MS05-048 CDO Object Remote Code Execution

Published: 2005-10-11
Last Updated: 2005-10-11 18:46:55 UTC
by Joshua Wright (Version: 1)

KB: Win2K SP4 - KB901017, WinXP SP1/SP2 - KB901017, Win2K3 - KB901017
CVE: CAN-2005-1987

Collaborative Data Objects (CDO) allow Windows systems to send email through SMTP or a Microsoft Exchange server.  An unchecked buffer in the CDO functions for Windows 2000 and later systems (CDOSYS) and in Microsoft Exchange servers (CDOEX) allows an attacker to compromise the target host.  To trigger this vulnerability, an attacker has to deliver a specially-crafted mail message via SMTP that is then processed by the event sink handling subsystem, which is designed for granular processing of CDO messages.

The mitigating circumstance for this vulnerability is that the IIS 5.0 and Exchange 2000 SMTP services do not use event sinks by default.  The IIS 6.0 SMTP service does use event sinks and is therefore vulnerable, but IIS 6 does not install the SMTP service by default.  There is some confusion in the Microsoft bulletin about Exchange 2003, as it is listed both as "not vulnerable" and in the "affected software" section of the bulletin.

The challenge in determining whether your IIS SMTP service or Exchange 2000 system is vulnerable is that it depends on whether or not event sinks are in use on your system.  Third-party software such as SPAM gateways or anti-virus products may install event sinks to process email messages, making systems running these products vulnerable to this flaw.

The workaround is to disable event sinks, which may not be an option for your third-party AV or SPAM filtering software.  Customers should apply the patches to resolve this flaw at the earliest opportunity.
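The two checks a practitioner wants here are whether the SMTP service and any registered event sinks are present on a host, and whether the KB901017 update has been applied. The following PowerShell script, which is an added example and not part of the original diary or of any Microsoft tooling, performs an inventory of both. It assumes PowerShell is available on the Windows 2000/XP/2003 host being checked, that the SEO (Server Extension Objects) COM automation model behaves as the Platform SDK's smtpreg.vbs uses it (Event.Manager ProgID with SourceTypes, Sources, EventTypes and GetBindingManager().Bindings), and that the SMTP source type GUID {fb65c4dc-e468-11d1-aa67-00c04fa345f6} identifies the SMTP service; these are assumptions about the COM model, not facts taken from the diary.

```powershell
# Inventory check for MS05-048 exposure (added example, not from the diary).
# Reports: SMTP service presence, registered SMTP event sinks, and KB901017 status.
# The script only reads configuration; it does not disable or remove any sink.

$KbId = 'KB901017'                                             # patch id from the bulletin
$SmtpSourceTypeGuid = '{fb65c4dc-e468-11d1-aa67-00c04fa345f6}'  # assumption: SEO SMTP source type

function Test-SmtpServiceInstalled {
    # SMTPSVC is the IIS SMTP service name; absent on IIS 6 unless explicitly installed.
    $svc = Get-Service -Name 'SMTPSVC' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    Write-Host ("SMTP service present, state: {0}" -f $svc.Status)
    return $true
}

function Test-HotfixInstalled([string]$Id) {
    # Win32_QuickFixEngineering lists installed updates on 2000/XP/2003.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ErrorAction SilentlyContinue |
           Where-Object { $_.HotFixID -eq $Id }
    return ($null -ne $qfe)
}

function Get-SmtpEventSinks {
    # Assumption: SEO COM model as used by smtpreg.vbs from the Platform SDK.
    # Returns one record per binding so third-party sinks (AV, anti-spam) become visible.
    $results = @()
    try {
        $mgr = New-Object -ComObject 'Event.Manager'
    } catch {
        Write-Warning "Event.Manager COM object not available; SEO may not be installed."
        return $results
    }
    $sourceType = $mgr.SourceTypes.Item($SmtpSourceTypeGuid)
    if ($null -eq $sourceType) { return $results }
    foreach ($source in $sourceType.Sources) {            # one source per SMTP virtual server
        $bindMgr = $source.GetBindingManager()
        foreach ($evt in $sourceType.EventTypes) {        # OnArrival, OnTransportSubmission, ...
            foreach ($binding in $bindMgr.Bindings($evt.ID)) {
                $results += New-Object PSObject -Property @{
                    VirtualServer = $source.DisplayName
                    EventType     = $evt.DisplayName
                    SinkName      = $binding.DisplayName
                    SinkClass     = $binding.SinkClass   # ProgID/CLSID of the sink implementation
                    Enabled       = $binding.Enabled
                }
            }
        }
    }
    return $results
}

# --- main inventory -------------------------------------------------------
if (-not (Test-SmtpServiceInstalled)) {
    Write-Host "SMTP service not installed; host not exposed through IIS SMTP."
} else {
    $sinks = Get-SmtpEventSinks
    if ($sinks.Count -eq 0) {
        Write-Host "No SMTP event sinks registered (default for IIS 5.0 / Exchange 2000)."
    } else {
        Write-Host "Registered SMTP event sinks (review any third-party SinkClass):"
        $sinks | Format-Table VirtualServer, EventType, SinkName, SinkClass, Enabled -AutoSize
    }
}
if (Test-HotfixInstalled $KbId) {
    Write-Host "$KbId is installed."
} else {
    Write-Host "$KbId is NOT installed; apply the MS05-048 update."
}
```

Run the script in an elevated PowerShell session on each SMTP-capable host; if the Event.Manager object is unavailable, the SDK's `cscript smtpreg.vbs /enum` produces the same sink listing. Any enabled binding whose SinkClass does not belong to a Microsoft component is the third-party sink the diary describes, and those hosts should be prioritised for the KB901017 update rather than relying on the disable-sinks workaround.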