Signature Detail

DNS: TCP Response Buffer Overflow

This signature detects a DNS response sent over TCP that contains an excessive number of IP addresses (more than 100) for a single name query. A DNS response with too many addresses can overflow a buffer in certain Windows operating system versions as well as the Exchange mail server.

Extended Description

The Microsoft Windows 2003 SMTP Service and Exchange Routing Engine have been reported prone to a buffer overflow. This occurs during the processing responses to DNS lookups. Successful exploitation could allow for remote code execution in the context of the vulnerable service.

Affected Products

• Avaya definityone_media_servers
• Avaya ip600_media_servers
• Avaya modular_messaging_(mss) 1.1.0
• Avaya modular_messaging_(mss) 2.0.0
• Avaya s3400_message_application_server
• Avaya s8100_media_servers
• Microsoft exchange_server_2000 SP1
• Microsoft exchange_server_2000 SP2
• Microsoft exchange_server_2000 SP3
• Microsoft exchange_server_2000
• Microsoft exchange_server_2003
• Microsoft windows_server_2003_datacenter_edition
• Microsoft windows_server_2003_datacenter_edition_itanium
• Microsoft windows_server_2003_enterprise_edition
• Microsoft windows_server_2003_enterprise_edition_itanium
• Microsoft windows_server_2003_standard_edition
• Microsoft windows_server_2003_web_edition
• Microsoft windows_xp_64-bit_edition_version_2003 SP1
• Microsoft windows_xp_64-bit_edition_version_2003

References

• BugTraq: 11374
• CVE: CVE-2004-0840
• URL: http://www.microsoft.com/technet/security/Bulletin/MS04-035.mspx