2003

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

microsoft

CWE-787

nessus

exploit available

NVD

Published: 2005-05-02

Updated: 2020-04-09

Summary

Heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Exchange Server 2000 Microsoft Exchange Server 2003	2

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Exploit-Db

description	MS Exchange Server Remote Code Execution Exploit (MS05-021). CVE-2005-0560. Remote exploit for windows platform
id	EDB-ID:947
last seen	2016-01-31
modified	2005-04-19
published	2005-04-19
reporter	Evgeny Pinchuk
source	https://www.exploit-db.com/download/947/
title	Microsoft Exchange Server Remote Code Execution Exploit MS05-021

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS05-021.NASL
description	The remote host contains a flaw in its SMTP service that could allow remote code execution. Vulnerable services are Exchange 2003 (Windows 2000) and Exchange 2000. A public code is available to exploit this vulnerability.
last seen	2020-06-01
modified	2020-06-02
plugin id	18024
published	2005-04-12
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/18024
title	MS05-021: Vulnerability in SMTP Could Allow Remote Code Execution (894549)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(18024); script_version("1.40"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2005-0560"); script_bugtraq_id(13118); script_xref(name:"MSFT", value:"MS05-021"); script_xref(name:"CERT", value:"275193"); script_xref(name:"EDB-ID", value:"947"); script_xref(name:"MSKB", value:"894549"); script_name(english:"MS05-021: Vulnerability in SMTP Could Allow Remote Code Execution (894549)"); script_summary(english:"Checks for MS Hotfix 894549"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the SMTP server."); script_set_attribute(attribute:"description", value: "The remote host contains a flaw in its SMTP service that could allow remote code execution. Vulnerable services are Exchange 2003 (Windows 2000) and Exchange 2000. A public code is available to exploit this vulnerability."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-021"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Exchange 2000 and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/12"); script_set_attribute(attribute:"patch_publication_date", value:"2005/04/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS05-021'; kb = '894549'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); if ( hotfix_check_nt_server() <= 0 ) exit(0); version = get_kb_item ("SMB/Exchange/Version"); sp = get_kb_item ("SMB/Exchange/SP"); if ( ! version ) exit(0); if ( version == 65 ) { if (sp && (sp >= 2)) exit (0); if (is_accessible_share()) { if (sp) { if ( hotfix_check_fversion(file:"Xlsasink.dll", version:"6.5.7232.89", path:get_kb_item("SMB/Exchange/Path") + "\bin", bulletin:bulletin, kb:kb) == HCF_OLDER ) { set_kb_item(name:"SMB/Missing/MS05-021", value:TRUE); hotfix_security_hole(); } } else { if ( hotfix_check_fversion(file:"Xlsasink.dll", version:"6.5.6981.3", path:get_kb_item("SMB/Exchange/Path") + "\bin", bulletin:bulletin, kb:kb) == HCF_OLDER ) { set_kb_item(name:"SMB/Missing/MS05-021", value:TRUE); hotfix_security_hole(); } } hotfix_check_fversion_end(); } else { if ( hotfix_missing(name:"894549") > 0 ) { set_kb_item(name:"SMB/Missing/MS05-021", value:TRUE); hotfix_add_report(bulletin:bulletin, kb:kb); hotfix_security_hole(); } } exit (0); } if (version == 60) { if (sp && (sp >= 4)) exit (0); if (is_accessible_share()) { if ( hotfix_check_fversion(file:"Xlsasink.dll", version:"6.0.6617.52", path:get_kb_item("SMB/Exchange/Path") + "\bin", bulletin:bulletin, kb:kb) == HCF_OLDER ) { set_kb_item(name:"SMB/Missing/MS05-021", value:TRUE); hotfix_security_hole(); } hotfix_check_fversion_end(); } else { if ( hotfix_missing(name:"894549") > 0 ) { set_kb_item(name:"SMB/Missing/MS05-021", value:TRUE); hotfix_add_report(bulletin:bulletin, kb:kb); hotfix_security_hole(); } } exit (0); }

Oval

accepted

2005-06-22T12:38:00.000-04:00

class

vulnerability

contributors

name	Christine Walzer
organization	The MITRE Corporation

description

family

windows

oval:org.mitre.oval:def:4032

status

accepted

submitted

2005-04-21T12:00:00.000-04:00

title

Exchange Server SMTP Buffer Overflow

version

Saint

bid	13118
description	Microsoft Exchange X-LINK2STATE buffer overflow
id	mail_smtp_exchangexl2s
osvdb	15467
title	exchange_x_link2state_bo
type	remote

Seebug

bulletinFamily	exploit
description	<p><strong>漏洞描述：</strong></p><p>Microsoft Exchange是一款由微软开发的邮件服务程序。Microsoft Exchange Server中存在缓冲区溢出漏洞，攻击者可能利用此漏洞在主机上执行任意指令。起因是Exchange SMTP Server在处理特殊的扩展SMTP verb时存在缓冲区溢出。漏洞可能允许攻击者连接到Exchange服务器的SMTP端口并发送精心构造的恶意命令，这些命令可能导致拒绝服务或以SMTP服务进程的权限运行攻击者所选择的代码。</p><p><strong>漏洞影响：</strong></p><p>受影响的软件：</p><p> •Microsoft Exchange Server 2000 Service Pack 3 </p><p>•Microsoft Exchange Server 2003 </p><p>•Microsoft Exchange Server 2003 Service Pack 1 </p><p>不受影响的软件：</p><p>•Microsoft Exchange Server 5.5 Service Pack 4</p><p>•Microsoft Exchange Server 5.0 Service Pack 2</p><p><strong>CVE-ID：CVE-2005-0560 </strong></p><p><strong>CNNVD-ID：CNNVD-200505-527</strong></p><p><strong>CNVD-ID：CNVD-2005-0869 </strong></p><p><strong>解决方案：</strong></p><p>Microsoft </p><p>--------- </p><p>Microsoft已经为此发布了一个安全公告（MS05-021）以及相应补丁:</p><p>MS05-021：Vulnerability in Exchange Server Could Allow Remote Code Execution (894549)链接：<a href="http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx">http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx</a></p><p>补丁下载：Microsoft Exchange 2000 Server Service Pack 3 - <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66">http://www.microsoft.com/downloads/details.aspx?FamilyId=2A2AF17E-2E4A-4479-8AC9-B5544EA0BD66</a> </p><p>Microsoft Exchange Server 2003 ？C </p><p> <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267">http://www.microsoft.com/downloads/details.aspx?FamilyId=97F409EB-C8D0-4C94-A67B-5945E26C9267</a> </p><p>Microsoft Exchange Server 2003 Service Pack ？C <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC">http://www.microsoft.com/downloads/details.aspx?FamilyId=35BCE74A-E84A-4035-BF18-196368F032CC</a></p>
id	SSV:13682
last seen	2017-11-19
modified	2005-04-19
published	2005-04-19
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-13682
title	MS Exchange Server Remote Code Execution Exploit (MS05-021)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Nessus

Oval

Saint

Seebug

References