CVE-2010-0025 - Information Exposure vulnerability in Microsoft products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | NONE |
Availability impact | NONE |
Summary
The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies, which allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then sending a STARTTLS command, aka "SMTP Memory Allocation Vulnerability."
Vulnerable Configurations
Part | Description | Count
---|---|---
OS | | 11
Application | | 5
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including its version, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Msbulletin
bulletin_id | MS10-024 |
bulletin_url | |
date | 2010-04-13T00:00:00 |
impact | Denial of Service |
knowledgebase_id | 981832 |
knowledgebase_url | |
severity | Important |
title | Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS10-024.NASL |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 45511 |
published | 2010-04-13 |
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/45511 |
title | MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) |

description

The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability:
- Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)
- Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025)
- Predictable transaction IDs are used, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1689)
- There is no verification that the transaction ID of a response matches the transaction ID of a query, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1690)

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(45511);
  script_version("1.27");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id(
    "CVE-2010-0024",
    "CVE-2010-0025",
    "CVE-2010-1689",
    "CVE-2010-1690"
  );
  script_bugtraq_id(39308, 39381, 39908, 39910);
  script_xref(name:"MSFT", value:"MS10-024");
  script_xref(name:"IAVB", value:"2010-B-0029");
  script_xref(name:"MSKB", value:"976323");
  script_xref(name:"MSKB", value:"976702");
  script_xref(name:"MSKB", value:"976703");
  script_xref(name:"MSKB", value:"981383");
  script_xref(name:"MSKB", value:"981401");
  script_xref(name:"MSKB", value:"981407");

  script_name(english:"MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)");
  script_summary(english:"Checks versions of Smtpsvc.dll or Exchange-specific files");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote mail server may be affected by multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The installed version of Microsoft Exchange / Windows SMTP Service is
affected by at least one vulnerability :

  - Incorrect parsing of DNS Mail Exchanger (MX) resource
    records could cause the Windows Simple Mail Transfer
    Protocol (SMTP) component to stop responding until the
    service is restarted. (CVE-2010-0024)

  - Improper allocation of memory for interpreting SMTP
    command responses may allow an attacker to read random
    email message fragments stored on the affected server.
    (CVE-2010-0025)

  - Predictable transaction IDs are used, which could allow
    a man-in-the-middle attacker to spoof DNS responses.
    (CVE-2010-1689)

  - There is no verification that the transaction ID of a
    response matches the transaction ID of a query, which
    could allow a man-in-the-middle attacker to spoof DNS
    responses. (CVE-2010-1690)"
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-024");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003, and
2008 as well as Exchange Server 2000, 2003, 2007, and 2010."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-024';
kbs = make_list("976323", "976702", "976703", "981383", "981401", "981407");

if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'1,2', win7:'0') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", arch:"x64", file:"Smtpsvc.dll", version:"7.5.7600.20660", min_version:"7.5.7600.20000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
  hotfix_is_vulnerable(os:"6.1", arch:"x64", file:"Smtpsvc.dll", version:"7.5.7600.16544", min_version:"7.5.7600.16000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||

  # Windows 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Smtpsvc.dll", version:"7.0.6002.22354", min_version:"7.0.6002.22000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Smtpsvc.dll", version:"7.0.6002.18222", min_version:"7.0.6002.18000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Smtpsvc.dll", version:"7.0.6001.22648", min_version:"7.0.6001.22000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Smtpsvc.dll", version:"7.0.6001.18440", min_version:"7.0.6001.18000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||

  # Windows 2003 / XP x64
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Smtpsvc.dll", version:"6.0.3790.4675", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||

  # Windows XP x86
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Smtpsvc.dll", version:"6.0.2600.5949", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Smtpsvc.dll", version:"6.0.2600.3680", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||

  # Windows 2000
  hotfix_is_vulnerable(os:"5.0", file:"Smtpsvc.dll", version:"5.0.2195.7381", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323")
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}

# Check Exchange Server.
version = get_kb_item("SMB/Exchange/Version");
if (version)
{
  # 2000
  if (version == 60)
  {
    sp = get_kb_item("SMB/Exchange/SP");
    if (sp && sp > 3)
    {
      hotfix_check_fversion_end();
      exit(0, "Exchange Server 2000 Service Pack "+sp+" is installed and thus not affected.");
    }

    rootfile = get_kb_item("SMB/Exchange/Path");
    if (!rootfile)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
    }
    rootfile = rootfile + "\bin";

    if (
      hotfix_check_fversion(path:rootfile, file:"Mdbmsg.dll", version:"6.0.6620.15", bulletin:bulletin, kb:"976703") == HCF_OLDER ||
      hotfix_check_fversion(path:rootfile, file:"Store.exe", version:"6.0.6620.15", bulletin:bulletin, kb:"976703") == HCF_OLDER
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
  }
  # 2003
  else if (version == 65)
  {
    sp = get_kb_item ("SMB/Exchange/SP");
    if (sp && sp > 2)
    {
      hotfix_check_fversion_end();
      exit(0, "Exchange Server 2003 Service Pack "+sp+" is installed and thus not affected.");
    }

    rootfile = get_kb_item("SMB/Exchange/Path");
    if (!rootfile)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
    }
    rootfile = rootfile + "\bin";

    if (
      hotfix_check_fversion(path:rootfile, file:"Msgfilter.dll", version:"6.5.7656.2", bulletin:bulletin, kb:"976702") == HCF_OLDER ||
      hotfix_check_fversion(path:rootfile, file:"Turflist.dll", version:"6.5.7656.2", bulletin:bulletin, kb:"976702") == HCF_OLDER
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
  }
  # 2007
  else if (version == 80)
  {
    sp = get_kb_item ("SMB/Exchange/SP");
    if (sp && sp > 2)
    {
      hotfix_check_fversion_end();
      exit(0, "Exchange Server 2007 Service Pack "+sp+" is installed and thus not affected.");
    }

    rootfile = get_kb_item("SMB/Exchange/Path");
    if (!rootfile)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
    }
    rootfile = rootfile + "\bin";

    dll = "Microsoft.Exchange.Setup.Common.dll";
    if (
      hotfix_check_fversion(path:rootfile, file:dll, version:"8.2.254.0", min_version:"8.2.0.0", bulletin:bulletin, kb:"981383") == HCF_OLDER ||
      hotfix_check_fversion(path:rootfile, file:dll, version:"8.1.436.0", min_version:"8.1.0.0", bulletin:bulletin, kb:"981407") == HCF_OLDER
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
  }
  # 2010
  else if (version == 140)
  {
    sp = get_kb_item ("SMB/Exchange/SP");
    if (sp && sp > 0)
    {
      hotfix_check_fversion_end();
      exit(0, "Exchange Server 2010 Service Pack "+sp+" is installed and thus not affected.");
    }

    rootfile = get_kb_item("SMB/Exchange/Path");
    if (!rootfile)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
    }
    rootfile = rootfile + "\bin";

    if (
      hotfix_check_fversion(path:rootfile, file:"Microsoft.Exchange.Diagnostics.dll", version:"14.0.694.0", bulletin:bulletin, kb:"981401") == HCF_OLDER ||
      hotfix_check_fversion(path:rootfile, file:"Microsoft.Exchange.Setup.Common.dll", version:"14.0.694.0", bulletin:bulletin, kb:"981401") == HCF_OLDER
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
  }
}

hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
```
NASL family | Windows |
NASL id | EXCHANGE_MS10-024.NASL |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 108800 |
published | 2018-04-03 |
reporter | This script is Copyright (C) 2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/108800 |
title | MS10-024: Microsoft Exchange Denial of Service (uncredentialed) |

description

The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability:
- Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)
- Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025)
- Predictable transaction IDs are used, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1689)
- There is no verification that the transaction ID of a response matches the transaction ID of a query, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1690)

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108800);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id(
    "CVE-2010-0024",
    "CVE-2010-0025",
    "CVE-2010-1689",
    "CVE-2010-1690"
  );
  script_bugtraq_id(
    39308,
    39381,
    39908,
    39910
  );
  script_xref(name:"MSFT", value:"MS10-024");
  script_xref(name:"IAVB", value:"2010-B-0029");
  script_xref(name:"MSKB", value:"976323");
  script_xref(name:"MSKB", value:"976702");
  script_xref(name:"MSKB", value:"976703");
  script_xref(name:"MSKB", value:"981383");
  script_xref(name:"MSKB", value:"981401");
  script_xref(name:"MSKB", value:"981407");

  script_name(english:"MS10-024: Microsoft Exchange Denial of Service (uncredentialed)");
  script_summary(english:"Checks the version of Exchange");

  script_set_attribute(attribute:"synopsis", value:
"The remote mail server may be affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The installed version of Microsoft Exchange / Windows SMTP Service is
affected by at least one vulnerability :

  - Incorrect parsing of DNS Mail Exchanger (MX) resource
    records could cause the Windows Simple Mail Transfer
    Protocol (SMTP) component to stop responding until the
    service is restarted. (CVE-2010-0024)

  - Improper allocation of memory for interpreting SMTP
    command responses may allow an attacker to read random
    email message fragments stored on the affected server.
    (CVE-2010-0025)

  - Predictable transaction IDs are used, which could allow
    a man-in-the-middle attacker to spoof DNS responses.
    (CVE-2010-1689)

  - There is no verification that the transaction ID of a
    response matches the transaction ID of a query, which
    could allow a man-in-the-middle attacker to spoof DNS
    responses. (CVE-2010-1690)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-024");
  script_set_attribute(attribute:"solution",value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003, and
2008 as well as Exchange Server 2000, 2003, 2007, and 2010.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");

  script_dependencies("exchange_detect.nbin");
  script_require_keys("installed_sw/Exchange Server");
  script_require_ports("Services/smtp", 25, "Services/pop3", 143, "Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("vcf.inc");

appname = 'Exchange Server';
get_install_count(app_name:appname, exit_if_zero:TRUE);

smtp_ports = get_kb_list("Services/smtp");
pop3_ports = get_kb_list("Services/pop3");
http_ports = get_kb_list("Services/www");
ports = make_list(smtp_ports, pop3_ports, http_ports);
port = branch(ports);

app_info = vcf::get_app_info(app:appname, port:port, service:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  {"min_version" : "6.0.0", "fixed_version":"6.0.6620.15"},
  {"min_version" : "6.5.0", "fixed_version":"6.5.7656.2"},
  {"min_version" : "8.0.0", "fixed_version":"8.1.436.0"},
  {"min_version" : "8.2.0", "fixed_version":"8.2.254.0"},
  {"min_version" : "14.0.0","fixed_version":"14.0.694.0"}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
```
NASL family | SMTP problems |
NASL id | SMTP_KB981832.NASL |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 45517 |
published | 2010-04-13 |
reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/45517 |
title | Checks the remote SMTP server is patched for KB981832 |

description

The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability:
- Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)
- Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025)

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

# nb: script_name() is too long for Nessus 2.x.
if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(45517);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_cve_id("CVE-2010-0024", "CVE-2010-0025");
  script_bugtraq_id(39381);
  script_xref(name:"MSFT", value:"MS10-024");
  script_xref(name:"IAVB", value:"2010-B-0029");
  script_xref(name:"MSKB", value:"981832");

  script_name(english:"MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)");
  script_summary(english:"Checks the remote SMTP server is patched for KB981832");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote mail server may be affected by multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The installed version of Microsoft Exchange / Windows SMTP Service is
affected by at least one vulnerability :

  - Incorrect parsing of DNS Mail Exchanger (MX) resource
    records could cause the Windows Simple Mail Transfer
    Protocol (SMTP) component to stop responding until the
    service is restarted. (CVE-2010-0024)

  - Improper allocation of memory for interpreting SMTP
    command responses may allow an attacker to read random
    email message fragments stored on the affected server.
    (CVE-2010-0025)"
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-024");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003, and
2008 as well as Exchange Server 2000, 2003, 2007, and 2010."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SMTP problems");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencie("smtpserver_detect.nasl", "doublecheck_std_services.nasl");
  script_require_ports("Services/smtp", 25);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");

last_vers = NULL;

function _vers_cmp(a,b)
{
  local_var i, c;

  a = split(a, sep:'.', keep:FALSE);
  c = b;
  b = split(b, sep:'.', keep:FALSE);
  last_vers = NULL;

  if ( max_index(a) != 4 || max_index(b) != 4 ) return 0; # ???

  for ( i = 0 ; i < 4; i ++ )
  {
    if ( int(a[i]) != int(b[i]) )
    {
      if ( i < 3 ) return 0; # Only compare the maj version
      last_vers = c;
      return int(a[i]) - int(b[i]);
    }
  }
  return 0;
}

function vers_cmp(ref, version, min)
{
  if ( _vers_cmp(a:version, b:min) < 0 ) return 0;
  return _vers_cmp(a:version, b:ref);
}

port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");

banner = get_smtp_banner(port:port);
if ( ! banner ) exit(1, "Nessus failed to extract the greeting from the SMTP server on port "+port+".");

line = egrep(pattern:"^220 .* Microsoft ESMTP MAIL Service, Version: ([0-9.]+) ready at.*", string:banner);
if ( ! line ) exit(0, "The greeting from the SMTP server on port "+port+" does not look like Microsoft's SMTP service.");

version = chomp(ereg_replace(pattern:"^220 .* Microsoft ESMTP MAIL Service, Version: ([0-9.]+) ready at.*", string:line, replace:"\1"));

if (
  # Windows 2000
  vers_cmp(version:version, ref:"5.0.2195.7381", min:"5.0.2195.0") < 0 ||
  # Windows 2003, XP x64
  vers_cmp(version:version, ref:"6.0.3790.4675", min:"6.0.3790.0") < 0 ||
  # Windows XP SP2
  vers_cmp(version:version, ref:"6.0.2600.3680", min:"6.0.2600.0") < 0 ||
  # Windows XP SP3
  vers_cmp(version:version, ref:"6.0.2600.5949", min:"6.0.2600.5000") < 0 ||
  # Windows 2008
  vers_cmp(version:version, ref:"7.0.6001.18440", min:"7.0.6001.0") < 0 ||
  vers_cmp(version:version, ref:"7.0.6001.22648", min:"7.0.6001.22000") < 0 ||
  vers_cmp(version:version, ref:"7.0.6002.18222", min:"7.0.6002.0") < 0 ||
  vers_cmp(version:version, ref:"7.0.6002.22354", min:"7.0.6002.22000") < 0 ||
  # Windows 2008 R2
  vers_cmp(version:version, ref:"7.5.7600.16544", min:"7.5.7600.0") < 0 ||
  vers_cmp(version:version, ref:"7.5.7600.20660", min:"7.5.7600.20000") < 0
)
{
  security_warning(port:port, extra:'\nThe remote version of the smtpsvc.dll is ' + version + ' versus ' + last_vers + '.');
  exit(0);
}
else exit(0, "The SMTP server on port "+port+" uses smtpsvc.dll "+version+" and hence is not affected.");
```
Oval
accepted | 2014-08-18T04:00:18.622-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies, which allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then sending a STARTTLS command, aka "SMTP Memory Allocation Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:12175 |
status | accepted |
submitted | 2010-11-04T13:00:00 |
title | SMTP Memory Allocation Vulnerability |
version | 49 |