Alert: Microsoft Security Bulletin - MS02-033

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 06/27/02


Date:         Thu, 27 Jun 2002 10:23:06 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-033.asp

Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server (Q322273)

Originally posted: June 26, 2002

Summary

Who should read this bulletin: System administrators using Microsoft® Commerce Server 2000 or Commerce Server 2002

Impact of vulnerability: Four vulnerabilities, each of which could run code of attacker's choice.

Maximum Severity Rating: Critical

Recommendation: System administrators should install the patch immediately.

Affected Software:
- Microsoft Commerce Server 2000
- Microsoft Commerce Server 2002

Technical description:

Commerce Server 2000 and Commerce Server 2002 are web server products for building e-commerce sites. These products provides tools and features that simplify developing and deploying e-commerce solutions, and provide tools that let the site administrator analyze the usage of their e-commerce site.

Four vulnerabilities exist in the Commerce Server products:
- A vulnerability that results because the Profile Service contains an unchecked buffer in a section of code that handles certain types of API calls. The Profile Service can be used to enable users to manage their own profile information and to research the status of their order. An attacker who provided specially malformed data to certain calls exposed by the Profile Service could cause the Commerce Server process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000.
- A buffer overrun vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who provided specially malformed data as input to the OWC package installer could cause the process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000.
- A vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who invoked the OWC package installer in a particular manner could cause commands to be run on the Commerce Server according to the privileges associated with the attacker's log on credentials. This vulnerability only affects Commerce Server 2000.
- A new variant of the ISAPI Filter vulnerability discussed in Microsoft Security Bulletin MS02-010. This variant affects both Commerce Server 2000 and Commerce Server 2002.

Mitigating factors:

Profile Service buffer overrun:
- The affected API calls in the Profile Service are not exposed to the Internet by default. The administrator must set up a Commerce Server site and include Profile Service calls as part of that site.
- The URLscan tool, if deployed using the default ruleset for Commerce Server, would make it difficult if not impossible for an attacker to exploit the vulnerability to run code, by significantly limiting the types of data that could be included in an URL. It would, however, still be possible to conduct denial of service attacks.
- Best practices for web site design can prevent this vulnerability from being exposed by limiting user input that can be accepted by input fields.OWC package buffer overrun:
- For an attack to succeed, the attacker would need to have credentials to log on to the Commerce Server 2000 computer on which the OWC package installer is kept.
- Best practices suggests that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed, unprivileged users would not have access to Commerce Server machines.OWC package command execution:
- For an attack to succeed, the attacker would need to have credentials to log on to the Commerce Server 2000 computer on which the OWC package installer is kept.
- Best practices suggests that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed, unprivileged users would not have access to Commerce Server machines.New variant of the ISAPI filter buffer overrun:
- Although Commerce Server does rely on IIS for its base web services, the AuthFilter ISAPI filter is only available as part of Commerce Server. Customers using IIS are at no risk from this vulnerability.
- The URLScan tool <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp>, if deployed using the default ruleset for Commerce Server, would make it difficult if not impossible for an attacker to exploit the vulnerability to run code, by significantly limiting the types of data that could be included in a URL. It would, however, still be possible to conduct denial of service attacks.
- An attacker's ability to extend control from a compromised web server to other machines would depend heavily on the specific configuration of the network. Best practices recommend that the network architecture account for the inherent high-risk that machines in an uncontrolled environment, like the Internet, face by minimizing overall exposure though measures like DMZ's, operating with minimal services and isolating contact with internal networks. Steps like this can limit overall exposure and impede an attacker's ability to broaden the scope of a possible compromise.
- While the ISAPI filter is installed by default, it is not loaded on any web site by default. It must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).

Vulnerability identifier:
- Profile service buffer overrun: CAN-2002-0620
- OWC package buffer overrun: CAN-2002-0621
- OWC package command execution: CAN-2002-0622
- New variant of the ISAPI filter buffer overrun: CAN-2002-0623

This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor