Alert: Microsoft Security Bulletin - MS02-010
From: Russ (Russ.Cooper@RC.ON.CA) Date: 02/26/02
- Previous message: Russ: "Administrivia #36094 - MS Security Bulletin Notification"
- Next in thread: Mystarix: "PHP remote vulnerabilities"
- Reply: Mystarix: "PHP remote vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Feb 2002 15:05:06 -0500 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS02-010.asp
Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise
Originally posted: February 21, 2002
Summary
Who should read this bulletin: System administrators using Microsoft® Commerce Server 2000
Impact of vulnerability: Run code of attacker's choice.
Maximum Severity Rating: Critical
Recommendation: System administrators should install the patch immediately.
Affected Software:
- Microsoft Commerce Server 2000
Technical description:
By default, Commerce Server 2000 installs a .dll with an ISAPI filter that allows the server to provide extended functionality in response to events on the server. This filter, called AuthFilter, provides support for a variety of authentication methods. Commerce Server 2000 can also be configured to use other authentication methods.
A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provided authentication data that overran the buffer could cause the Commerce Server process to fail, or could run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server.
Mitigating factors:
- Although Commerce Server 2000 does rely on IIS for its base web services, the AuthFilter ISAPI filter is only available as part of Commerce Server. Customers using IIS are at no risk from this vulnerability.
- The URLScan tool, if deployed using the default ruleset for Commerce Server, would make it difficult if not impossible for an attacker to exploit the vulnerability to run code, by significantly limiting the types of data that could be included in a URL. It would, however, still be possible to conduct denial of service attacks.
- An attacker's ability to extend control from a compromised web server to other machines would depend heavily on the specific configuration of the network. Best practices recommend that the network architecture account for the inherently high risk that machines in an uncontrolled environment, like the Internet, face by minimizing overall exposure through measures like DMZs, operating with minimal services and isolating contact with internal networks. Steps like this can limit overall exposure and impede an attacker's ability to broaden the scope of a possible compromise.
- While the ISAPI filter is installed by default, it is not loaded on any web site by default. It must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).
Vulnerability identifier: CAN-2002-0050
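The bug class the technical description names, an unchecked copy of client-supplied authentication data into a fixed buffer inside a filter running as LocalSystem, shown as an added illustration beside a bounded handler that refuses over-long values. This is example code, not Commerce Server or AuthFilter code; the buffer size, the `Basic` header format and the function names are assumptions.

```c
/* Added example, not Commerce Server/AuthFilter code. AUTH_BUF, the header
 * format and the function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define AUTH_BUF 64   /* hypothetical fixed-size buffer inside the filter */

/* Vulnerable pattern: the copy trusts whatever length the client sent.
 * A value of AUTH_BUF bytes or more writes past the end of 'dst'. */
static void copy_auth_unchecked(char *dst, const char *value) {
    strcpy(dst, value);
}

/* Hardened pattern: measure first, refuse anything that does not fit
 * (including the terminating NUL), never silently truncate credentials. */
static bool copy_auth_checked(char *dst, size_t dstlen, const char *value) {
    size_t n = strlen(value);
    if (n >= dstlen)
        return false;
    memcpy(dst, value, n + 1);
    return true;
}

/* Filter entry point for an "Authorization" header value. Returns an HTTP
 * status: 400 for an unexpected scheme or an over-long token (log it and
 * stop), 200 when the token was safely copied for later verification. */
int handle_basic_auth(const char *header_value) {
    char creds[AUTH_BUF];
    const char *prefix = "Basic ";
    if (strncmp(header_value, prefix, strlen(prefix)) != 0)
        return 400;
    if (!copy_auth_checked(creds, sizeof creds, header_value + strlen(prefix)))
        return 400;
    return 200;   /* creds[] is bounded and NUL-terminated here */
}

/* Constructed sample: a header value whose token is longer than AUTH_BUF,
 * the kind of input the length check must stop before any fixed buffer. */
const char *oversized_header(void) {
    static char hdr[6 + AUTH_BUF + 16 + 1];
    memcpy(hdr, "Basic ", 6);
    memset(hdr + 6, 'A', AUTH_BUF + 16);
    hdr[sizeof hdr - 1] = '\0';
    return hdr;
}

int main(void) {
    char buf[AUTH_BUF];
    copy_auth_unchecked(buf, "short");   /* safe only because the input fits */
    printf("normal token: %d\n", handle_basic_auth("Basic dXNlcjpwYXNz"));
    printf("oversized token: %d\n", handle_basic_auth(oversized_header()));
    return 0;
}
```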
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor