Alert: Microsoft Security Bulletin - MS02-041

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 08/09/02


Date:         Fri, 9 Aug 2002 13:36:36 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-041.asp

Unchecked Buffer in Content Management Server Could Enable Server Compromise (Q326075)

Originally posted: August 7, 2002

Summary

Who should read this bulletin: System administrators using Microsoft® Content Management Server 2001.

Impact of vulnerability: Three vulnerabilities, the most serious of which could enable an attacker to gain full control over the server

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the patch immediately.

Affected Software:
- Microsoft Content Management Server 2001

Technical description:

Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise Server product that simplifies developing and managing e-business web sites. Microsoft has learned of three security vulnerabilities affecting it:
- A buffer overrun in a low-level function that performs user authentication. At least one web page included with MCMS 2001 passes inputs directly to the function, thereby potentially providing a way for an attacker to overrun the buffer. The result of exploiting the vulnerability would be to either cause MCMS to fail, or run code in the context of the MCMS service (which runs as Local System).
- A vulnerability resulting from the confluence of two flaws affecting a function that allows files to be uploaded to the server. The first flaw lies in how the function authenticates requests, and would allow any user to submit an upload request. The second results because it is possible to override the upload location; where the function should upload files to a folder that only privileged users can access, it can be overridden to upload it to a temporary folder that does allow unprivileged users to call it. By exploiting the two flaws in tandem, an attacker could upload an .ASP or other file to the server, in a location from which it could be executed.
- A SQL injection vulnerability affecting a function that services requests for image files and other resources. Exploiting the vulnerability could enable an attacker to run SQL commands on the server, which would not only allow data in the MCMS database to be added, changed or deleted, but also would enable the attacker to run operating system commands on the server.

Mitigating factors:

Buffer Overrun in MCMS Authentication Operation:
- The scope of the vulnerability could be significantly reduced if the URLScan tool were deployed on the server. It is likely that in this case, the vulnerability could only be used for denial of service attacks.Program Execution via MCMS Authoring Function:
- Exploiting the vulnerability would not grant the attacker administrative privileges on the server. Instead, the attacker's code would execute in the security context of the Web Application Manager (the IWAM_computername account), which has similar privileges to those of an interactively logged-on user.SQL Injection via MCMS Resource Request:
- Exploiting the vulnerability would not grant the attacker administrative privileges on the server. Instead, any operating system commands would be levied in the security context of the SQL Server(tm) 2000 service, which by default has only Domain User privileges.

Vulnerability identifiers:
- Buffer Overrun in MCMS Authentication Operation:
CAN-2002-0700
- Program Execution via MCMS Authoring Function:
CAN-2002-0718
- SQL Injection via MCMS Resource Request:
CAN-2002-0719

This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor