

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx