Determina Security Research

Exchange Calendar MODPROPS Denial of Service
http://www.determina.com/security.research/vulnerabilities/exchange-ical-modprops.html

CVE ID: CVE-2007-0039
 MS ID: MS07-026

Vendor notification: Dec 20, 2006
Vendor patch: May 8, 2007


Systems Affected:

 * Exchange 2000
 * Exchange 2003


Overview:

Determina Security Research has discovered a denial of service vulnerability in
the code responsible for parsing iCal email attachments in Microsoft Exchange.
This vulnerability can be exploited by a malicious email message and results in
a denial of service. The vulnerable code is present in Exchange 2000 and 2003.

Microsoft fixed a related vulnerability with the MS06-019 security update, but
their fix introduced a new denial of service bug. Determina Security Research
was able to develop a proof-of-concept exploit that works against fully-patched
Exchange servers.


Technical Details:

The iCal file format is described in detail in RFC2445. The file consists of a
series of records, delimited by BEGIN and END tags. Each record can have
multiple named properties. The iCal parser in Exchange maintains a table of
properties valid in the current context and switches to the appropriate table
upon entering a new record.

The X-MICROSOFT-CDO-MODPROPS property is an undocumented Microsoft extension
which allows the iCal file to specify a list of properties that are considered
valid in a specific record. All other properties will be ignored by Exchange.
The following example shows a typical usage of this feature:

BEGIN:VEVENT
X-MICROSOFT-CDO-MODPROPS:BEGIN,DTEND,DTSTART,END
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT

In this example, the SUMMARY property will not be processed by Exchange.

When the parser encounters the MODPROPS property, it calls
CICalSchema::AllocPropTables to allocate a new table of valid properties. The
pointer to the new table is stored in this->field_F0 and the list of valid
properties is copied into the table. If there is a second MODPROPS property, the
function will be called again and will reuse the previousely allocated table. If
the second MODPROPS element is longer than the first one, the copy loop will
write past the end of the table.

This vulnerability was fixed in MS06-019 by adding a call to
CICalSchema::FreePropTables in the beginning of the AllocPropTables function.
This ensures that the previous property table is freed and AllocPropTables
allocates a new one of sufficient size.

Unfortunately, FreePropTables also sets the this->field_28 pointer to NULL. The
NULL pointer is later used in a memcpy operation in AllocPropTables and causes
an unhandled exception, resulting in a crash of Exchange.

// Allocate a new property table

int CICalSchema::AllocPropTables(arg_0, arg_4)
{
    this->FreePropTables();

    ...

    // Allocate space for the new table

    if (this->field_F0 == NULL)
        this->field_F0 = new(vector_size*16);

    ...

    // NULL pointer dereference of this->field_28
    memcpy(&this->field_F4[offset_F4], &this->field_28[index*20], 20);
}


// Free the property table

void CICalSchema::FreePropTables()
{
    if (this->field_F0 != NULL) {
        ...

        ExFree(this->field_F0);
        this->field_F0 = NULL;
    }

    if (this->field_F4 != NULL) {
        if (this->field_28 == this->field_F4) {
            this->field_28 = NULL;      // set this->field_28 to NULL
            this->field_1C = 0;
        }

        ExFree(this->field_F4);
        this->field_F4 = NULL;
    }

    ...
}


Protection:

Determina VPS Server protects against the exploitation of this vulnerability.


Vendor response:

Microsoft issued the MS07-026 patch on May 8, 2007.


Credit:

Discovery: Alexander Sotirov, Determina Security Research