CVE-2002-0055 - Incorrect Resource Transfer Between Spheres vulnerability in Microsoft Exchange Server, Windows 2000 and Windows XP
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | PARTIAL |

Summary
SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows remote attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
OS | | 4 |
Common Weakness Enumeration (CWE)
Nessus
Field | Value |
---|---|
NASL family | SMTP problems |
NASL id | MSSMTP_DOS.NASL |
description | It is possible to make the remote SMTP server fail and restart by sending specially crafted |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10885 |
published | 2002-03-08 |
reporter | This script is Copyright (C) 2002-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10885 |
title | Microsoft Windows SMTP Service Malformed BDAT Request Remote DoS |

code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10885);
 script_version("1.34");
 script_cvs_date("Date: 2018/11/15 20:50:24");

 script_cve_id("CVE-2002-0055");
 script_bugtraq_id(4204);
 script_xref(name:"MSFT", value:"MS02-012");
 script_xref(name:"MSKB", value:"313450");

 script_name(english:"Microsoft Windows SMTP Service Malformed BDAT Request Remote DoS");
 script_summary(english:"Checks if the remote SMTP server can be restarted");

 script_set_attribute(attribute:"synopsis", value:
"The remote SMTP server is affected by a denial of service vulnerability.");
 script_set_attribute(attribute:"description", value:
"It is possible to make the remote SMTP server fail and restart by sending specially crafted 'BDAT' requests. The service will restart automatically, but all the connections established at the time of the attack will be dropped.
An attacker may use this flaw to make mail delivery to your site less efficient.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-012");
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=101558498401274&w=2");
 # http://web.archive.org/web/20020417221630/http://www.digitaloffense.net/mssmtp/mssmtp_dos.pl
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ee067e2c");
 script_set_attribute(attribute:"solution", value:
"Apply the patch referenced above.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/03/08");
 script_set_attribute(attribute:"vuln_publication_date", value:"2002/03/06");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"SMTP problems");
 script_dependencie("smtpserver_detect.nasl");
 script_require_ports("Services/smtp", 25);
 exit(0);
}

#
# The script code starts here
#

include("misc_func.inc");
include("smtp_func.inc");

port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);

soc = open_sock_tcp(port);
if(!soc)exit(0);

data = smtp_recv_banner(socket:soc);
crp = 'HELO example.com\r\n';
send(socket:soc, data:crp);
data = recv_line(socket:soc, length:1024);
if(!(ereg(pattern:"^250 .* Hello .*", string:data)))exit(0);

crp = 'MAIL FROM: [email protected]\r\n';
send(socket:soc, data:crp);
data = recv_line(socket:soc, length:1024);
crp = 'RCPT TO: Administrator\r\n';
send(socket:soc, data:crp);
data = recv_line(socket:soc, length:1024);
crp = 'BDAT 4\r\n';
send(socket:soc, data:crp);
crp = 'b00mAUTH LOGIN\r\n';
send(socket:soc, data:crp);
r = recv_line(socket:soc, length:255);
if(ereg(pattern:"^250 .*", string:r))
{
 r = recv_line(socket:soc, length:5);

 # Patched server say : "503 5.5.2 BDAT Expected"
 # Vulnerable servers say : "334 VXNlcm5hbWU6"
 if(ereg(pattern:"^334 .*",string:r))
   security_warning(port);
}
smtp_close(socket: soc);
```

Field | Value |
---|---|
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS02-012.NASL |
description | The remote host contains a flaw in its SMTP service that could allow an attacker to crash it. Vulnerable services are SMTP service (Windows XP/Windows 2000) and Exchange 2000 (Windows 2000). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 20885 |
published | 2007-03-28 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/20885 |
title | MS02-012: Malformed Data Transfer Request can Cause Windows SMTP Service to Fail (313450) |

code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(20885);
 script_version("1.29");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2002-0055");
 script_bugtraq_id(4204);
 script_xref(name:"MSFT", value:"MS02-012");
 script_xref(name:"MSKB", value:"313450");

 script_name(english:"MS02-012: Malformed Data Transfer Request can Cause Windows SMTP Service to Fail (313450)");
 script_summary(english:"Checks for MS Hotfix Q313450");

 script_set_attribute(attribute:"synopsis", value:"It is possible to crash the mail service.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a flaw in its SMTP service that could allow an attacker to crash it.
Vulnerable services are SMTP service (Windows XP/Windows 2000) and Exchange 2000 (Windows 2000).");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-012");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2000.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/27");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/02/27");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/28");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS02-012';
kb = '313450';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'2', xp:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Smtpsvc.dll", version:"6.0.2600.28", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Smtpsvc.dll", version:"5.0.2195.4905", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
Oval
Field | Value |
---|---|
accepted | 2011-05-16T04:02:41.296-04:00 |
class | vulnerability |
contributors | |
description | SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows remote attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request. |
family | windows |
id | oval:org.mitre.oval:def:30 |
status | accepted |
submitted | 2003-05-20T12:00:00.000-04:00 |
title | Microsoft SMTP Malformed BDAT Request Denial of Service |
version | 32 |
References
- http://marc.info/?l=bugtraq&m=101558498401274&w=2
- http://www.iss.net/security_center/static/8307.php
- http://www.securityfocus.com/bid/4204
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-012
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A30