CVE-2005-0560
Published: 2005-05-02
Priority: P261 · Severity: high · CVSS 2.0 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 69.48% (99.3rd percentile)
Heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring SMTP traffic on port 25 for the extended verb command 'X-LINK2STATE' followed by a CHUNK parameter containing large repeated byte sequences (e.g., 1000+ 'A' characters), indicative of heap overflow staging.
- The exploit sends two separate TCP connections to port 25, each issuing EHLO followed by X-LINK2STATE CHUNK= with oversized payloads. Detecting multiple rapid SMTP connections with this pattern from the same source IP is a strong indicator of exploitation.
- The second chunk of the exploit embeds a short JMP (\xEB\x10) followed by a return address and shellcode. Inspect SMTP CHUNK payloads for the byte sequence EB 10 at offset ~30 bytes into the data as a heap-spray/overflow trigger signature.
- The vulnerable function SvrAppendReceivedChunk resides in xlsasink.dll. Monitor for unexpected crashes or code execution originating from this DLL in the Exchange SMTP service process.
- The exploit's hardcoded return addresses (EAX, ECX) target specific DLL base addresses on Windows 2000 Server SP4 EN with Exchange 2000 SP3. These offsets will differ on other OS/SP/Exchange versions and are not universally reliable.
- The exploit was tested only on Windows 2000 Server SP4 EN with Microsoft Exchange 2000 SP3. Exploitation behavior against Exchange 2003 or different service pack levels may vary.
No detection rules found.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=111393947713420&w=2
- http://secunia.com/advisories/14920/
- http://www.kb.cert.org/vuls/id/275193
- http://www.osvdb.org/displayvuln.php?osvdb_id=15467
- http://www.us-cert.gov/cas/techalerts/TA05-102A.html
- http://xforce.iss.net/xforce/alerts/id/193
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-021
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4032