Vulnerabilities > CVE-2010-0025 - Information Exposure vulnerability in Microsoft products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
microsoft
CWE-200
nessus

Summary

The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies, which allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then sending a STARTTLS command, aka "SMTP Memory Allocation Vulnerability."

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Msbulletin

bulletin_idMS10-024
bulletin_url
date2010-04-13T00:00:00
impactDenial of Service
knowledgebase_id981832
knowledgebase_url
severityImportant
titleVulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS10-024.NASL
    descriptionThe installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability : - Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024) - Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025) - Predictable transaction IDs are used, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1689) - There is no verification that the transaction ID of a response matches the transaction ID of a query, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1690)
    last seen2020-06-01
    modified2020-06-02
    plugin id45511
    published2010-04-13
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/45511
    titleMS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(45511);
      script_version("1.27");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id(
        "CVE-2010-0024",
        "CVE-2010-0025",
        "CVE-2010-1689",
        "CVE-2010-1690"
      );
      script_bugtraq_id(39308, 39381, 39908, 39910);
      script_xref(name:"MSFT", value:"MS10-024");
      script_xref(name:"IAVB", value:"2010-B-0029");
      script_xref(name:"MSKB", value:"976323");
      script_xref(name:"MSKB", value:"976702");
      script_xref(name:"MSKB", value:"976703");
      script_xref(name:"MSKB", value:"981383");
      script_xref(name:"MSKB", value:"981401");
      script_xref(name:"MSKB", value:"981407");
    
      script_name(english:"MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)");
      script_summary(english:"Checks versions of Smtpsvc.dll or Exchange-specific files");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote mail server may be affected by multiple vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The installed version of Microsoft Exchange / Windows SMTP Service
    is affected by at least one vulnerability :
    
      - Incorrect parsing of DNS Mail Exchanger (MX) resource
        records could cause the Windows Simple Mail Transfer
        Protocol (SMTP) component to stop responding until
        the service is restarted. (CVE-2010-0024)
    
      - Improper allocation of memory for interpreting SMTP
        command responses may allow an attacker to read random
        email message fragments stored on the affected server.
        (CVE-2010-0025)
    
      - Predictable transaction IDs are used, which could allow
        a man-in-the-middle attacker to spoof DNS responses.
        (CVE-2010-1689)
    
      - There is no verification that the transaction ID of a
        response matches the transaction ID of a query, which
        could allow a man-in-the-middle attacker to spoof DNS
        responses. (CVE-2010-1690)"
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-024");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    and 2008 as well as Exchange Server 2000, 2003, 2007, and 2010."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
    
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS10-024';
    kbs = make_list("976323", "976702", "976703", "981383", "981401", "981407");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows Server 2008 R2
      hotfix_is_vulnerable(os:"6.1",       arch:"x64", file:"Smtpsvc.dll", version:"7.5.7600.20660", min_version:"7.5.7600.20000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
      hotfix_is_vulnerable(os:"6.1",       arch:"x64", file:"Smtpsvc.dll", version:"7.5.7600.16544", min_version:"7.5.7600.16000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
    
      # Windows 2008
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Smtpsvc.dll", version:"7.0.6002.22354", min_version:"7.0.6002.22000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Smtpsvc.dll", version:"7.0.6002.18222", min_version:"7.0.6002.18000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Smtpsvc.dll", version:"7.0.6001.22648", min_version:"7.0.6001.22000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Smtpsvc.dll", version:"7.0.6001.18440", min_version:"7.0.6001.18000", dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
    
      # Windows 2003 / XP x64
      hotfix_is_vulnerable(os:"5.2", sp:2,             file:"Smtpsvc.dll", version:"6.0.3790.4675",                                dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
    
      # Windows XP x86
      hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Smtpsvc.dll", version:"6.0.2600.5949",                                dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Smtpsvc.dll", version:"6.0.2600.3680",                                dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323") ||
    
      # Windows 2000
      hotfix_is_vulnerable(os:"5.0",                   file:"Smtpsvc.dll", version:"5.0.2195.7381",                                dir:"\system32\inetsrv", bulletin:bulletin, kb:"976323")
      )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_warning();
    
      hotfix_check_fversion_end();
      exit(0);
    }
    
    # Check Exchange Server.
    version = get_kb_item("SMB/Exchange/Version");
    if (version)
    {
      # 2000
      if (version == 60)
      {
        sp = get_kb_item("SMB/Exchange/SP");
        if (sp && sp > 3)
        {
          hotfix_check_fversion_end();
          exit(0, "Exchange Server 2000 Service Pack "+sp+" is installed and thus not affected.");
        }
    
        rootfile = get_kb_item("SMB/Exchange/Path");
        if (!rootfile)
        {
          hotfix_check_fversion_end();
          audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
        }
        rootfile = rootfile + "\bin";
    
        if (
          hotfix_check_fversion(path:rootfile, file:"Mdbmsg.dll", version:"6.0.6620.15", bulletin:bulletin, kb:"976703") == HCF_OLDER ||
          hotfix_check_fversion(path:rootfile, file:"Store.exe",  version:"6.0.6620.15", bulletin:bulletin, kb:"976703") == HCF_OLDER
        )
        {
          set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
          hotfix_security_warning();
    
          hotfix_check_fversion_end();
          exit(0);
        }
      }
      # 2003
      else if (version == 65)
      {
        sp = get_kb_item ("SMB/Exchange/SP");
        if (sp && sp > 2)
        {
          hotfix_check_fversion_end();
          exit(0, "Exchange Server 2003 Service Pack "+sp+" is installed and thus not affected.");
        }
    
        rootfile = get_kb_item("SMB/Exchange/Path");
        if (!rootfile)
        {
          hotfix_check_fversion_end();
          audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
        }
        rootfile = rootfile + "\bin";
    
        if (
          hotfix_check_fversion(path:rootfile, file:"Msgfilter.dll", version:"6.5.7656.2", bulletin:bulletin, kb:"976702") == HCF_OLDER ||
          hotfix_check_fversion(path:rootfile, file:"Turflist.dll",  version:"6.5.7656.2", bulletin:bulletin, kb:"976702") == HCF_OLDER
        )
        {
          set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
          hotfix_security_warning();
    
          hotfix_check_fversion_end();
          exit(0);
        }
      }
      # 2007
      else if (version == 80)
      {
        sp = get_kb_item ("SMB/Exchange/SP");
        if (sp && sp > 2)
        {
          hotfix_check_fversion_end();
          exit(0, "Exchange Server 2007 Service Pack "+sp+" is installed and thus not affected.");
        }
    
        rootfile = get_kb_item("SMB/Exchange/Path");
        if (!rootfile)
        {
          hotfix_check_fversion_end();
          audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
        }
        rootfile = rootfile + "\bin";
    
        dll = "Microsoft.Exchange.Setup.Common.dll";
        if (
          hotfix_check_fversion(path:rootfile, file:dll, version:"8.2.254.0", min_version:"8.2.0.0", bulletin:bulletin, kb:"981383") == HCF_OLDER ||
          hotfix_check_fversion(path:rootfile, file:dll, version:"8.1.436.0", min_version:"8.1.0.0", bulletin:bulletin, kb:"981407") == HCF_OLDER
        )
        {
          set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
          hotfix_security_warning();
    
          hotfix_check_fversion_end();
          exit(0);
        }
      }
      # 2010
      else if (version == 140)
      {
        sp = get_kb_item ("SMB/Exchange/SP");
        if (sp && sp > 0)
        {
          hotfix_check_fversion_end();
          exit(0, "Exchange Server 2010 Service Pack "+sp+" is installed and thus not affected.");
        }
    
        rootfile = get_kb_item("SMB/Exchange/Path");
        if (!rootfile)
        {
          hotfix_check_fversion_end();
          audit(AUDIT_KB_MISSING, 'SMB/Exchange/Path');
        }
        rootfile = rootfile + "\bin";
    
        if (
          hotfix_check_fversion(path:rootfile, file:"Microsoft.Exchange.Diagnostics.dll",  version:"14.0.694.0", bulletin:bulletin, kb:"981401") == HCF_OLDER ||
          hotfix_check_fversion(path:rootfile, file:"Microsoft.Exchange.Setup.Common.dll", version:"14.0.694.0", bulletin:bulletin, kb:"981401") == HCF_OLDER
        )
        {
          set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
          hotfix_security_warning();
    
          hotfix_check_fversion_end();
          exit(0);
        }
      }
    }
    
    hotfix_check_fversion_end();
    audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familyWindows
    NASL idEXCHANGE_MS10-024.NASL
    descriptionThe installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability : - Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024) - Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025) - Predictable transaction IDs are used, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1689) - There is no verification that the transaction ID of a response matches the transaction ID of a query, which could allow a man-in-the-middle attacker to spoof DNS responses. (CVE-2010-1690)
    last seen2020-06-01
    modified2020-06-02
    plugin id108800
    published2018-04-03
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/108800
    titleMS10-024: Microsoft Exchange Denial of Service (uncredentialed)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108800);
      script_version("1.5");
      script_cvs_date("Date: 2018/11/15 20:50:26");
    
      script_cve_id(
        "CVE-2010-0024",
        "CVE-2010-0025",
        "CVE-2010-1689",
        "CVE-2010-1690");
    
      script_bugtraq_id(
        39308,
        39381,
        39908,
        39910
      );
      script_xref(name:"MSFT", value:"MS10-024");
      script_xref(name:"IAVB", value:"2010-B-0029");
      script_xref(name:"MSKB", value:"976323");
      script_xref(name:"MSKB", value:"976702");
      script_xref(name:"MSKB", value:"976703");
      script_xref(name:"MSKB", value:"981383");
      script_xref(name:"MSKB", value:"981401");
      script_xref(name:"MSKB", value:"981407");
    
      script_name(english:"MS10-024: Microsoft Exchange Denial of Service (uncredentialed)");
      script_summary(english:"Checks the version of Exchange");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote mail server may be affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The installed version of Microsoft Exchange / Windows SMTP Service
    is affected by at least one vulnerability :
    
      - Incorrect parsing of DNS Mail Exchanger (MX) resource
        records could cause the Windows Simple Mail Transfer
        Protocol (SMTP) component to stop responding until
        the service is restarted. (CVE-2010-0024)
    
      - Improper allocation of memory for interpreting SMTP
        command responses may allow an attacker to read random
        email message fragments stored on the affected server.
        (CVE-2010-0025)
    
      - Predictable transaction IDs are used, which could allow
        a man-in-the-middle attacker to spoof DNS responses.
        (CVE-2010-1689)
    
      - There is no verification that the transaction ID of a
        response matches the transaction ID of a query, which
        could allow a man-in-the-middle attacker to spoof DNS
        responses. (CVE-2010-1690)"
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-024");
      script_set_attribute(attribute:"solution",value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    and 2008 as well as Exchange Server 2000, 2003, 2007, and 2010.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/03");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
    
      script_dependencies("exchange_detect.nbin");
      script_require_keys("installed_sw/Exchange Server");
      script_require_ports("Services/smtp", 25, "Services/pop3", 143, "Services/www", 80);
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("vcf.inc");
    
    appname = 'Exchange Server';
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    
    smtp_ports = get_kb_list("Services/smtp");
    pop3_ports = get_kb_list("Services/pop3");
    http_ports = get_kb_list("Services/www");
    
    ports = make_list(smtp_ports, pop3_ports, http_ports);
    port = branch(ports);
    app_info = vcf::get_app_info(app:appname, port:port, service:TRUE);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      {"min_version" : "6.0.0", "fixed_version":"6.0.6620.15"},
      {"min_version" : "6.5.0", "fixed_version":"6.5.7656.2"},
      {"min_version" : "8.0.0", "fixed_version":"8.1.436.0"},
      {"min_version" : "8.2.0", "fixed_version":"8.2.254.0"},
      {"min_version" : "14.0.0","fixed_version":"14.0.694.0"}
    ];
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familySMTP problems
    NASL idSMTP_KB981832.NASL
    descriptionThe installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability : - Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024) - Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025)
    last seen2020-06-01
    modified2020-06-02
    plugin id45517
    published2010-04-13
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/45517
    titleChecks the remote SMTP server is patched for KB981832
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # nb: script_name() is too long for Nessus 2.x.
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(45517);
      script_version("1.17");
      script_cvs_date("Date: 2018/11/15 20:50:24");
    
      script_cve_id("CVE-2010-0024", "CVE-2010-0025");
      script_bugtraq_id(39381);
      script_xref(name:"MSFT", value:"MS10-024");
      script_xref(name:"IAVB", value:"2010-B-0029");
      script_xref(name:"MSKB", value:"981832");
    
      script_name(english:"MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)");
      script_summary(english:"Checks the remote SMTP server is patched for KB981832");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote mail server may be affected by multiple vulnerabilities."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The installed version of Microsoft Exchange / Windows SMTP Service
    is affected by at least one vulnerability :
    
      - Incorrect parsing of DNS Mail Exchanger (MX) resource
        records could cause the Windows Simple Mail Transfer
        Protocol (SMTP) component to stop responding until 
        the service is restarted. (CVE-2010-0024)
    
      - Improper allocation of memory for interpreting SMTP
        command responses may allow an attacker to read random 
        email message fragments stored on the affected server.
        (CVE-2010-0025)"
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-024");
      script_set_attribute(
        attribute:"solution", 
        value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    and 2008 as well as Exchange Server 2000, 2003, 2007, and 2010."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"SMTP problems");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencie("smtpserver_detect.nasl", "doublecheck_std_services.nasl");
      script_require_ports("Services/smtp", 25);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("smtp_func.inc");
    
    last_vers = NULL;
    
    function _vers_cmp(a,b)
    {
     local_var i, c;
    
     a = split(a, sep:'.', keep:FALSE);
     c = b;
     b = split(b, sep:'.', keep:FALSE);
     last_vers = NULL;
    
     if ( max_index(a) != 4 || max_index(b) != 4 ) return 0; # ???
    
     for ( i = 0 ; i < 4; i ++ )
     {
       if ( int(a[i]) != int(b[i]) ) 
       {
    	 if ( i < 3 ) return 0; # Only compare the maj version
      	 last_vers = c;
    	 return int(a[i]) - int(b[i]);
       }
     } 
     return 0;
    }
    
    
    function vers_cmp(ref, version, min)
    {
     if ( _vers_cmp(a:version, b:min) < 0 ) return 0;
     return _vers_cmp(a:version, b:ref);
    }
    
    port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
    if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
    
    banner = get_smtp_banner(port:port);
    if ( ! banner ) exit(1, "Nessus failed to extract the greeting from the SMTP server on port "+port+".");
    line = egrep(pattern:"^220 .* Microsoft ESMTP MAIL Service, Version: ([0-9.]+) ready at.*", string:banner);
    if ( ! line ) exit(0, "The greeting from the SMTP server on port "+port+" does not look like Microsoft's SMTP service.");
    
    version = chomp(ereg_replace(pattern:"^220 .* Microsoft ESMTP MAIL Service, Version: ([0-9.]+) ready at.*", string:line, replace:"\1"));
    
    if ( 
         # Windows 2000
         vers_cmp(version:version, ref:"5.0.2195.7381", min:"5.0.2195.0") < 0 ||
         # Windows 2003, XP x64
         vers_cmp(version:version, ref:"6.0.3790.4675", min:"6.0.3790.0") < 0 ||
         # Windows XP SP2
         vers_cmp(version:version, ref:"6.0.2600.3680", min:"6.0.2600.0") < 0 ||
         # Windows XP SP3
         vers_cmp(version:version, ref:"6.0.2600.5949", min:"6.0.2600.5000") < 0 ||
         #Windows 2008
         vers_cmp(version:version, ref:"7.0.6001.18440", min:"7.0.6001.0") < 0 ||
         vers_cmp(version:version, ref:"7.0.6001.22648", min:"7.0.6001.22000") < 0 ||
         vers_cmp(version:version, ref:"7.0.6002.18222", min:"7.0.6002.0") < 0 ||
         vers_cmp(version:version, ref:"7.0.6002.22354", min:"7.0.6002.22000") < 0 ||
         #Windows 2008 R2
         vers_cmp(version:version, ref:"7.5.7600.16544", min:"7.5.7600.0") < 0 ||
         vers_cmp(version:version, ref:"7.5.7600.20660", min:"7.5.7600.20000") < 0)
    {
      security_warning(port:port, extra:'\nThe remote version of the smtpsvc.dll is ' + version + ' versus ' + last_vers + '.');
      exit(0);
    }
    else exit(0, "The SMTP server on port "+port+" uses smtpsvc.dll "+version+" and hence is not affected.");
    

Oval

accepted2014-08-18T04:00:18.622-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameMaria Mikhno
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Windows 2000 is installed
    ovaloval:org.mitre.oval:def:85
  • commentMicrosoft Windows XP (32-bit) is installed
    ovaloval:org.mitre.oval:def:1353
  • commentMicrosoft Windows XP (32-bit) is installed
    ovaloval:org.mitre.oval:def:1353
  • commentMicrosoft Windows XP x64 is installed
    ovaloval:org.mitre.oval:def:15247
  • commentMicrosoft Windows Server 2003 (32-bit) is installed
    ovaloval:org.mitre.oval:def:1870
  • commentMicrosoft Windows Server 2003 (x64) is installed
    ovaloval:org.mitre.oval:def:730
  • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
    ovaloval:org.mitre.oval:def:396
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 R2 x64 Edition is installed
    ovaloval:org.mitre.oval:def:6438
  • commentMicrosoft Exchange Server 2000 Service Pack 3 is installed
    ovaloval:org.mitre.oval:def:1858
descriptionThe SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies, which allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then sending a STARTTLS command, aka "SMTP Memory Allocation Vulnerability."
familywindows
idoval:org.mitre.oval:def:12175
statusaccepted
submitted2010-11-04T13:00:00
titleSMTP Memory Allocation Vulnerability
version49