Exchange DoS vulnerability due to possible named properties
Boris Lokhvitsky
Guest





Posted: Tue Nov 30, 2004 1:44 am    Post subject: Exchange DoS vulnerability due to possible named properties

Hello All,

Here's a problem. Exchange Server 2003 has a hard quota limit for the named
properties of the messages stored in the Exchange Information store, as
described in KB article 820379. After the quota has been reached, numerous
error messages with Event ID 9667 and 12800 from MSExchangeIS are generated
in the Exchange server's Application Log. This creates DoS conditions for the
affected Information store. If the quota is increased up to the capacity
limit of the named properties table (32,000), the server can become unresponsive
to client requests.

Named properties quota overflow can be caused by malicious spammers sending
messages with randomly created SMTP X-headers. According to RFC 822, all
X-headers should be passed transparently through SMTP gateways and thus are
being accumulated in Exchange Information store.

Increasing the registry quota limit as described in KB 820379 is just a
temporary workaround since in case of continued attacks the new increased
quota will be hit very soon again, and the registry quota setting cannot
exceed the hardcoded limit of 32,000 anyway.

Another possible workaround is to move all mailboxes from the affected
Information store to another store or server. This might be a very
trouble-making operation in case of numerous actively working users, and it
still doesn't solve the problem but just delays it until named properties
quota limit is exceeded for the new database.

It would be nice to have a solution to this problem, not just a workaround.
For example, the possibility to clean up the named properties tables, or a
significant increase of the tables capacity. Maybe it is possible to write
an event sink analyzing and filtering out excessive unnecessary X-headers.

Any thoughts and/or feedback is highly appreciated, especially from MS
Exchange team.

Regards,
Boris
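
Added example, not part of the original post and not an Exchange event sink: a Python sketch of the header-filtering idea raised above, applied to a raw RFC 822 message before delivery. The allowlist, the threshold and the sample message are assumptions constructed for illustration.

```python
import email

# Assumed allowlist of X-headers the organisation actually relies on (hypothetical).
ALLOWED_X_HEADERS = {"x-mailer", "x-priority", "x-spam-status"}
# Assumed threshold: more distinct unknown X-headers than this is worth flagging.
MAX_UNKNOWN_X_HEADERS = 5

def filter_x_headers(raw_message, allowed=ALLOWED_X_HEADERS):
    """Strip X-headers that are not on the allowlist.

    Returns the filtered message object and the list of removed header names.
    """
    msg = email.message_from_string(raw_message)
    removed = [
        name for name in msg.keys()
        if name.lower().startswith("x-") and name.lower() not in allowed
    ]
    for name in set(removed):
        del msg[name]  # removes every occurrence, case-insensitively
    return msg, removed

def is_suspicious(removed, limit=MAX_UNKNOWN_X_HEADERS):
    """Flag a message that carried many distinct unknown X-headers."""
    return len({name.lower() for name in removed}) > limit

# Constructed sample message: one allowlisted X-header and seven unknown ones.
SAMPLE_MESSAGE = (
    "From: sender@example.com\n"
    "To: user@example.com\n"
    "Subject: test\n"
    "X-Mailer: ExampleMailer 1.0\n"
    + "".join(f"X-Constructed-{i}: value{i}\n" for i in range(7))
    + "\nbody text\n"
)

if __name__ == "__main__":
    filtered, dropped = filter_x_headers(SAMPLE_MESSAGE)
    print("removed:", dropped)
    print("flag for review:", is_suspicious(dropped))
    print(filtered.as_string())
```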

Andy Webb
Guest





Posted: Wed Dec 01, 2004 1:37 pm    Post subject: Re: Exchange DoS vulnerability due to possible named propert

X-headers aren't stored as individual named properties, so that wouldn't be
an attack vector.

--

========================================
ERM (Exchange Resource Manager) Released!
http://www.swinc.com/erm
========================================

Boris Lokhvitsky
Guest





Posted: Wed Dec 01, 2004 11:38 pm    Post subject: Re: Exchange DoS vulnerability due to possible named propert

Thanks Andy,

Either they are, or these named properties originate not from the X-headers
(though this was also an opinion of MS support engineer).

Every minute or less I am getting error events in Exchange Application log
with Event ID 9667 and 12800, with the following contents:

Failed to create a new named property for database "First Storage
Group\Mailbox Store (ServerName)" because the number of named properties
reached the quota limit (16384).
User attempting to create the named property: "BESAdmin"
Named property GUID: 00020386-0000-0000-c000-000000000046
Named property name/id: "babiche-asweat"

So my Application Log is all flooded with these errors.

Names of the named properties vary, but for the most part they are
combinations of two random words, for example:

abdominothoracic-birthplace
absolute-anteconsonantal
abundancy-canorously
accelerando-armilla
accretal-bedark
acidosteophyte-adipopexia
acronically-bronchotome
adjunction-Argean
adjunctively-bullfighting
adularescence-aval
adverseness-akepiro
aeronef-betoil
aeruginous-alalus
afghanistan-bacterial
afterwards-bicornuate

(I just took some of them to illustrate).

If this is not a DoS condition, then what is it? And how to get rid of these
named properties?

Regards,
Boris

P.S. I know about several other cases, where failed attempts to create named
properties were originated from the System account, so this is not a
Blackberry (BES) specific problem...
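
Added example, not part of the original post: a Python triage script that parses the Event ID 9667 message text quoted above and groups the failures by creating account and property-set GUID, which helps show which client or service is generating the names. The event text layout is taken from the post; the second and third events, including the SYSTEM account entry, are constructed from names listed there.

```python
import re
from collections import Counter

# Matches one 9667 event body in the layout quoted in the post (line-wrapped text).
EVENT_RE = re.compile(
    r'for database "(?P<database>[^"]+)".*?'
    r'quota limit \((?P<quota>\d+)\)\..*?'
    r'User attempting to create the named property: "(?P<user>[^"]*)".*?'
    r'Named property GUID: (?P<guid>[0-9a-fA-F-]{36}).*?'
    r'Named property name/id: "(?P<name>[^"]*)"',
    re.DOTALL,
)
WORD_PAIR_RE = re.compile(r"[A-Za-z]+-[A-Za-z]+")  # e.g. "babiche-asweat"

def parse_events(text):
    """Return one dict per 9667 event found in exported Application Log text."""
    events = []
    for match in EVENT_RE.finditer(text):
        event = match.groupdict()
        event["database"] = " ".join(event["database"].split())  # undo wrapping
        event["quota"] = int(event["quota"])
        events.append(event)
    return events

def summarize(events):
    """Count failures per (user, GUID) and measure how many names look random."""
    names = {e["name"] for e in events}
    return {
        "by_source": Counter((e["user"], e["guid"]) for e in events),
        "distinct_names": len(names),
        "word_pair_names": sum(1 for n in names if WORD_PAIR_RE.fullmatch(n)),
    }

# Sample log text: first event as quoted in the post, the other two constructed.
TEMPLATE = r'''Failed to create a new named property for database "First Storage
Group\Mailbox Store (ServerName)" because the number of named properties
reached the quota limit (16384).
User attempting to create the named property: "{user}"
Named property GUID: 00020386-0000-0000-c000-000000000046
Named property name/id: "{name}"
'''
SAMPLE_LOG = "\n".join(
    TEMPLATE.format(user=u, name=n)
    for u, n in [("BESAdmin", "babiche-asweat"), ("BESAdmin", "aeronef-betoil"),
                 ("SYSTEM", "accretal-bedark")]
)

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG)))
```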


Guest






Posted: Tue Dec 07, 2004 4:50 pm    Post subject: Re: Exchange DoS vulnerability due to possible named propert

http://www.ardice.com/Games/Miniatures/Science_Fiction/Aeronef/
All times are GMT